To access encrypted files after the user account has been deleted, you need to use a recovery agent. Recovery agents have access to the file encryption key that’s necessary to unlock data in encrypted files. However, to protect sensitive data, recovery agents don’t have access to a user’s private key or any private key information.
Recovery agents are designated automatically, and the necessary recovery certificates are generated automatically as well to ensure that encrypted files can always be recovered.
EFS recovery agents are configured at two levels:
■ Domain: The recovery agent for a domain is configured automatically when the first Windows Server 2012 R2 domain controller is installed. By default, the recovery agent is the domain administrator. Through Group Policy, domain administrators can designate additional recovery agents. Domain administrators can also delegate recovery agent privileges to designated security administrators.
■ Local computer: When a computer is part of a workgroup or in a standalone configuration, the recovery agent is the administrator of the local computer by default. You can designate additional recovery agents. Further, if you want local recovery agents in a domain environment rather than domain-level recovery agents, you must delete the recovery policy from the Group Policy for the domain.
You can delete recovery policies if you don’t want them to be available. However, deleting recovery policies is not recommended because there can be severe unintentional consequences.
Configuring the EFS recovery policy
Recovery policies are configured automatically for domain controllers and workstations. By default, domain administrators are the designated recovery agents for domains, and the local administrator is the designated recovery agent for a standalone workstation.
Through Group Policy, you can view, assign, and delete recovery agents by following these steps:
1. Access the Group Policy console for the local computer, site, domain, or organizational unit with which you want to work. For details on working with Group Policy, see Chapter 6, “Managing users and computers with Group Policy.”
2. Expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies, and then tap or click Encrypting File System to access the configured Recovery Agents in Group Policy.
3. The pane at the right lists the recovery certificates currently assigned. Recovery certificates are listed according to who they are issued to, who issued them, their expiration date and purpose, and more.
4. To designate an additional recovery agent, press and hold or right-click Encrypting File System, and then tap or click Add Data Recovery Agent. This starts the Add Recovery Agent Wizard, which you can use to select a previously generated certificate that has been assigned to a user and mark it as a designated recovery certificate. Tap or click Next. On the Select Recovery Agents page, tap or click Browse Directory, and in the Find Users, Contacts, And Groups dialog box, select the user you want to work with. Tap or click OK, and then tap or click Next. Tap or click Finish to add the recovery agent.
5. To delete a recovery agent, select the recovery agent’s certificate in the right pane, and then press Delete. When prompted to confirm the action, tap or click Yes to permanently and irrevocably delete the certificate. If the recovery policy is empty (meaning it has no other designated recovery agents), EFS is turned off so that users can no longer encrypt files.
NOTE Before you can designate additional recovery agents, you should set up a root certificate authority (CA) in the domain. Afterward, you must use the Certificates snap-in to generate a personal certificate that uses the EFS Recovery Agent template. The root CA must then approve the certificate request so that the certificate can be used. You can also use Cipher.exe to generate the EFS recovery agent key and certificate.
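The Cipher.exe route mentioned in the note, as an added example that is not part of the book: it generates the recovery agent certificate and key, then verifies that a newly encrypted file actually lists the recovery agent after the policy applies. The folder path and test file name are assumptions; run it in an elevated PowerShell session.

```powershell
# Added example (not the book's own code): generate an EFS recovery agent key pair with
# Cipher.exe and confirm which recovery agents an encrypted file lists.
$draBase = 'C:\EFSRecovery\dra'   # assumption; cipher appends .cer (certificate) and .pfx (certificate + private key)
New-Item -ItemType Directory -Path (Split-Path -Path $draBase) -Force | Out-Null

# /r: prompts for a password that protects the private key inside dra.pfx.
# dra.cer is the file you import as the designated recovery certificate in Group Policy.
# dra.pfx can decrypt every file covered by the policy, so keep it offline with the recovery agent.
cipher.exe /r:$draBase

# Once the recovery policy has applied on the client (gpupdate /force), encrypt a test file and
# check that the new recovery agent appears on it. Files encrypted before the policy change are
# not rewritten automatically; cipher /u updates the recovery keys on all encrypted files.
$testFile = Join-Path -Path $env:USERPROFILE -ChildPath 'efs-test.txt'   # assumption
Set-Content -Path $testFile -Value 'constructed test content'
cipher.exe /e $testFile
cipher.exe /c $testFile   # lists the users who can decrypt the file and its recovery certificates
```

If the recovery certificates section of the cipher /c output is empty, the policy has not reached the computer or the recovery policy was deleted, and files encrypted in that state cannot be recovered by an agent.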
Backing up and restoring encrypted data and certificates
You can back up and restore encrypted data like you can any other data. The key thing to remember is that you must use backup software that understands EFS, such as the built-in backup and restore tools. You must be careful when using this type of software, however.
The backup or restore process doesn’t necessarily back up or restore the certificate needed to work with the encrypted data. The user’s profile data contains that certificate. If the user’s account exists and the profile still contains the necessary certificate, the user can still work with the encrypted data.
If the user’s account exists and you previously backed up the user’s profile and then restored the profile to recover a deleted certificate, the user can still work with the encrypted data. Otherwise, there’s no way to work with the data, and you need to have a designated recovery agent access the files, and then remove the encryption.
Being able to back up and restore certificates is an important part of any disaster recovery plan. The next sections examine the techniques you can use to perform these tasks.
Backing up encryption certificates
You use the Certificates snap-in to back up and restore personal certificates. Personal certificates are saved with the Personal Information Exchange (.pfx) format.
To back up personal certificates, follow these steps:
1. Log on as the user to the computer where the personal certificate you want to work with is stored. Tap or click Start, enter mmc in the Search box, and then press Enter. This opens the Microsoft Management Console (MMC).
2. In the MMC, select File, and then select Add/Remove Snap-In. This opens the Add Or Remove Snap-Ins dialog box.
3. In the Available Snap-Ins list, select Certificates, and then tap or click Add. Select My User Account, and then tap or click Finish. This adds the Certificates snap-in to the Selected Snap-Ins list. The focus for the snap-in is set to the currently logged-on user account.
4. Tap or click OK to close the Add Or Remove Snap-Ins dialog box.
5. Expand Certificates-Current User, expand Personal, and then select Certificates. Press and hold or right-click the certificate you want to save, tap or click All Tasks, and then tap or click Export. This starts the Certificate Export Wizard. Tap or click Next.
6. Select Yes, Export The Private Key. Tap or click Next twice.
7. On the security page, use the options provided to specify security principals that should have access to the certificate. The default security principal is the Administrator account. Afterward, enter and confirm a password for opening the certificate. Tap or click Next.
8. Tap or click Browse. Use the dialog box provided to specify a file location for the certificate file, and then tap or click Save. Be sure that this location is secure, because you don’t want to compromise system security. The file is saved with the .pfx extension.
9. Tap or click Next, and then tap or click Finish. If the export process is successful, you’ll get a message box confirming this. Tap or click OK to close the message box.
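The same export, and the restore that follows from it, done from PowerShell rather than the Certificates snap-in, as an added example that is not the book's own code. It selects the user's EFS certificate by its Encrypting File System enhanced key usage; the file path and function names are assumptions, and it must run as the user who owns the certificate.

```powershell
# Added example (not the book's own code): back up the logged-on user's EFS certificate with its
# private key to a password-protected .pfx, and restore it on another computer.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # OID of the "Encrypting File System" enhanced key usage

function Backup-EfsCertificate {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][securestring]$Password)
    # Newest certificate in the user's Personal store that has an EFS EKU and still holds its private key
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) } |
        Sort-Object -Property NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key was found in Cert:\CurrentUser\My.' }
    # Export certificate plus private key (step 6); the password protects the .pfx (step 7)
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password -ChainOption EndEntityCertOnly | Out-Null
    return $cert.Thumbprint
}

function Restore-EfsCertificate {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][securestring]$Password)
    # -Exportable keeps the private key exportable so the certificate can be backed up again later
    $cert = Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $Password -Exportable
    return $cert.Thumbprint
}

# Usage: store the .pfx on removable media or another protected location, not only on the same disk
$pfxPath = Join-Path -Path $env:USERPROFILE -ChildPath 'efs-cert-backup.pfx'   # assumption
$pfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
$thumbprint = Backup-EfsCertificate -Path $pfxPath -Password $pfxPassword
"Backed up EFS certificate $thumbprint to $pfxPath"
# On the target computer, logged on as the same user:
#   Restore-EfsCertificate -Path $pfxPath -Password $pfxPassword
```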
Restoring encryption certificates
When you have a backup of a certificate, you can restore the certificate to any computer on the network, not just the original computer. The backup and restore process is, in fact, how you move certificates from one computer to another.