Guest David H. Lipman
Posted July 10, 2008

When EFS goes bad

We are on an Active Directory Domain.

Recently, through Group Policy enforcement, EFS has been pushed to our users on notebooks.

Generally speaking things have gone well. However, one of my users has run into a negative consequence.

One of my users complained that he could no longer access one of his MS Outlook Archive folders.

Examination found the 1.38GB PST to exist and Outlook was properly pointing to it. At first it was thought that it was damaged, so I ran the InBox Repair Tool. It indicated the PST was Read-Only. When I examined the PST it did not have the Read-Only attribute, but it was encrypted. Under the end-user's account I tried to decrypt the file, but I got "Access Denied". All other PST files in the same folder (and all other data files, for that matter) were encrypted, but the end-user had no problems opening any of them EXCEPT this one 1.38GB PST file. [ a highly crucial file! ]

Further examination showed a Domain service account attached to the file as "svc.EFSRecovery.locale" (name obfuscated). I contacted the central organization responsible for the Domain and they sent someone out to look at the end-user's PC, and that person spent 3 hours with no progress.

What went wrong with this one file?
Can it be recovered?
Can it be decrypted/re-encrypted using the user's account-based certificate?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Dobromir Todorov
Posted July 10, 2008

Re: When EFS goes bad

What exactly did you configure in your Group Policy?
Did you remove any user certificates and associated private keys from that user's computer?

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com
Guest David H. Lipman
Posted July 10, 2008

Re: When EFS goes bad

From: "Dobromir Todorov" <dtodorov@msn.com>

| What exactly did you configure in your Group Policy?
| Did you remove any user certificates and associated private keys from that
| user's computer?

I no longer control the OU of our Domain. This is now done by a centralized organization. Due to privacy issues, I can not elaborate.

We all use Smart Cards and all three Certs for his Smart Card were in his personal Certificate Store. All current, none expired or revoked. He still had his Domain Account cert in his store set to expire on 6/27/2108.

All other encrypted files can be decrypted w/o any problems. It is only this ONE PST that he gets "access denied" on. :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Dobromir Todorov
Posted July 11, 2008

Re: When EFS goes bad

Well, I don't think anyone can help much without the details. The important thing is that the File Encryption Key (FEK) used to actually encrypt the PST file is encrypted in the user's and the Data Recovery Agent's (DRA) public keys and is attached as metadata to the file. If the user has ALL the private keys and associated certificates/public keys available, EFS will use them all to try and decrypt the FEK, and access the content of the file. If the private/public (certificate) key pair that was used to originally encrypt the FEK is missing, the user will fail to open the file. Make sure that the original set of certificates and associated keys is there.

Also, it may turn out that this user was, say, a local computer admin and was able to open the file as a Data Recovery Agent (DRA), rather than as a user. When you applied the policy, you may have set a new DRA for this file, and the old one is now lost - hence the reason why he's not able to access the file anymore.

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com
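The key hierarchy Dobromir describes above, as an added model written for this thread (it is not Windows' EFS code and none of the posters supplied it): one random FEK per file, wrapped once for each user key (the DDF entries) and once for each recovery-agent key (the DRF entries). The demo scenario at the bottom is constructed to mirror the thread: a file wrapped for an old user key and an old DRA, and a logon that now holds only a re-enrolled user key and a DRA set later by policy. Key identifiers, padding choice and the "access denied" wording are this model's assumptions, not EFS internals.

```powershell
# Model of the EFS FEK / DDF / DRF scheme. Written as an illustration for this
# thread; real EFS stores this in the $EFS attribute and uses CAPI/CNG key
# containers, but the dependency shown here is the same: a file opens only if
# a private key matching one of ITS OWN wrapped-FEK entries is available.
using namespace System.Security.Cryptography

function New-KeyPair { [RSA]::Create(2048) }   # stands in for a cert + private key

function Get-KeyId([RSA]$Key) {
    # Stand-in for a certificate thumbprint: hash of the public modulus.
    $mod = $Key.ExportParameters($false).Modulus
    [BitConverter]::ToString([SHA1]::Create().ComputeHash($mod)).Replace('-', '').Substring(0, 16)
}

function Wrap-Fek([RSA]$Key, [byte[]]$Fek) {
    # One DDF/DRF entry: who it is for, and the FEK encrypted to that public key.
    [PSCustomObject]@{
        KeyId   = Get-KeyId $Key
        Wrapped = $Key.Encrypt($Fek, [RSAEncryptionPadding]::OaepSHA256)
    }
}

function Protect-Content {
    param([byte[]]$Plaintext, [RSA[]]$UserKeys, [RSA[]]$RecoveryKeys)
    $aes = [Aes]::Create(); $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
    $fek = $aes.Key                               # fresh per-file key
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    [PSCustomObject]@{
        IV         = $aes.IV
        CipherText = $ct
        DDF        = @($UserKeys     | ForEach-Object { Wrap-Fek $_ $fek })
        DRF        = @($RecoveryKeys | ForEach-Object { Wrap-Fek $_ $fek })
    }
}

function Unprotect-Content {
    param($Blob, [RSA[]]$AvailablePrivateKeys)
    # Try every entry the FILE carries against every key this LOGON holds.
    foreach ($entry in @($Blob.DDF) + @($Blob.DRF)) {
        $key = $AvailablePrivateKeys | Where-Object { (Get-KeyId $_) -eq $entry.KeyId } | Select-Object -First 1
        if (-not $key) { continue }               # cert may be known, but no usable private key here
        try   { $fek = $key.Decrypt($entry.Wrapped, [RSAEncryptionPadding]::OaepSHA256) }
        catch [System.Security.Cryptography.CryptographicException] { continue }
        $aes = [Aes]::Create(); $aes.Key = $fek; $aes.IV = $Blob.IV
        return $aes.CreateDecryptor().TransformFinalBlock($Blob.CipherText, 0, $Blob.CipherText.Length)
    }
    throw 'Access is denied: no available private key matches any DDF/DRF entry of this file.'
}

# --- constructed scenario mirroring the thread ---
$userOld = New-KeyPair    # key pair the user had when the PST was first encrypted
$userNew = New-KeyPair    # key pair the user holds now (e.g. after re-enrolment)
$draOld  = New-KeyPair    # recovery agent at encryption time
$draNew  = New-KeyPair    # recovery agent pushed later by Group Policy
$pst  = [Text.Encoding]::UTF8.GetBytes('archive.pst contents (constructed sample)')
$blob = Protect-Content -Plaintext $pst -UserKeys $userOld -RecoveryKeys $draOld

# Changing the DRA in policy does not re-wrap FEKs of files already on disk, and a
# newer user certificate is not interchangeable with the one that wrapped the FEK:
try   { Unprotect-Content $blob @($userNew, $draNew) | Out-Null }
catch { "Expected failure: $($_.Exception.Message)" }

# Only a key that appears in THIS file's own entries recovers it:
[Text.Encoding]::UTF8.GetString((Unprotect-Content $blob @($draOld)))
```

The second call fails even though `$userNew` and `$draNew` are perfectly valid keys, which is the point of the post above: having current, unrevoked certificates in the store says nothing about whether one of them is the key pair that wrapped this particular file's FEK. A new DRA in policy only takes effect for files encrypted (or re-saved with a key update) after the change.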
Guest Adam Stasiniewicz
Posted July 11, 2008

Re: When EFS goes bad

When you look at the properties of the file, from the General tab select Advanced, then Details. You will see all the certificates which can decrypt the file. If you see a certificate in the top window that does not belong to the user, check with the maintainer of your CA whether they have key archival enabled. If they do, have them provide you with the key pair for the certificate so that you can decrypt the file. Otherwise, check the bottom window. If there is a cert listed there (i.e. the DRA), ask your CA maintainer to provide that certificate.

Either way, once you get the needed cert: import the cert (with private key) into the local user store of a computer and copy the PST to a local drive. Then you should be able to decrypt the file.

Hope that helps,
Adam Stasiniewicz
Guest David H. Lipman
Posted July 11, 2008

Re: When EFS goes bad

From: "Adam Stasiniewicz" <nospam@nospam>

| When you look at the properties of the file, from the General tab select
| Advanced, then Details. You will see all the certificates which can decrypt
| the file. If you see a certificate in the top window that does not belong
| to the user, check with the maintainer of your CA whether they have key archival
| enabled. If they do, have them provide you with the key pair for the
| certificate so that you can decrypt the file. Otherwise, check the bottom
| window. If there is a cert listed there (i.e. the DRA), ask your CA
| maintainer to provide that certificate.

| Either way, once you get the needed cert: import the cert (with private key)
| into the local user store of a computer and copy the PST to a local drive.
| Then you should be able to decrypt the file.

| Hope that helps,
| Adam Stasiniewicz

Thanx.

The "certificate in the top window" did belong to the end-user.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Dobromir Todorov
Posted July 11, 2008

Re: When EFS goes bad

...and there was a private key in the user's profile that corresponded to that certificate?

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com
Guest David H. Lipman
Posted July 11, 2008

Re: When EFS goes bad

From: "Dobromir Todorov" <dtodorov@msn.com>

| ...and there was a private key in the user's profile that corresponded to
| that certificate?

| --
| ---
| HTH,
| Dobromir

Yes. As I stated previously...

"We all use Smart Cards and all three Certs for his Smart Card were in his personal Certificate Store. All current, none expired or revoked. He still had his Domain Account cert in his store set to expire on 6/27/2108."

There were four certificates in his personal cert. store. Three for his Smart Card and one matching the "certificate in the top window" also noted previously in this thread.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Brian Komar (MVP)
Posted July 13, 2008

Re: When EFS goes bad

Actually, that was not clear. If you have the "correct" certificate, and in the properties of the certificate it states that you have the private key associated with the certificate, the file should open. Here are my questions:

1) Is the svc.EFSRecovery.locale account listed as the user account able to access the file?

2) Was a proper attempt performed to recover the file with an EFS Recovery Agent listed as the DRA for the file? I mean by this that an administrator logged on to the system, imported the recovery certificate from the archived PFX file, and then attempted the decryption.

3) No mention of OS in the thread. What OS is the client running?

4) If the client is running XP, then the EFS cert and the EFS Recovery Agent certificate *must* be in software. XP/2003 do not support the use of EFS or EFS Recovery Agent certificates on smart cards.

5) Have you established a custom EFS certificate that archives the private key in the CA database?

6) Did you prevent the use of self-signed certificates at clients? You can accomplish this at XP/2003 with 912761 - Encrypting File System (EFS) generates a self-signed certificate when you try to encrypt an EFS file on a Windows XP-based computer. For Vista, this is accomplished through GPO.

HTH,
Brian
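The checks Adam and Brian describe above, collected into one added diagnostic script (this is not from the original posts or from Microsoft): list the thumbprints of every key that wraps the file's FEK, compare them against the private keys this logon can actually use, and, if the PKI team has supplied the DRA key as a PFX, attempt the recovery on a local copy. It assumes Windows Vista/Server 2008 or later for `cipher /c` (the XP/2003 equivalent listing is `efsinfo /u /r /c <file>` from the Support Tools), English-locale output from cipher, and the hypothetical path and PFX name in the parameters.

```powershell
# Diagnose "Access Denied" on an EFS file: what keys does the FILE require, and
# which of them does this LOGON hold? Added for this thread; paths are examples.
param(
    [Parameter(Mandatory)][string]$Path,   # e.g. 'D:\Mail\archive.pst' (hypothetical)
    [string]$RecoveryPfx                   # optional DRA key exported by the PKI/CA team
)

function Get-EfsKeyThumbprints([string]$File) {
    # 'cipher /c' reads the file's $EFS attribute: exactly the user (DDF) and
    # recovery-agent (DRF) entries Windows will try. Assumes English output and
    # the "Certificate thumbprint: XXXX XXXX ..." label cipher prints.
    $text = (& cipher.exe /c $File 2>&1) -join "`n"
    if ($text -notmatch 'Users who can decrypt') {
        throw "cipher /c reported no EFS metadata for $File (not encrypted, or not NTFS?)"
    }
    [regex]::Matches($text, '(?i)thumbprint:\s*([0-9A-F ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() } |
        Select-Object -Unique
}

# 1. Keys the file requires (users first, then recovery agents, in cipher's order).
$needed = Get-EfsKeyThumbprints $Path

# 2. Keys this profile can offer. Brian's point 4: on XP/2003 EFS only uses
#    software keys, so a certificate whose key lives on a smart card is of no
#    use for EFS there even though it shows a private key.
$mine = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey
foreach ($t in $needed) {
    $cert = $mine | Where-Object Thumbprint -eq $t
    if ($cert) {
        # CSP name identifies where the key is stored; $null for CNG keys not exposed via CAPI.
        $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
        "USABLE   $t  $($cert.Subject)  [$provider]"
    } else {
        "MISSING  $t  no private key for this thumbprint in CurrentUser\My"
    }
}

# 3. Recovery as the posts describe: import the DRA key (certutil prompts for
#    the PFX password), copy the file to a local NTFS volume, decrypt the COPY.
if ($RecoveryPfx) {
    & certutil.exe -user -importPFX $RecoveryPfx | Out-Null
    $copy = Join-Path $env:TEMP (Split-Path $Path -Leaf)
    Copy-Item -LiteralPath $Path -Destination $copy -Force
    & cipher.exe /d $copy | Out-Null
    $stillEncrypted = ((Get-Item $copy).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    if ($stillEncrypted) {
        Write-Warning "Decryption of $copy failed: the imported key does not match any entry on the file"
    } else {
        "Decrypted copy written to $copy"
    }
}
```

A MISSING line for the thumbprint in the "Users who can decrypt" section is the situation in this thread: the certificate can be present in the store, current and unrevoked, and still not be the key pair whose thumbprint the file carries. The recovery step imports the PFX before copying, because the copying account must be able to decrypt the source for the copy to succeed, and it works on a copy so that a failed attempt leaves the original untouched.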
Guest David H. Lipman
Posted July 13, 2008

Re: When EFS goes bad

From: "Brian Komar (MVP)" <brian.komar@nospam.identit.ca>

| Actually, that was not clear.

My apologies :-(

| If you have the "correct" certificate, and in the properties of the
| certificate it states that you have the private key associated with the
| certificate, the file should open. Here are my questions:

| 1) Is the svc.EFSRecovery.locale account listed as the user account able to
| access the file?

Yes.

| 2) Was a proper attempt performed to recover the file with an EFS Recovery
| Agent listed as the DRA for the file? I mean by this that an administrator
| logged on to the system, imported the recovery certificate from the archived
| PFX file, and then attempted the decryption.

My understanding is that was attempted.

| 3) No mention of OS in the thread. What OS is the client running?

WinXP >= SP2

| 4) If the client is running XP, then the EFS cert and the EFS Recovery Agent
| certificate *must* be in software. XP/2003 do not support the use of EFS or
| EFS Recovery Agent certificates on smart cards.

Right. Got it.

| 5) Have you established a custom EFS certificate that archives the private
| key in the CA database?

I have NO control over this and I don't know.

| 6) Did you prevent the use of self-signed certificates at clients? You can
| accomplish this at XP/2003 with 912761 - Encrypting File System (EFS)
| generates a self-signed certificate when you try to encrypt an EFS file on a
| Windows XP-based computer. For Vista, this is accomplished through GPO.

We do not use Self Signed certs, as this was pushed through GPO and EFSAssistant.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Brian Komar (MVP)
Posted July 13, 2008

Re: When EFS goes bad

So based on your answers, the certificates on the smart card are not used, as the OS does not support smart card based EFS.

The recovery may be possible if a password is available for the svc.EFSRecover.locale account, and you log on locally as that account. Once logged in, remove the encryption from the file.

Brian
Guest David H. Lipman
Posted July 14, 2008

Re: When EFS goes bad

From: "Brian Komar (MVP)" <brian.komar@nospam.identit.ca>

| So based on your answers, the certificates on the smart card are not
| used, as the OS does not support smart card based EFS.

| The recovery may be possible if a password is available for the
| svc.EFSRecover.locale account, and you log on locally as that account. Once
| logged in, remove the encryption from the file.

| Brian

The notebook was taken away by the central IT group.

We'll see what happens.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman
Posted July 15, 2008

Re: When EFS goes bad

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

| From: "Brian Komar (MVP)" <brian.komar@nospam.identit.ca>

|| So based on your answers, the certificates on the smart card are not
|| used, as the OS does not support smart card based EFS.

|| The recovery may be possible if a password is available for the
|| svc.EFSRecover.locale account, and you log on locally as that account. Once
|| logged in, remove the encryption from the file.

|| Brian

| The notebook was taken away by the central IT group.

| We'll see what happens.

Failed! :-(

Ticket has been opened with Microsoft.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp