Naturally, you assume that when you use EFS to encrypt files on your Windows 2000 server, they’re safe. However, what do you do when you need to back up and recover encrypted files? More importantly, what do you do when an employee leaves your company but encrypts vital company data before heading out the door? In this Daily Feature, I will take you through some important backup and recovery operations for encrypted files.

Using the Windows 2000 Backup applet
The Windows 2000 Backup applet can back up encrypted data even if the backup operator or account (in the case of a scheduled backup) doesn’t have a certificate in place to view the encrypted data. This behavior is essentially the same as Backup’s ability to back up files and folders for which the backup operator/account doesn’t have sufficient permissions to view the data. In the case of encrypted files, Backup can back up the data to tape or backup file and the files remain encrypted. If someone steals a tape and succeeds in restoring the tape, Backup will not restore the encrypted data. Instead, Backup will create empty files.

In some situations, you might need to recover encrypted files. For example, a user might leave the company and delete his certificates or even reformat his hard drive before he leaves with the only copy of the data in a backup set. Or, a user might accidentally lose his EFS certificates, either by meddling in the Certificates console or through a system drive failure. If you can’t restore the certificate to the user’s computer, you can take another approach.

Start by backing up the encrypted files to a backup file set, either on a network volume or a floppy if the data is small enough to fit. Install the certificate to the computer where you will be restoring the files. This can be your own computer even if you need to ultimately restore the files to a different computer, because you’re going to decrypt the files as part of the recovery process. You can simply copy them to an encrypted folder on the target computer to reapply encryption.

Next, restore the files from the backup set to an NTFS volume on the recovery computer. After the files are restored, reset the encryption attribute to decrypt the files, and then copy them to the target computer to encrypt them again (if needed).

Working with recovery policies
EFS requires that a recovery agent be designated before Windows 2000 allows encryption to proceed. On stand-alone computers or computers in a workgroup, Windows 2000 automatically designates the local administrator as the recovery agent and places the appropriate recovery key in the administrator’s personal certificate store on the computer. In a domain, Windows 2000 designates the Domain Administrator account as the default recovery agent for the domain. Whether you continue to use these default recovery agents or you reassign that responsibility depends on your security needs, domain structure, and other considerations.

If you have stand-alone or workgroup computers, you should secure the default recovery key to prevent unauthorized persons from using it to gain access to encrypted data. On each computer, log on as administrator, open the Certificates console, and then export the EFS certificate to a file. Put the certificate file in a safe place, such as on a secure network server or on a floppy disk in a locked cabinet, and then delete the certificate from the computer.

You might also want to secure the recovery certificate in a domain environment. Perhaps you want to assign EFS recovery to a specific administrator or group of users rather than give that responsibility to the domain administrator. To secure the domain recovery certificate, log on as administrator in the first domain controller in the domain. Export the recovery certificate from the Certificates console and then delete the certificate from the domain administrator’s certificate store.

When you delegate EFS recovery in a domain and remove the recovery certificate from the domain administrator’s certificate store, you can either install the exported recovery certificate in the certificate stores of those users who are designated as recovery agents or use a Certificate Authority (CA) to generate recovery certificates as needed. Either method works well, but using a CA provides unique recovery certificates for each recovery agent, adding security and redundancy.

To allow recovery agents to request recovery certificates as needed, start by creating a group called Domain Recovery Agents in the domain and then add the recovery agents’ accounts to the group. Configure policies on the CA to allow members of the Domain Recovery Agents group to request recovery certificates. Next, each recovery agent should request a recovery certificate through the Certificates console. After the agent receives the certificate, it must be published in Active Directory or exported to a CER file and placed in a secure network share so it can be added to the domain recovery policy.

Once the agents have their certificates and corresponding CER files, you can set up the domain recovery policy. You accomplish this by adding each agent and certificate to the default domain policy. You can also set the recovery policy at the OU level, but the following assumes you want to define recovery agents at the domain level. The process is the same, except you add the recovery agents at the OU level rather than the domain level.

Place the certificates in the Security Settings\Public Key Policies\Encrypted Data Recovery Agents container to implicitly define the domain recovery policy and to allow those users to perform recovery operations in the domain. To add the certificates, log on to a domain controller and open the domain security policy through the Administrative Tools folder. Right-click the Public Key Policies\Encrypted Data Recovery Agents container and click Add to start the Add Recovery Agent wizard. Through the wizard, locate the agents’ certificates in Active Directory if published there or on the network share mentioned previously), select them, and follow the wizard prompts to add the certificates. Repeat the process as needed to add other agents.

After you have successfully added the recovery agents to the domain security policy, each agent should export his certificate to a secure PFX file, store the file in a secure location, and remove the certificate from the local computer. This ensures that the certificate is applied through the domain policy rather than through local policy.

Finally, don’t take for granted that all of your EFS configuration efforts have been successful. Run through a recovery to verify that the appropriate people can successfully recover encrypted files when needed.