Windows 2000 Certificate Services and Public Key Infrastructure


Recovering Encrypted Data

Windows 2000 supports the encryption of persistent data by EFS and secure mail systems. Encrypted data is usually readable only to the user who possesses the required private key to unlock the data. However, if the user's private key is lost or damaged, the encrypted data becomes unusable unless there is a means to restore the plaintext or the private key to the user. Furthermore, if a user who has encrypted information leaves the organization or is terminated, organizations can lose access to valuable encrypted information unless there is a means for someone else besides the user to recover the encrypted information.

When you deploy EFS or secure mail, implement a recovery program and policies to ensure that users' encrypted data can be recovered. EFS provides for recovery agents (trusted administrators) who can recover encrypted files. Many secure mail systems, such as Microsoft® Exchange Server, provide a key recovery database so that trusted administrators can restore users' private keys when necessary for users to read their encrypted mail (for example, when a user's private key is corrupted).

Recovery for Encrypting File System

EFS provides for data recovery agents. By default, the domain Administrator user account (the local Administrator account for the first domain controller installed in the domain) is issued an EFS recovery certificate. You can use this account to recover files encrypted by EFS users in the domain. The private key for EFS recovery is stored on the local computer where the EFS recovery account is located, so you must perform EFS recovery operations on the computer where that private key resides.

You can configure Encrypted Data Recovery Agents policy to designate alternative recovery agents. For example, to distribute the administrative workload in your organization, you can designate alternative EFS recovery accounts for categories of computers grouped by organizational unit. The policy determines which recovery accounts on those computers are used for EFS recovery operations.

You must deploy a CA to issue EFS Recovery Agent certificates to the EFS recovery accounts you want to designate by means of Encrypted Data Recovery Agents policy. You can issue certificates for EFS recovery with an enterprise CA or a stand-alone CA.

For enterprise CAs, by default, members of the Domain Admins and Enterprise Admins security groups are granted permissions to enroll for EFS Recovery Agent certificates. To change the default certificate enrollment settings, modify the ACLs for the EFS Recovery Agent certificate template. You can request an EFS Recovery Agent certificate by using the Certificate Request wizard or by using the Advanced Certificate Request page for an enterprise CA.

For stand-alone CAs, you can use the Advanced Certificate Requests form to request a recovery agent certificate by entering 1.3.6.1.4.1.311.10.3.4.1 as the object identifier in the Usage OID box.
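As an added example (not part of the Resource Kit text), the following Python script DER-encodes and decodes that object identifier and checks whether a certificate's Extended Key Usage (EKU) extension lists the EFS Recovery Agent usage, a useful sanity check before designating an account as a recovery agent. It assumes the plain EFS usage OID 1.3.6.1.4.1.311.10.3.4, which the page does not quote, and constructs its sample EKU bytes inline so it runs offline.

```python
from typing import List

EFS_RECOVERY_OID = "1.3.6.1.4.1.311.10.3.4.1"  # EFS Recovery Agent usage (from the page)
EFS_USER_OID = "1.3.6.1.4.1.311.10.3.4"        # plain EFS usage (assumed; not quoted on the page)


def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])     # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # low 7 bits last, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))      # higher groups carry the continuation bit
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Decode the contents octets of an OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_eku(der: bytes) -> List[str]:
    """Parse an EKU extension value (SEQUENCE OF OBJECT IDENTIFIER, short-form lengths)."""
    if der[0] != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        tag, length = der[pos], der[pos + 1]
        if tag != 0x06:
            raise ValueError("EKU element is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids


def build_eku(oids: List[str]) -> bytes:
    """Wrap encoded OIDs in the outer SEQUENCE (constructed test data, not a real cert)."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body


def is_efs_recovery_agent(eku_der: bytes) -> bool:
    """True if the certificate's EKU carries the EFS Recovery Agent usage."""
    return EFS_RECOVERY_OID in parse_eku(eku_der)


# Constructed sample: an EKU listing both the EFS and EFS Recovery Agent usages.
SAMPLE_EKU = build_eku([EFS_USER_OID, EFS_RECOVERY_OID])
```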

The cipher command-line program is used to recover EFS files. The recovery operation decrypts the encrypted file to plaintext, which is readable by others. Therefore, administrators must take precautions when they are transferring the plaintext back to the user to ensure that the confidentiality of the information is preserved. For more information about cipher, see Windows 2000 Server Help.

For EFS-encrypted files, the recovery agent information is refreshed every time the file system performs an operation on the file (for example, when the file is opened, moved, or copied). However, if an encrypted file is dormant for a long time, the recovery agent certificates recorded in it can expire. To ensure that dormant encrypted files can be recovered, maintain archives of the recovery agent certificates and private keys. To create an archive, export the certificate and its private key to a secure medium and store it in a safe location. When you export a private key, you must provide a secret password that authorizes access to the exported key; the exported private key is stored in an encrypted format, protected by that password, to preserve its confidentiality.

To recover dormant files with expired recovery agent information, import the appropriate expired recovery agent certificate and private key from the archive to a recovery account on a local computer and then perform the recovery. To view recovery agent information for an encrypted file, use the efsinfo tool. For more information about efsinfo, see Windows 2000 Tools Help.

For more information about EFS and EFS recovery, see "Encrypting File System" in this book.

Recovery for Secure Mail

The Windows 2000 public key infrastructure does not provide a key recovery system for secure mail. However, to provide key recovery services, you can deploy secure mail systems, such as Exchange Server.

Exchange Server maintains users' private keys in a central protected store. Security administrators can use the Key Management Server (KM Server) to recover keys and restore them to users as necessary. For more information about KM Server, see Exchange Server Help and the Microsoft® BackOffice® Resource Kit.

Anyone who can obtain a user's private key can impersonate that user in e-mail transactions or read confidential mail that is intended for that user. Therefore, it is recommended that administrators take precautions when transferring keys back to users to ensure that the confidentiality of the keys is preserved.

© 1985-2000 Microsoft Corporation. All rights reserved.