
When EFS goes bad



Guest David H. Lipman
Posted

We are on an Active Directory Domain.

Recently, through Group Policy enforcement, EFS has been pushed to our users on notebooks.

Generally speaking things have gone well. However, one of my users has run into a negative consequence.

One of my users complained that he could no longer access one of his MS Outlook Archive folders.

Examination found the 1.38GB file to exist and Outlook was properly pointing to it. At first it was thought that it was damaged, so I ran the Inbox Repair Tool. It indicated the PST was Read-Only. When I examined the PST it did not have the Read-Only attribute, but it was encrypted. Under the end-user's account I tried to decrypt the file, but I got "Access Denied". All other PST files in the same folder (and all other data files for that matter) were encrypted, but the end-user had no problems opening any of them EXCEPT this one 1.38GB PST file. [ a highly crucial file! ]

Further examination showed a Domain service account attached to the file as "svc.EFSRecovery.locale" (name obfuscated). I contacted the central organization responsible for the Domain and they sent someone out to look at the end-user's PC, and that person spent 3 hours with no progress.

What went wrong with this one file?
Can it be recovered?
Can it be decrypted/re-encrypted using the user's account-based certificate?

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Dobromir Todorov
Posted

Re: When EFS goes bad

 

What exactly did you configure in your Group Policy?

 

Did you remove any user certificates and associated private keys from that

user's computer?

 

--

---

HTH,

Dobromir

 

Learn more about Security and Identity Management:

Visit http://www.iamechanics.com

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:O5%23b7Mt4IHA.4392@TK2MSFTNGP03.phx.gbl...

> We are on an Active Directory Domain.

>

> Recently, through Group Policy enforcement, EFS has been pushed to our

> users on notebooks.

>

> Generally speaking things have gone well. However one of my users has run

> into a negative

> consequence.

>

> One of my users complained that he could no longer access one of his MS

> Outlook Archive

> folders.

>

> Examination found the 1.38GB to exist and Outlook was properly pointing to

> it. At first

> it was thought that it was damaged so I ran the InBox Repair Tool. It

> indicated the PST

> was Read-Only. When I examined the PST it did not have the Read-Only

> attribute but it was

> encrypted. Under the end-user's account I tried to decrypt the file but I

> got "Access

> Denied". All other PST files in the same folder (and all other data files

> for that

> matter) were encrypted but the end-user had no problems opening any of

> them EXCEPT this

> one 1.38GB PST file. [ a high crucial file! ]

>

> Further examination showed a Domain service account attached to the file

> as

> "svc.EFSRecovery.locale" (name obfuscated). I contacted the central

> organization

> responsible for the Domain and they sent someone out to look at the

> end-user's PC and that

> person spent 3 hours with no progress.

>

> What went wrong with this one file ?

> Can it be recovered ?

> Can it be decrypted/re-encrypted using the user's account based

> certificate ?

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>

>

Guest David H. Lipman
Posted

Re: When EFS goes bad

 

From: "Dobromir Todorov" <dtodorov@msn.com>

 

| What exactly did you configure in your Group Policy?

 

| Did you remove any user certificates and associated private keys from that

| user's computer?

 

I no longer control the OU of our Domain. This is now done by a centralized organization. Due to privacy issues, I can not elaborate.

We all use Smart Cards and all three Certs for his Smart Card were in his personal Certificate Store. All current, none expired or revoked. He still had his Domain Account cert in his store set to expire on 6/27/2108.

All other encrypted files can be decrypted w/o any problems. It is only this ONE PST that he gets "access denied" on. :-(

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Dobromir Todorov
Posted

Re: When EFS goes bad

 

Well, I don't think anyone can help much without the details. The important thing is that the File Encryption Key (FEK) used to actually encrypt the PST file is encrypted in the user's and the Data Recovery Agent's (DRA) public keys and is attached as metadata to the file. If the user has ALL the private keys and associated certificates/public keys available, EFS will use them all to try and decrypt the FEK, and access the content of the file. If the private/public (certificate) key pair that was used to originally encrypt the FEK is missing, the user will fail to open the file. Make sure that the original set of certificates and associated keys is there.

Also, it may turn out that this user was, say, a local computer admin and was able to open the file as a Data Recovery Agent (DRA), rather than as a user. When you applied the policy, you may have set a new DRA for this file, and the old one is now lost - hence the reason why he's not able to access the file anymore.

 

--

---

HTH,

Dobromir

 

Learn more about Security and Identity Management:

Visit http://www.iamechanics.com

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:utuq2tt4IHA.4856@TK2MSFTNGP02.phx.gbl...

> From: "Dobromir Todorov" <dtodorov@msn.com>

>

> | What exactly did you configure in your Group Policy?

>

> | Did you remove any user certificates and associated private keys from

> that

> | user's computer?

>

> I no longer control the OU of our Domain. This is now done by a

> centralized organization.

> Due to privacy issues, I can not elaborate.

>

> We all use Smart Cards and all three Certs for his Smart Card were in his

> personal

> Certificate Store. All current, none expired or revoked. He still had

> his Domain Account

> cert in his store set to expire on 6/27/2108.

>

> All other encrypted files can be decrypted w/o any problems. It is only

> this ONE PST that

> he gets "access denied" on. :-(

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>

>

Guest Adam Stasiniewicz
Posted

Re: When EFS goes bad

 

When you look at the properties of the file, from the General tab select Advanced then Details. You will see all the certificates which can decrypt the file. If you see a certificate in the top window that does not belong to the user, check with the maintainer of your CA if they have key archival enabled. If they do, have them provide you with the key pair for the certificate so that you can decrypt the file. Otherwise, check the bottom window. If there is a cert listed there (i.e. the DRA), ask your CA maintainer to provide that certificate.

Either way, once you get the needed cert: import the cert (with private key) into the local user store of a computer and copy the PST to a local drive. Then you should be able to decrypt the file.

 

Hope that helps,

Adam Stasiniewicz

 

"Dobromir Todorov" <dtodorov@msn.com> wrote in message

news:uvzp%23Dz4IHA.4696@TK2MSFTNGP02.phx.gbl...

> Well, don't think anyone can help much without the details. The important

> thing is that the File Encryption Key (FEK) used to actually encrypt the

> PST file is encrypted in the user's and the Data Recovery Agent's (DRA)

> public keys and is attached as metadata to the file. If the user has ALL

> the private keys and associated certificates/public keys available, EFS

> will use them all to try and decrypt the FEK, and access the content of

> the file. If the private/public(certificate) key pair that was used to

> originally encrypt the FEK is missing, the user will fail to open the

> file. Make sure that the original set of certificates and associated keys

> is there.

>

> Also, it may turn out that this user was say a local computer admin and

> was able to open the file as a Data Recovery Agent (DRA), rather than as a

> user. When you applied the policy, you may have set a new DRA for this

> file, and the old one is now lost - hence the reason why he's not able to

> access the file anymore.

>

> --

> ---

> HTH,

> Dobromir

>

> Learn more about Security and Identity Management:

> Visit http://www.iamechanics.com

>

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

> news:utuq2tt4IHA.4856@TK2MSFTNGP02.phx.gbl...

>> From: "Dobromir Todorov" <dtodorov@msn.com>

>>

>> | What exactly did you configure in your Group Policy?

>>

>> | Did you remove any user certificates and associated private keys from

>> that

>> | user's computer?

>>

>> I no longer control the OU of our Domain. This is now done by a

>> centralized organization.

>> Due to privacy issues, I can not elaborate.

>>

>> We all use Smart Cards and all three Certs for his Smart Card were in his

>> personal

>> Certificate Store. All current, none expired or revoked. He still had

>> his Domain Account

>> cert in his store set to expire on 6/27/2108.

>>

>> All other encrypted files can be decrypted w/o any problems. It is only

>> this ONE PST that

>> he gets "access denied" on. :-(

>>

>> --

>> Dave

>> http://www.claymania.com/removal-trojan-adware.html

>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>>

>>

>

>
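The following script is an added example and is not code posted by anyone in this thread. It automates the check that Dobromir's FEK explanation and Adam's Details-dialog walkthrough both lead to: list the certificates named in the file's EFS metadata (the user entries and the recovery-agent entries) and compare them against the certificates in the logged-on user's personal store that actually carry a private key, which is the question the replies keep asking. It assumes `cipher.exe /c`, which exists on Windows Vista and later (the XP clients in this thread would need the `efsinfo.exe` resource-kit tool instead), and it assumes cipher prints each certificate as a `Certificate thumbprint:` line, which is how current Windows versions format that output; the `$Path` parameter is supplied by the person running it, in the affected user's session.

```powershell
# Added diagnostic example (not from the thread). Run as the affected user.
# Assumes cipher.exe /c (Vista+) and its "Certificate thumbprint:" output lines.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # the encrypted file to inspect, e.g. the PST
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# Every certificate in the user's personal store, keyed by upper-case thumbprint.
$store = @{}
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $store[$_.Thumbprint.ToUpperInvariant()] = $_
}

# cipher /c prints the users who can decrypt the file (DDF entries) and the
# recovery certificates (DRF entries), each followed by a thumbprint line.
# Assumption: cipher spaces the thumbprint in groups of hex digits; the
# whitespace is stripped so it can be matched against the store's thumbprints.
$raw = & cipher.exe /c $Path 2>&1 | Out-String

$listed = @([regex]::Matches($raw, 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') |
    ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() } |
    Sort-Object -Unique)

if ($listed.Count -eq 0) {
    Write-Warning "cipher reported no certificates for $Path. Is the file actually encrypted?"
    return
}

# Report each listed certificate and whether this profile can use it.
foreach ($tp in $listed) {
    $cert = $store[$tp]
    if ($cert -and $cert.HasPrivateKey) {
        $state = 'usable: certificate and private key present'
    } elseif ($cert) {
        $state = 'PROBLEM: certificate present but no private key'
    } else {
        $state = 'not in this user''s store (DRA or another user)'
    }
    $subject = if ($cert) { $cert.Subject } else { '<not in store>' }
    '{0}  {1}  {2}' -f $tp, $subject, $state
}

# Summary: if no listed certificate has a usable private key here, the fix is a
# key-recovery path (DRA private key or the CA's archived key), not the user's logon.
$usable = @($listed | Where-Object { $store[$_] -and $store[$_].HasPrivateKey })
if ($usable.Count -gt 0) {
    'At least one listed certificate has a usable private key; an Access Denied here points away from a missing EFS key.'
} else {
    'No listed certificate has a private key in this profile; recover via the DRA key (bottom list in the Details dialog) or the CA''s archived key.'
}
```

The first list in the Details dialog corresponds to the "usable" and "no private key" rows; the DRA from the second list normally shows as "not in this user's store", which is expected and not a fault. A "certificate present but no private key" row is the case Dobromir's reply describes: the public half survived in the profile while the private key did not.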

Guest David H. Lipman
Posted

Re: When EFS goes bad

 

From: "Adam Stasiniewicz" <nospam@nospam>

 

| When you look at the properties of the file, from the General tab select
| Advanced then Details. You will see all the certificates which can decrypt
| the file. If you see a certificate in the top window that does not belong
| to the user, check with the maintainer of your CA if they have key archival
| enabled. If they do, have them provide you with the key pair for the
| certificate so that you can decrypt the file. Otherwise, check the bottom
| window. If there is a cert listed there (i.e. the DRA), ask your CA
| maintainer to provide that certificate.

 

| Either way, once you get the needed cert: import the cert (with private key)

| into the local user store of a computer and copy the PST to a local drive.

| Then you should be able to decrypt the file.

 

| Hope that helps,

| Adam Stasiniewicz

 

Thanx.

 

The "certificate in the top window" did belong to the end-user.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Dobromir Todorov
Posted

Re: When EFS goes bad

 

...and there was a private key in the user's profile that corresponded to

that certificate?

 

--

---

HTH,

Dobromir

 

Learn more about Security and Identity Management:

Visit http://www.iamechanics.com

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:OV$%23CO54IHA.3480@TK2MSFTNGP03.phx.gbl...

> From: "Adam Stasiniewicz" <nospam@nospam>

>

> | When you looked the properties of the file, from the General tab select

> | Advanced then Details. You will see all the certificates which can

> decrypt

> | the file. If you see a certificate in the top window that is not

> belonging

> | to the user, check with the maintainer of your CA if they have key archival

> | enabled. If they do, have them provide you with the key pair for the

> | certificate so that you can decrypt the file. Otherwise, check the

> bottom

> | window. If there is a cert listed there (i.e. the DRA), ask your CA

> | maintainer to provide that certificate.

>

> | Either way, once you get the needed cert: import the cert (with private

> key)

> | into the local user store of a computer and copy the PST to a local

> drive.

> | Then you should be able to decrypt the file.

>

> | Hope that helps,

> | Adam Stasiniewicz

>

> Thanx.

>

> The "certificate in the top window" did belong to the end-user.

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>

>

Guest David H. Lipman
Posted

Re: When EFS goes bad

 

From: "Dobromir Todorov" <dtodorov@msn.com>

 

| ...and there was a private key in the user's profile that corresponded to

| that certificate?

 

| --

| ---

| HTH,

| Dobromir

 

 

Yes. As I stated previously...

 

"We all use Smart Cards and all three Certs for his Smart Card were in his personal Certificate Store. All current, none expired or revoked. He still had his Domain Account cert in his store set to expire on 6/27/2108."

There were four certificates in his personal cert. store.

Three for his Smart Card and one matching the "certificate in the top window" also noted previously in this thread.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Brian Komar \(MVP\)
Posted

Re: When EFS goes bad

 

Actually, that was not clear.

If you have the "correct" certificate, and in the properties of the certificate it states that you have the private key associated with the certificate, the file should open. Here are my questions:

1) Is the svc.EFSRecovery.locale account listed as the user account able to access the file?
2) Was a proper attempt performed to recover the file with an EFS Recovery agent listed as the DRA for the file? I mean by this that an administrator logged on to the system, imported the recovery certificate from the archived PFX file, and then attempted the decryption.
3) No mention of OS in the thread. What OS is the client running?
4) If the client is running XP, then the EFS cert and the EFS Recovery agent certificate *must* be in software. XP/2003 do not support the use of EFS or EFS recovery agent certificates on smart cards.
5) Have you established a custom EFS certificate that archives the private key in the CA database?
6) Did you prevent the use of self-signed certificates at clients? You can accomplish this at XP/2003 with 912761 - Encrypting File System (EFS) generates a self-signed certificate when you try to encrypt an EFS file on a Windows XP-based computer. For Vista, this is accomplished through GPO.

 

HTH,

Brian

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:O$GHuA64IHA.1204@TK2MSFTNGP04.phx.gbl...

> From: "Dobromir Todorov" <dtodorov@msn.com>

>

> | ...and there was a private key in the user's profile that corresponded

> to

> | that certificate?

>

> | --

> | ---

> | HTH,

> | Dobromir

>

>

> Yes. As I stated previously...

>

> "We all use Smart Cards and all three Certs for his Smart Card were in his

> personal

> Certificate Store. All current, none expired or revoked. He still had

> his Domain Account

> cert in his store set to expire on 6/27/2108."

>

> There were four certificates in his personal cert. store.

>

> Three for his Smart Card and one matching the "certificate in the top

> window" also noted

> previously in this thread.

>

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>

>

Guest David H. Lipman
Posted

Re: When EFS goes bad

 

From: "Brian Komar (MVP)" <brian.komar@nospam.identit.ca>

 

| Actually, that was not clear.

 

 

My apologies :-(

 

 

| If you have the "correct" certificate, and in the properties of the

| certificate it states that you have the private key associated with the

| certificate the file should open. Here are my questions:

 

| 1) Is the svc.EFSRecovery.locale account listed as the user account able to

| access the file?

 

Yes.

 

 

| 2) Was a proper attempt performed to recover the file with an EFS Recovery
| agent listed as the DRA for the file? I mean by this that an administrator
| logged on to the system, imported the recovery certificate from the archived
| PFX file, and then attempted the decryption.

 

 

My understanding is that was attempted.

 

 

| 3) No mention of OS in the thread. What OS is the client

| running?

 

WinXP >= SP2

 

 

| 4) If the client is running XP, then the EFS cert and the EFS Recovery agent

| certificate *must* be in software. XP/2003 do not support the use of EFS or

| EFS recovery agent certificates on smart cards.

 

 

Right. Got it.

 

 

| 5) Have you established a custom EFS certificate that archives the private

| key in the CA database.

 

 

I have NO control over this and I don't know.

 

 

 

| 6) Did you prevent the use of self-signed certificates at clients. You can

| accomplish

| this at XP/2003 with 912761 - Encrypting File System (EFS)

| generates a self-signed

| certificate when you try to encrypt an EFS file on a

| Windows XP-based computer. For

| Vista, this is accomplished through GPO.

 

 

We do not use Self Signed certs. as this was pushed through GPO and EFSAssistant.

 

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Brian Komar \(MVP\)
Posted

Re: When EFS goes bad

 

So based on your answers, the certificates on the smart card are not used, as the OS does not support smart card based EFS.

The recovery may be possible if a password is available for the svc.EFSRecover.locale account, and you log on locally as that account. Once logged in, remove the encryption from the file.

Brian

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:uyEAPHR5IHA.3768@TK2MSFTNGP02.phx.gbl...

> From: "Brian Komar (MVP)" <brian.komar@nospam.identit.ca>

>

> | Actually, that was not clear.

>

>

> My apologies :-(

>

>

> | If you have the "correct" certificate, and in the properties of the

> | certificate it states that you have the private key associated with the

> | certificate the file should open. Here are my questions:

>

> | 1) Is the svc.EFSRecovery.locale account listed as the user account able

> to

> | access the file?

>

> Yes.

>

>

> | 2) Was a proper attempt performed to recover the file with a EFS

> Recovery

> | agent

> | listed as the DRA for the file? I mean by this that an administrator

> | logged on to the

> | system, imported the recovery certificate from the archived

> | PFX file, and then

> | attempted the decryption.

>

>

> My understanding is that was attempted.

>

>

> | 3) No mention of OS in the thread. What OS is the client

> | running?

>

> WinXP >= SP2

>

>

> | 4) If the client is running XP, then the EFS cert and the EFS Recovery

> agent

> | certificate *must* be in software. XP/2003 do not support the use of EFS

> or

> | EFS recovery agent certificates on smart cards.

>

>

> Right. Got it.

>

>

> | 5) Have you established a custom EFS certificate that archives the

> private

> | key in the CA database.

>

>

> I have NO control over this and I don't know.

>

>

>

> | 6) Did you prevent the use of self-signed certificates at clients. You

> can

> | accomplish

> | this at XP/2003 with 912761 - Encrypting File System (EFS)

> | generates a self-signed

> | certificate when you try to encrypt an EFS file on a

> | Windows XP-based computer. For

> | Vista, this is accomplished through GPO.

>

>

> We do not use Self Signed certs. as this was pushed through GPO and

> EFSAssistant.

>

>

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>

>

Guest David H. Lipman
Posted

Re: When EFS goes bad

 

From: "Brian Komar (MVP)" <brian.komar@nospam.identit.ca>

 

| So based on your answers, the certificates on the smart card are not
| used, as the OS does not support smart card based EFS.
| The recovery may be possible if a password is available for the
| svc.EFSRecover.locale account, and you log on locally as that account. Once
| logged in, remove the encryption from the file.

| Brian

 

The notebook was taken away by the central IT group.

 

We'll see what happens.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted

Re: When EFS goes bad

 

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

 

| From: "Brian Komar (MVP)" <brian.komar@nospam.identit.ca>

 

|| So based on your answers, the certificates on the smart card are not
|| used, as the OS does not support smart card based EFS.
|| The recovery may be possible if a password is available for the
|| svc.EFSRecover.locale account, and you log on locally as that account. Once
|| logged in, remove the encryption from the file.

|| Brian

 

| The notebook was taken away by the central IT group.

 

| We'll see what happens.

 

 

Failed ! :-(

 

Ticket has been opened with Microsoft.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
