Tech Tip: Back up EFS/Limit DNS zone transfers

Windows 2000 Professional: Back up EFS

The Encrypting File System (EFS) enables users to securely encrypt files—a nearly effortless process because Windows 2000 automatically creates the keys needed to encrypt and decrypt the data. But if the user somehow deletes his or her EFS private key, the encrypted data could be inaccessible. However, Windows 2000 also creates a recovery agent key that can decrypt the data.

Windows 2000 encrypts files with the recovery agent's public EFS key, as well as the user's EFS key. This means you can use the recovery agent's key to decrypt the files if the user's key is lost.

By default, the local administrator account is the default recovery agent for computers in a workgroup. The domain administrator is the default recovery agent for computers in a domain.

To protect against inaccessible data if there's a problem with the user keys, you should back up the recovery agent key on any systems that use EFS. To export the key on a workgroup computer, follow these steps:

  1. Log on to the local computer using the local administrator account, and run Secpol.msc.
  2. Expand the Public Key Policies\Encrypted Data Recovery Agents branch.
  3. In the right pane, right-click the certificate, and choose All Tasks | Export.
  4. Choose Next when the wizard starts.
  5. Choose Yes (Export The Private Key), and click Next.
  6. Follow the remainder of the wizard using the default values, and specify a file to contain the key.
  7. When the wizard finishes, copy the newly created file to a safe network share, or copy it to a disk and secure the disk in a safe location.

In the wizard, if you choose the option to remove the private key from the computer after the export is complete, you must restart the workstation or domain controller for the removal to be completed.

If you need to back up the recovery agent key for a domain, run Dompol.msc on the first domain controller in the domain. Use the same procedure as above to export the key to a file.

Windows 2000 Server: Limit DNS zone transfers

Primary and secondary DNS servers exchange data by performing zone transfers during which they transfer all data about the zone from the primary to the secondary server. While zone transfer allows you to have several DNS servers holding the same information, it can pose a certain threat to your network if not used wisely.

Because zone transfer transmits all information about a certain DNS zone, it could also help an intruder get to know your network better. Tools such as Nslookup allow you to easily perform zone transfers with DNS servers.

If you don't want to allow zone transfers to everyone, you can specify a list of servers that you'll allow to perform zone transfers with your DNS server. Follow these steps:

  1. Open the DNS console on your DNS server, and expand the server and zone for which you want to disable zone transfers.
  2. Right-click it, and select Properties.
  3. On the Zone Transfers tab, you can either limit the zone transfers to the DNS servers on your network and let DNS manage them, or you can manually specify the IP address of the computers allowed to perform zone transfers.
  4. Click OK.

Editor's Picks

Free Newsletters, In your Inbox