EFS restriction of Administrator on Server 2003

EFS restriction of Administrator on Server 2003
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
EFS restriction of Administrator on Server 2003 supermoocow 07-08-2005
Posted by on July 8, 2005, 3:25 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi
I was wondering if there was anyway of deligating EFS permissions and
certificate control to a user other than the system Administrator?
Is it possible to restrict the system Administrator so that data
protected by EFS is protected from the system Administrator?

Any advise or help will be greatfully recieved.


Posted by Roger Abell on July 8, 2005, 10:01 am
If you were  Registered and logged in, you could reply and use other advanced thread options
If what you are after is controlling use of the default recovery
agent (DRA) in order to keep EFS data privately encrypted and
not available to anyone with access to the DRA account, then
yes, you can define whatever account you decide upon to be
the DRA and do not need to keep it as the original Administrator.
The MS website has writeups on doing this, which has not
really changed with Windows 2003, and also has a new
writeup on EFS practices for Windows 2003.

But, is that what you are asking about?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
> Hi
> I was wondering if there was anyway of deligating EFS permissions and
> certificate control to a user other than the system Administrator?
> Is it possible to restrict the system Administrator so that data
> protected by EFS is protected from the system Administrator?
>
> Any advise or help will be greatfully recieved.
>



Posted by Steven L Umbach on July 8, 2005, 11:28 am
If you were  Registered and logged in, you could reply and use other advanced thread options
In a domain you can make any user a Recovery Agent or not have a RA if the
computers are XP Pro. However any domain administrator could create a RA if
they so wished or possibly enable archiving of user certificates and
ultimately decrypt any EFS files on domain computers that they have access
to either via files they are RA on or resetting the "domain" password for a
"domain" user, logging on as them, and decrypting the files. In my opinion
in a domain EFS files should not be considered secure from anyone with
domain administrator powers who have such legitimately or not. A lot of the
risk depends on the security practices in your domain and how trustworthy
the domain administrators are.

EFS is the most secure on a stand alone computers using XP Pro/Windows 2003
where the computer owner follows best practices such as using VERY strong
user password or better yet exporting/deleting their EFS certificate/private
key [and RA if used] anytime their computer is at risk of physical access by
malicious users. If you are considering implementing EFS be sure to
read/understand documentation on it first including best practices. ---
Steve

http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx

> Hi
> I was wondering if there was anyway of deligating EFS permissions and
> certificate control to a user other than the system Administrator?
> Is it possible to restrict the system Administrator so that data
> protected by EFS is protected from the system Administrator?
>
> Any advise or help will be greatfully recieved.
>



Similar ThreadsPosted
Re: server 2003 administrator password June 12, 2005, 10:22 am
Server access restriction June 30, 2005, 10:16 pm
Domain Administrator cannot logon to SBS 2003 LOCALLY January 24, 2006, 6:28 am
Can not use UNC path in Windows server 2003 server 64 bit OS September 30, 2005, 4:19 pm
should i have to rename administrator on domain server. April 24, 2006, 2:46 pm
Software Restriction GPO Problem August 29, 2005, 4:52 pm
Account logon time restriction violation March 31, 2008, 11:31 am
Re: There is a serious problem within Server 2003 SP1. July 17, 2005, 12:25 am
RE: WIndows Server 2003 July 29, 2005, 12:16 am
using ICF on 2003 server in domain? September 14, 2005, 2:50 am

The site map in XML format XML site map

Contact Us | Privacy Policy