EFS - Recovering Encrypted files

You are the network administrator for 7 Seconds Resources, Inc. Joe is a disgruntled worker who was just fired. Before Joe left, he deleted his private key. How can you gain access to his files?

1. The recovery agent can access the files.
2. The data cannot be recovered.
3. You must take ownership of the file.
4. The administrator can reset Joe's password and then login with his account and access the files.

This is a question I came across while doing an online practice site at MCMCSE.com, and I don't know if I agree with the answers. In my opinion, only #1 is a valid option. They say in the explanation that both 1 and 4 would work. It is my understanding that #4 is valid under 2K Pro, but not XP. Anyone with EFS experience care to help me out? lol.
Thanks,

Travis

Comments

  • sprkymrk Member Posts: 4,884
    They are correct, as long as his account was not deleted you can recover the files by logging in as Joe. It is actually a recommended "Best Practice" to back up your private key to a floppy and then delete it from your hard drive. After doing this, you can still access the encrypted files. If you leave the private key on your hard drive, someone with admin rights can access and steal your private key, thus gaining access to your encrypted data without having to log in as the user "Joe". The key is only needed if someone other than Joe needs to recover the files, or if his account is deleted.

    But I am trying an experiment right now, so I'll repost in a few minutes after actually trying it.
    All things are possible, only believe.
  • sprkymrk Member Posts: 4,884
    Interesting. Using XP Pro SP2, I created a folder called EFS. Using the advanced properties I set it to encrypt the contents of the folder. I placed a text file inside and added a few words.

    Then I went and exported my EFS certificate, then deleted the certificate from my drive. At that point I could still access and read the file. I then logged off and back on as the same user and was denied access to the file. I had to import the cert again to read the file.

    So now I have to change my original answer and say that only option 1 is correct, as you suspected. I learn something new every day. Thanks for a good question!
    All things are possible, only believe.
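
Added example, not part of the original thread: a PowerShell check for the situation tested above, showing whether the current user still holds an EFS private key, who can decrypt a given file (users and recovery agents, via `cipher /c`), and backing the key up to a password-protected PFX. It assumes a current Windows release with the PKI module (`Export-PfxCertificate`); `$Target` and `$BackupDir` are hypothetical paths.

```powershell
# Added example. $Target and $BackupDir are hypothetical; adjust before running.
# Run as the user who owns the encrypted files.
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'   # EKU OID for Encrypting File System
$Target    = 'C:\EFS\notes.txt'         # hypothetical encrypted file
$BackupDir = 'E:\efs-backup'            # hypothetical removable-media folder

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A certificate is usable for EFS when its Enhanced Key Usage lists the EFS OID.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            $ext.EnhancedKeyUsages.Value -contains $EfsOid) {
            return $true
        }
    }
    return $false
}

# 1. List EFS certificates in the user's store and whether the private key is present.
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsCertificate $_ })
if ($efsCerts.Count -eq 0) {
    Write-Warning 'No EFS certificate found in Cert:\CurrentUser\My.'
}
foreach ($c in $efsCerts) {
    '{0}  HasPrivateKey={1}  NotAfter={2:d}' -f $c.Thumbprint, $c.HasPrivateKey, $c.NotAfter
}

# 2. Show the users and recovery certificates that can decrypt the file.
if (Test-Path $Target) {
    cipher /c $Target
}

# 3. Back up every EFS certificate that still has its private key.
$withKey = @($efsCerts | Where-Object { $_.HasPrivateKey })
if ($withKey.Count -gt 0) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $pw = Read-Host 'Password to protect the PFX files' -AsSecureString
    foreach ($c in $withKey) {
        $pfx = Join-Path $BackupDir ('efs-{0}.pfx' -f $c.Thumbprint)
        Export-PfxCertificate -Cert $c -FilePath $pfx -Password $pw | Out-Null
        "Backed up $($c.Thumbprint) to $pfx"
    }
}
```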
  • theseman Member Posts: 230
    Well thank you for taking the time to find out for sure! Before my exam (May 26th) I plan on putting in a week of practical practice/exploring to confirm the theory studying I have done to date.

    Hopefully it will help cement the knowledge!

    Thanks again!
  • sprkymrk Member Posts: 4,884
    Best of luck to you!
    All things are possible, only believe.