Access Denied: Prevent Administrators from Overriding EFS

Get answers to your security-related Win2K questions

[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!]

I'm trying to set up Encrypting File System (EFS) to protect confidential data in user home directories. No one except the user should have access to this data—not even administrators. I logged on as a test user and encrypted a file. Then, I logged on as Administrator and could open the file. I thought EFS was user specific. Why can the Administrator override EFS, and how can I prevent this override?

By default, the Administrator is the data-recovery agent—a user who, in addition to the user who originally encrypted the file, can decrypt for data-recovery purposes (e.g., in the event of a deleted user account or a lost encryption key). EFS won't function unless you specify a data-recovery agent.

In Active Directory (AD) Group Policy Objects (GPOs), you can designate someone other than the domain administrator as the data-recovery agent for all the computers in an organizational unit (OU), but this designation is useful only for delegating the data-recovery task to someone else. To define a data-recovery agent (or agents) for all the computers in an OU of your domain, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the OU, select Properties, then click the Group Policy tab. Edit an existing GPO, or create a new one, then edit it. Maneuver to computer configurationwindows settingssecurity settingspublic key policiesencrypted data recovery agents. In the Encrypted Data Recovery Agents folder, you can create data-recovery certificates, but be aware that to request a certificate, you previously must have installed Certificate Services as an Enterprise Certificate Authority (CA) on a server within your domain.

Note that because Windows 2000 updates a file's data-recovery-agent information only when the file is first created and when the file is modified, changing the data-recovery agent will affect only newly encrypted files or files modified after the data-recovery-agent change. Only the previous data-recovery agent can recover encrypted files that existed before the data-recovery-agent change and that haven't been modified since then.

Changing the data-recovery agent won't prevent administrators from accessing encrypted files, however. To access an encrypted file, all you need is the ability to log on as the user who encrypted it. Dishonest administrators can log on as any user simply by resetting the password; however, doing so could get them in trouble because the next time the user tries to log on, the password won't work. A dishonest but savvy administrator could use L0phtCrack to crack the user's password and log on as the user. You can't prevent administrators from cracking passwords; therefore you can't use EFS to keep administrators out of confidential files. Instead, set up another server and have someone you trust administer it, or find a third-party encryption tool that handles encryption keys outside of Win2K.