In this scenario, John Smith is an employee who uses his domain credentials for direct access to Example-Server01, a server that many employees use to store their confidential customer data. John uses the folder C:\Example_Customer1 to store the data of his own customers, and he uses EFS to encrypt the contents of this folder.
After a few months, John is asked to leave the company with immediate effect due to integrity issues, and the IT security administrator therefore needs to recover the files he stored in C:\Example_Customer1.
In this exercise you will learn how to encrypt and decrypt files and folders using the cipher.exe command-line utility on Windows Server 2012 R2:
- Log on to Example-Server01 and create a new folder named Confidential_Docs on drive C.
- Double-click Confidential_Docs to open it, create a text document inside it, and name it Daily_Doc.txt.
- Double-click Daily_Doc.txt and type something in it. Click File, then Save, and close Notepad.
- Open the Start screen, type cmd.exe and press Enter to open the Windows command prompt.
- Type the following command and press Enter to encrypt the Confidential_Docs folder and all the content inside:
- Cipher.exe /E /S:C:\Confidential_Docs
- To decrypt the same folder, you will need to use the following command:
- Cipher.exe /D /S:C:\Confidential_Docs
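The exercise above as a PowerShell script, added here as an example (it is not code from the original page). It runs the same cipher.exe commands and, instead of trusting the tool's printed output, verifies the result by reading the Encrypted file attribute on the folder and the file. The folder and file names are the ones used in the exercise; the file content and the Added_Later.txt file are constructed for this example.

```powershell
# Added example, not code from the original page. Assumes Windows Server 2012 R2
# (or later) with EFS enabled, run as the user who will own the encryption certificate.
$Folder = 'C:\Confidential_Docs'
$File   = Join-Path $Folder 'Daily_Doc.txt'

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # EFS sets the Encrypted bit in the item's attributes. This works for files and
    # for directories (a directory with the bit set encrypts new files created in it).
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Show-EfsState {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        '{0,-35} encrypted={1}' -f $p, (Test-EfsEncrypted -Path $p)
    }
}

# Steps 1-3 of the exercise: the folder and a text document inside it.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Set-Content -LiteralPath $File -Value 'constructed sample text'

# Step 5: encrypt the folder and its content (same command as the exercise).
# If Daily_Doc.txt reports encrypted=False here, add the /A switch, which tells
# cipher.exe to operate on files as well as directories.
cipher.exe /E "/S:$Folder" | Out-Null
Show-EfsState -Paths $Folder, $File

# A file created after the folder was marked is encrypted automatically.
$Later = Join-Path $Folder 'Added_Later.txt'
Set-Content -LiteralPath $Later -Value 'constructed sample text'
Show-EfsState -Paths $Later

# Step 6: decrypt again. /D clears the folder marker; /A makes cipher.exe decrypt
# the existing files as well, so nothing stays encrypted by accident.
cipher.exe /D /A "/S:$Folder" | Out-Null
Show-EfsState -Paths $Folder, $File, $Later
```

Checking the attribute rather than the console text is the useful habit here: the same Test-EfsEncrypted check can be run over the folder the administrator needs to recover, to confirm which files are actually EFS-protected before any recovery attempt.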
You can disable EFS for a folder, a computer or even the entire domain. To disable EFS for a folder, create a file called Desktop.ini that contains:
Save this file in the folder in which you want EFS to be disabled. When a user then tries to encrypt the folder or the files in it, the following message is shown: “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”
Note that only the current folder and the files directly in it are affected by the Desktop.ini file. If you create a subfolder, both the subfolder and any files in it can still be encrypted. Also, encrypted files can be copied or moved into the directory that contains the Desktop.ini file without losing their encryption.
Disabling EFS for a Stand-Alone Computer
If you want to disable EFS for the entire computer, you need to add an entry to the computer's registry:
- In the Run dialog box, type regedit.exe.
- Navigate to the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.
- On the Edit menu, point to New, and then click DWORD Value.
- Enter EfsConfiguration for the value name and 1 for the value data to disable EFS. (A value of 0 enables EFS.)
- Restart the computer.
- If EFS is disabled and a user tries to encrypt a file or folder, a message tells the user that “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”
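Both ways of disabling EFS described above (the per-folder Desktop.ini and the machine-wide EfsConfiguration registry value) in one PowerShell script, added here as an example; it is not code from the original page. The page does not print the Desktop.ini content; the `[Encryption]` section with `Disable=1` used below is the setting Microsoft documents for this purpose. The registry path and value name are the ones given in the steps above. The folder name C:\Shared_NoEfs and the test file are constructed for this example.

```powershell
# Added example, not code from the original page. Disable-EfsForComputer writes
# HKLM and needs an elevated prompt, and its effect requires a reboot, so it is
# defined but not called at the bottom of the script.
$Folder = 'C:\Shared_NoEfs'                                       # constructed name
$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'  # path from the steps above

function Disable-EfsForFolder {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $ini = Join-Path $Path 'Desktop.ini'
    # Microsoft's documented Desktop.ini setting that blocks EFS in this folder.
    # Plain ASCII with CRLF line endings, as ini files expect.
    [System.IO.File]::WriteAllText($ini, "[Encryption]`r`nDisable=1`r`n", [System.Text.Encoding]::ASCII)
    return $ini
}

function Disable-EfsForComputer {
    # 1 disables EFS for the whole machine, 0 enables it (per the steps above).
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    New-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-EfsPolicyState {
    # Reports what a user would run into: a folder-level block, a machine-level block, or neither.
    param([Parameter(Mandatory)][string]$Path)
    $ini = Join-Path $Path 'Desktop.ini'
    $folderBlocked = $false
    if (Test-Path -LiteralPath $ini) {
        $folderBlocked = (Get-Content -LiteralPath $ini -Raw) -match '\[Encryption\][\s\S]*?Disable\s*=\s*1'
    }
    $machineValue = (Get-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -ErrorAction SilentlyContinue).EfsConfiguration
    [pscustomobject]@{
        Folder             = $Path
        FolderEfsDisabled  = [bool]$folderBlocked
        MachineEfsDisabled = ($machineValue -eq 1)
    }
}

Disable-EfsForFolder -Path $Folder | Out-Null
Get-EfsPolicyState -Path $Folder

# Trying to encrypt a file in this folder now fails with the message quoted above.
# Note that a subfolder would not be covered, exactly as the text says.
Set-Content -LiteralPath (Join-Path $Folder 'test.txt') -Value 'constructed'
cipher.exe /E /A "/S:$Folder"
```

Get-EfsPolicyState is the piece worth keeping: run on a file server, it tells you at a glance whether a folder that users expect to be encryptable is blocked by a stray Desktop.ini or by the machine-wide registry value.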
Important Points about Group Managed Service Accounts
Group Managed Service Accounts are an ideal identity solution for services running on multiple hosts. Using them requires no administrative overhead for password management, because passwords are handled automatically by Windows Server 2012/2012 R2 across all of the hosts. They also support hosts that are offline, that is, not connected to the network for a period of time: when such a host comes back online, the password is synchronized for the service running on it and the service can start successfully. It is also important to note that failover clusters currently do not support gMSAs, but services running on top of a cluster can use them if they are a Windows service, an application pool or a scheduled task, or if they natively support gMSAs.
Also note that you can only configure and administer group managed service accounts on Windows Server 2012/2012 R2, but you can still have other domain controllers running earlier versions of Windows Server. There are very important points to take into consideration when configuring managed service accounts:
- Managed service accounts can work across domain boundaries as long as the required domain trusts exist.
- A managed service account can be placed in a security group.
- Managed service accounts can be stored anywhere in Active Directory, although there is also a specific container for them.
- Passwords are automatically created for managed service accounts and are refreshed every 30 days. You can change a password manually.
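The points above put into practice with the ActiveDirectory PowerShell module, added here as an example (it is not code from the original page or from Microsoft): a gMSA is created for the hosts in one security group, given the 30-day password interval mentioned above, placed in a security group itself, and then checked. All names (Example-Servers, Example-Service-Accounts, svc_web, example.com) are constructed, and the two groups are assumed to exist already.

```powershell
# Added example, not code from the original page. Run on a Windows Server
# 2012/2012 R2 domain controller as a Domain Admin with the ActiveDirectory module.
Import-Module ActiveDirectory

$HostGroup   = 'Example-Servers'           # constructed: the hosts that run the service
$AccountGroup = 'Example-Service-Accounts' # constructed: a group the gMSA itself joins
$GmsaName    = 'svc_web'                   # constructed; sAMAccountName becomes svc_web$
$DnsHost     = 'svc_web.example.com'       # constructed

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# -EffectiveImmediately still waits for the key to replicate before it is usable.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

function New-ExampleGmsa {
    # Only members of $HostGroup may retrieve the password. The interval matches the
    # 30-day refresh mentioned above and can only be set when the account is created.
    New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsHost `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ManagedPasswordIntervalInDays 30 -PassThru
}

function Get-GmsaSummary {
    # Reads back the settings an auditor would want to confirm.
    $acct = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval, MemberOf
    [pscustomobject]@{
        Account      = $acct.SamAccountName
        AllowedHosts = $acct.PrincipalsAllowedToRetrieveManagedPassword
        IntervalDays = $acct.'msDS-ManagedPasswordInterval'
        Groups       = $acct.MemberOf
    }
}

New-ExampleGmsa | Out-Null

# A gMSA can be a member of a security group like any other principal.
Add-ADGroupMember -Identity $AccountGroup -Members (Get-ADServiceAccount -Identity $GmsaName)
Get-GmsaSummary

# On each host in $HostGroup, after a reboot so the new group membership is in the
# host's token, install the account locally and confirm the password can be retrieved:
#   Install-ADServiceAccount -Identity $GmsaName
#   Test-ADServiceAccount    -Identity $GmsaName     # True when the host can use it
```

The host group is the control that matters for least privilege: whoever can add a computer to Example-Servers can give that computer the service's credential, so membership of that group deserves the same review as membership of an administrative group.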