Implementing EFS in a Windows Server 2003 Domain

by Deb Shinder
Sept. 1, 2017 1 comment TechGenix Apps & Hardening windows server security

In order to encrypt files and folders with EFS, a user must have a valid X.509 certificate. When a user attempts to encrypt data, EFS looks in the user’s personal certificate store for an EFS certificate. If it doesn’t find one, it attempts to enroll you for an EFS certificate with a Windows certification authority. If you’re not using a domain account or if it is unable to request a certificate through a CA, EFS generates a self-signed certificate. However, there are problems inherent in using self-signed certificates: Unlike a certificate issued by a trusted third party (CA), a self-signed certificate signifies only self-trust. It’s sort of like relying on an ID card created by its bearer, rather than a government-issued card. Since encrypted files aren’t shared with anyone else, this isn’t really as much of a problem as it might at first appear, but it’s not the only problem. If the self-signed certificate’s key becomes corrupted or gets deleted, the files that have bee...

Irina Alexandra Negrii 3 months ago

Because of the danger of data loss in the wake of a lost or corrupted key, you should ensure that all users export their private keys and maintain a copy offline