Security

Keep the following considerations in mind when planning to deploy Windows 2000-based computers. You have the option to disable EFS and to designate alternate recovery agent accounts. You also need to protect recovery keys from misuse as well as to maintain archives of obsolete recovery agent certificates and private keys.

Disabling EFS for a Set of Computers    You can disable EFS for a domain, organizational unit, or stand-alone computer by applying an empty Encrypted Data Recovery Agents policy setting. Until Encrypted Data Recovery Agent settings are configured and applied through Group Policy, there is no policy, and the default recovery agents are used by EFS. However, EFS must use the recovery agents that are listed in the Encrypted Data Recovery Agents Group Policy after the settings have been configured and applied. If the policy that is applied is empty, EFS does not operate. For more information about configuring Encrypted Data Recovery Agents policy settings, see Windows 2000 Professional Help or Windows 2000 Server Help.

Designating Alternate Recovery Agents    You can configure Encrypted Data Recovery Agents policy to designate alternative recovery agents. For example, to distribute the administrative workload in your organization, you can designate alternative EFS recovery accounts for categories of computers grouped by organizational units. You might also configure Encrypted Data Recovery Agents settings for portable computers so that they use the same recovery agent certificates when they are connected to the domain and when they are operated as stand-alone computers. For more information about configuring Encrypted Data Recovery Agents policy settings, see Windows 2000 Professional Help or Windows 2000 Server Help.

Before you can designate alternate recovery agent accounts, you must deploy Windows 2000 Server and Certificate Services to issue recovery agent certificates. For more information about Certificate Services, see Windows 2000 Certificate Services and Public Key Infrastructure in the Microsoft Windows 2000 Server Resource Kit Distributed Systems Guide.

Securing Recovery Keys    Because recovery keys can be misused to decrypt and read files that have been encrypted by EFS users, it is recommended that you provide additional security for private keys for recovery. The first step in providing security for recovery keys is to disable default recovery accounts by exporting the recovery agent certificate and the private key to a secure medium and selecting the option to remove the private key from the computer. When the recovery certificate and key are exported with this option, the key is removed from the computer. You then store the exported certificate and key in a secure location to be used later for file recovery operations. Securing private keys for recovery ensures that nobody can misuse the recovery agent account to read encrypted files. This is especially important for mobile computers or other computers that are at high risk of falling into the wrong hands. For more information about how to export and secure private keys for recovery, see Windows 2000 Professional Help or Windows 2000 Server Help.

Maintaining Archives of Recovery Keys    For EFS encrypted files, the recovery agent information is refreshed every time the file system performs an operation on the file (for example, when the file is opened, moved, or copied). However, if an encrypted file is dormant for a long time, the recovery agent certificates recorded in it can expire. To ensure that dormant encrypted files can be recovered, maintain archives of the recovery agent certificates and private keys. To create an archive, export the certificate and its private key to a secure medium and store it in a safe location. When you export private keys, you must provide a secret password for authorizing access to the exported key. The exported private key is stored in an encrypted format to protect its confidentiality.

To recover dormant files with expired recovery agent information, import the appropriate expired recovery agent certificate and private key from the archive to a recovery account on a local computer and then perform the recovery. To view recovery agent information for an encrypted file, use the efsinfo tool. For more information about efsinfo, see Windows 2000 Tools Help.
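The export-and-remove step in Securing Recovery Keys and the archive step in Maintaining Archives of Recovery Keys, as an added example written in PowerShell for the PKI module of Windows 8 / Windows Server 2012 and later, not the Windows 2000 export wizard the text describes; the archive path, the CurrentUser store, and the file naming are assumptions.

```powershell
# Added example (not from the Resource Kit): archive each EFS recovery agent certificate with its
# private key to a password-protected PFX, verify the copy, then remove the key from the computer.
$ArchiveDir      = 'E:\EFS-Recovery-Archive'          # assumed: removable media kept offline
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'         # EKU OID "File Recovery" (EFS recovery agent)

# Recovery agent certificates live in the personal store of the recovery account (assumed: CurrentUser).
$agents = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryEku) }

if (-not $agents) {
    Write-Warning 'No recovery agent certificate with a private key found in Cert:\CurrentUser\My.'
    return
}

# The password protects the exported key; it is never written to disk by this script.
$password = Read-Host -Prompt 'Password for the exported recovery key' -AsSecureString
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

foreach ($cert in $agents) {
    # Keep the expiry date in the file name: expired agents must be retained, since dormant
    # files may still carry their recovery information.
    $name = "RecoveryAgent-$($cert.Thumbprint)-expires-$($cert.NotAfter.ToString('yyyyMMdd')).pfx"
    $path = Join-Path $ArchiveDir $name

    # Export certificate + private key (equivalent of the export wizard with "export private key").
    Export-PfxCertificate -Cert $cert -FilePath $path -Password $password | Out-Null

    # Verify the archive copy before destroying the only online copy of the key.
    $check = Get-PfxData -FilePath $path -Password $password
    if ($check.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
        throw "Archive verification failed for $path; key left in place."
    }

    # Equivalent of "remove the private key from the computer": delete the certificate and its key.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    Write-Output "Archived and removed: $($cert.Subject) (valid until $($cert.NotAfter))"
}

# Later recovery of a dormant file: import the matching archived agent into a recovery account, e.g.
#   Import-PfxCertificate -FilePath $path -CertStoreLocation Cert:\CurrentUser\My -Password $password
# and remove it again with Remove-Item ... -DeleteKey once the recovery is finished.
```

Run it from an elevated session of the recovery account; Export-PfxCertificate fails if the private key was marked non-exportable when the certificate was issued.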