Step-by-Step Guide to EFS Recovery

In this scenario John Smith is an employee who uses his domain credentials to have direct access to Example-Server01 which many employees use to store their confidential customer’s data. John uses the folder C:\Example_Customer1 to store his exclusive customer’s data and he uses EFS to encrypt the content of this folder.

After a few months John has been asked to leave the company with immediate effect due to integrity issues and therefore the IT security administrator needs to recover the files he stored in C:\Example_Customer1.

Task 1: Add Certificate Authority role to Example-DC01

  1. Log on to Example-DC01 (Domain Controller)
  2. Open the Start screen and click Server Manager.
  3. Click on Manage and then select Add Roles and Features.
  4. On the Before You Begin page select Next.
  5. On the Installation Type page select Role-based or feature-based installation.
  6. On the Server Selection page make sure Example-DC01.Example.com is selected.
  7. On the Select Server Roles page select Active Directory Certificate Services and then click Next.
  8. On the Select Features page, click Next.
  9. On the Introduction to Active Directory Certificate Services page, click Next.
  10. On the Select Role Services page, ensure that Certificate Authority is selected, and then click Next.
  11. On the Confirmation page, click Install.
  12. On the Results page, click Close.
  13. Go back to Server Manager and on the left pane click AD CS to see a yellow message line in the middle stating Configuration required for Active Directory Certificate Services at Example-DC01 and then click on More at the end of the message line.
  14. On the All Servers Task Details window, click Post Deployment Configuration task in the list and click Configure Active Directory Certificate Services.
  15. On the Credentials page make sure EXAMPLE\Administrator has been specified in the Credentials textbox and click Next.
  16. On the Role Services page, select Certificate Authority and click Next.
  17. On the Select Type page, select Enterprise CA and click Next.
  18. On the CA Type page, select Root CA and click Next.
  19. On the Private Key page, select Create a private key and click Next.
  20. On the Cryptography for CA page, click Next.
  21. On the CA Name page, leave everything as default and click Next.
  22. On the Validity Period page, specify the validity period to be 5 years and click Next.
  23. On the Certificate Database, leave the database location and log file location as default and click Next.
  24. On the Confirmation page, click Configure.
  25. On the Results page, click Close.
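
The same role installation and CA configuration can be scripted. The block below is an added example and not part of the original guide; it is the PowerShell equivalent of Task 1, run in an elevated session on Example-DC01 as EXAMPLE\Administrator. The host and domain names are the guide's; the CA common name is an assumption, since the guide keeps the wizard's default.

```powershell
# Added example, not from the original guide: PowerShell equivalent of Task 1.
# Run in an elevated PowerShell session on Example-DC01 as EXAMPLE\Administrator.
# Host and domain names are the guide's; the CA common name is an assumption
# (the guide keeps the wizard's default name).

# Install the AD CS role (the Certification Authority role service is the
# default) together with its management tools (steps 3-12).
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

# Post-deployment configuration, matching wizard steps 16-22: enterprise root
# CA, a new private key with the default cryptography settings, 5-year validity.
# -Force suppresses the confirmation prompt.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'Example-DC01-CA' `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# Verify the result: the CA service is running and the local CA answers.
Get-Service -Name CertSvc
certutil.exe -ping

# Show the CA configuration string and certificate that domain members will see.
certutil.exe -dump
```

The CA common name ends up in every certificate the CA issues and cannot be changed afterwards, so settle on it before running the second cmdlet rather than accepting a placeholder.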

Task 2: Create and export EFS data recovery agent

  1. Log on to Example-DC01.
  2. Open the Start screen and type Certification Authority and press Enter.
  3. Steps 4 to 8 are only needed if you want to create a new EFS Recovery Agent template; otherwise skip to step 9.
  4. On the Certification Authority console, right click Certificate Template and click Manage.
  5. On the Certificate Templates Console, right click EFS Recovery Agent from the list of templates and click Duplicate Template.
  6. On the Properties of New Template window, click General tab.
  7. Change the Template display name and Template name to EFS Recovery Agent 2 and select Publish certificate in Active Directory and click OK.
  8. Close the Certificate Templates Console and also the Certification Authority window.
  9. Open the Start Screen and type Group Policy Management and press Enter.
  10. On the Group Policy Management window, expand the following nodes Forest: Example.com > Domains > Example.com > Group Policy Objects and right click Default Domain Policy and click Edit.
  11. On the Group Policy Management Editor window, expand the following nodes Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and select Encrypting File System. If you need a new Data Recovery Agent certificate instead of the existing one, right click Encrypting File System and click Create Data Recovery Agent to create a new EFS recovery certificate, then export that one in the following steps.
  12. You will find an existing Data Recovery Agent certificate here for the Example.com\Administrator username. Right click the certificate and click All Tasks > Export.
  13. On the Certificate Export Wizard, click Next.
  14. On the Export Private Key page, select Yes, export the private key and click Next.
  15. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX) and select Include all certificates in the certification path if possible and also Export all extended properties and click Next.
  16. On the Security page, select Password and in the Password textbox type in P@ssw0rdEFS and then confirm it by typing it again and click Next.
  17. On the File to Export page, click Browse to open the Save As dialog box and type in DRA as the file name and click Save to choose the Desktop as the save location and close the dialog box. Click Next.
  18. On the Completing the Certificate Export Wizard page, click Finish.
  19. Close the Group Policy Management Editor and also the Group Policy Management windows.
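
Steps 12 to 18 can also be done from PowerShell. The block below is an added example, not part of the original guide; it runs on Example-DC01 as Example.com\Administrator, the account whose certificate the Default Domain Policy lists as the data recovery agent. It assumes that the DRA certificate and its private key live in that user's personal store (which is where the GUI export above reads it from) and prompts for the PFX password instead of embedding the guide's P@ssw0rdEFS in the script. The File Recovery OID used to find the certificate is the standard Microsoft EKU value.

```powershell
# Added example, not from the original guide: PowerShell equivalent of Task 2
# steps 12-18. Run on Example-DC01 as Example.com\Administrator.

# A DRA certificate carries the "File Recovery" enhanced key usage
# (OID 1.3.6.1.4.1.311.10.3.4.1); a user's own EFS certificate carries
# "Encrypting File System" (OID 1.3.6.1.4.1.311.10.3.4). Filtering on the
# OID avoids exporting the wrong key. Assumption: the key is in the
# Administrator's personal store, as it is for the default domain DRA.
$dra = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4.1' } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $dra) { throw 'No File Recovery certificate found in Cert:\CurrentUser\My' }
if (-not $dra.HasPrivateKey) { throw 'DRA certificate found, but its private key is not in this store' }

'Exporting DRA certificate {0} (subject {1}, expires {2})' -f $dra.Thumbprint, $dra.Subject, $dra.NotAfter

# Prompt for the PFX password (the guide uses P@ssw0rdEFS in the wizard).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Export certificate and private key as PKCS #12 with the full chain
# (equivalent of "Include all certificates in the certification path").
$desktop = [Environment]::GetFolderPath('Desktop')
$pfxPath = Join-Path -Path $desktop -ChildPath 'DRA.pfx'
Export-PfxCertificate -Cert $dra -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain

# Also export the public certificate on its own (.cer, no private key); this
# is the part that can be handed out and is what Group Policy publishes.
Export-Certificate -Cert $dra -FilePath (Join-Path -Path $desktop -ChildPath 'DRA.cer')
```

The .pfx file is the recovery key for every EFS file in the domain, so it belongs in offline or access-controlled storage, not on an administrator's desktop for longer than the copy in Task 3 takes.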

Task 3: Perform an EFS recovery of John’s encrypted Example_Customer1 folder

  1. Log on to Example-Server01.
  2. Create a new folder named Example_Customer1 in partition C.
  3. Double click and open Example_Customer1 and create a text document in it and name it Customer_Doc.txt.
  4. Double click Customer_Doc.txt and type in “This is a sample document”. Click File and then Save and then close the Notepad text editor.
  5. Open the Start screen and type cmd.exe and press Enter to open Windows command line.
  6. Type the following command and press Enter to encrypt the Example_Customer1 folder and all the content inside:
  7. Cipher.exe /E /S:C:\Example_Customer1
  8. Log out of Example-Server01 and log in to it this time as Example.com\administrator.
  9. Open the Start screen, type \\Example-DC01.Example.com\C$\Users\Administrator\Desktop and press Enter.
  10. Copy the DRA.pfx file from the desktop of Example-DC01 to the desktop of Example-Server01 and double click it.
  11. On the Welcome to the Certificate Import Wizard page, select Current User and click Next.
  12. On the File to Import page, leave the file name as default and click Next.
  13. On the Private key protection page, type in P@ssw0rdEFS in the Password textbox.
  14. Select all the following and click Next:
    1. Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option.
    2. Mark this key as exportable. This will allow you to back up or transport your keys at a later time.
    3. Include all extended properties.
  15. On the Certificate Store page, select Automatically select the certificate store based on the type of certificate and click Next.
  16. On the Completing the Certificate Import Wizard page, click Finish.
  17. Open the folder C:\Example_Customer1 and open Customer_Doc.txt and you will be able to see the content of the file.
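
The recovery half of Task 3 (steps 10 to 17) can be done from PowerShell as well, and scripting it makes room for two checks the wizard does not show: confirming before the import that the file really lists the domain recovery agent, and removing the recovery key from the server once the data is back. The block below is an added example, not part of the original guide; it runs on Example-Server01 as Example.com\Administrator and assumes DRA.pfx has already been copied to that user's desktop as in step 10. Folder and file names are the guide's.

```powershell
# Added example, not from the original guide: PowerShell equivalent of Task 3
# steps 10-17, run on Example-Server01 as Example.com\Administrator after
# John encrypted the folder with "Cipher.exe /E /S:C:\Example_Customer1".
# Assumption: DRA.pfx was copied to this user's desktop (step 10).

$folder  = 'C:\Example_Customer1'
$file    = Join-Path -Path $folder -ChildPath 'Customer_Doc.txt'
$pfxPath = Join-Path -Path ([Environment]::GetFolderPath('Desktop')) -ChildPath 'DRA.pfx'

# Check before importing anything: "cipher /C" lists the users and the
# recovery agents whose keys can decrypt the file. If no recovery agent is
# listed, the file was encrypted before the DRA policy applied and the DRA
# key will not open it.
cipher.exe /C "$file"

# Import the recovery agent's certificate and private key into the current
# user's personal store (steps 11-16, with "Mark this key as exportable").
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$dra = Import-PfxCertificate -FilePath $pfxPath `
                             -CertStoreLocation Cert:\CurrentUser\My `
                             -Password $pfxPassword `
                             -Exportable |
       Where-Object { $_.HasPrivateKey }

# Step 17: EFS now finds the DRA private key and decrypts transparently.
Get-Content -Path $file

# Permanently decrypt the folder contents so the data no longer depends on
# John's key or the DRA key.
cipher.exe /D /S:"$folder"

# Clean-up: the DRA private key opens every EFS file in the domain, so do not
# leave it on a file server. -DeleteKey removes the private key container
# along with the certificate; then remove the PFX copy as well.
Remove-Item -Path "Cert:\CurrentUser\My\$($dra.Thumbprint)" -DeleteKey
Remove-Item -Path $pfxPath
```

The decrypt step is optional if the intention is to re-encrypt the folder under the new owner's account; in that case log on as that user and run the guide's step 7 command again, which replaces John's key with the new user's key while keeping the recovery agent on the file.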

If you are interested in security and you want more of these detailed step-by-step guides, you could have a look at my recently published ebook, Security on Windows 2012.