EFS Certificate Configuration Updater

Home
Releases
Discussions
Issue Tracker
Source Code
Stats
People
License
 
Comments | Print View | Page Info | Change History (all pages)
Search Wiki:
Home

(aka "reliable recovery for EFS'd files")


Project Description
One of the most critical outstanding issues with the use of EFS in the enterprise is that the EFS component 'driver' does not automatically start using "better" EFS certificates when they are enrolled. This command-line application wlil help an organization migrate EFS-encrypted content to be encrypted with centrally-enrolled (and ideally key-archival backed) digital certificates suitable for EFS.

Looking for Support?

  • If you'd like to download the latest version of this application, please click here
  • If you'd like to report a bug or issue to the developers, please click here
  • If you'd like to ask questions or see previous discussions regarding this application, please click here

News

Version 1.1 has been released - please download it from here and update any of your attempted installs of version 1.0.

This release fixes the showstopper bug that caused the installation of version 1.0 to fail for many customers. This release uses a brand-new Windows Installer approach that should avoid the "EFSConfigUpdate.application not found" error that many experienced.

This release contains the core functionality you'll need to make sure that the v2 EFS certs you have enrolled for your users are being used to protect the user's files.

Documentation

Future Enhancements to EFSCONFIGUPDATE

There are a number of opportunities to extend the functionality for this tool, many of which I've heard from one or another customer as something they'd like to see. Time (and demand) permitting, I'll see about adding a few of these in future versions of this tool. (Your input - through the Issue Tracker - can significantly influence what I invest my time in.)
  • log significant errors in the Application Event Log
  • archive any non-matching EFS certificates
  • provide multiple ways to identify the specific CA from which desired certificates should have been enrolled
  • don't just select the first matching certificate but the "best" matching certificate
  • optional capability to enroll for a matching certificate if no matching certificate is found
  • possible integration of this tool with the EFS Assistant (which you can find here: http://www.codeplex.com/EFSAssistant/)
  • localization by extracting all non-localized strings into appropriate resource files
  • additional error & exception handling

Other Free Tools to Help with an EFS Deployment

  • EFS Assistant: eases the burden of enforcing encryption on sensitive data files, no matter where they're stored on disk
  • EFSDump: provides access to some metadata about EFS-encrypted files, and may be the only remaining useable tool for Windows Vista since EFSInfo is not supported on Vista
Last edited Oct 30 2007 at 4:01 AM  by MikeSL, version 22
Comments
BryanOR wrote  Oct 19 2007 at 10:58 PM  
Hello everyone,

Want to start off by saying, "Great forum"

It is nice that they finally came out with a EFS management utility, but your right - the biggest issue with it, is that it does not have any kind of certificate management built into it.

In our environment we actually created a login script(.vbs) that not only enabled\verified folder encryption on target locations, we also built into it a user certificate check for best-valid-certificate while updating to a status file located within the users profile and then FTP or TFTPing the status file to a central location for easy parsing and managing status of encryption for all users and machines in our environment.

Script logic(simplified):
At login the script runs under user context. It checks the registry to see if the user has run the script on this system before. If not, the script writes some info and exits…..this was to address the issue of the 60 sec. default time frame for the user to receive there auto-enrolled CA EFS Cert(when logging on to a system for the first time-local profiles). if the user had not received there certificate and we did not exit till, then the EFS services would see that there was no domain CA EFS cert, so it would create the self-signed local efs cert. So at next logon the script would again look in to the registry, see that the user has run the script an then verify that they had a valid domain issued EFS cert. If yes it would then check for running applications like Office outlook, etc and if running would prompt user to close before proceeding. It continues in enabling\verifying the targeted folders (My Documents, Outlook, etc) are encrypting and if not it would proceed to enable folder encryption and encrypt all subfolders and files. [Any errors-written to status file]……If performing encryption the script utilizes the UNIX touch.exe utility to capture all modify dates prior to encryption and once complete will reapply all dates (modify dates are not lost).
Now If a user has received a new certificate the script will then (through a best-valid-cert logic) update the reg hash with the new thumbprint and mark in the registry pending rekey of all encrypted data at next user logon. At next user logon it notifies the user that an update is required to maintain there encrypted files and it will rekey all of there data. Status and old\new thumbprints are captured and written to status file. Modify dates are again maintained. If need be the script is also utilized at sites to decrypt users encrypted data for pc migration purposes.

The only dependences of the script is the touch.exe and of course capicom.dll

To verify best valid certificate we enumerate all certificates and select best certificate. Then compare thumbprints. If not using best…update hash and mark for pending rekey at next logon.

Partial logic:
' ** Enumerate all certificates and select best certificate
For Each objCert in objCertStore.Certificates
txtArchived = objCert.archived
txtThumbprint = objCert.Thumbprint
txtValidFrom = objCert.ValidFromDate
txtValidTo = objCert.ValidToDate
txtIssueingCA = objCert.GetInfo(1)
txtTemplateName = objCert.Template.name
txtHasPrivateKey = objCert.HasPrivateKey
txtValid = objCert.isvalid
' """""""""""""""""""""""""""""""""""""""""""""""""""
' ** Select Best Certificate
if (txtArchived = FALSE) AND (DateValue(txtValidFrom) <= Now()) AND _
(DateValue(txtValidTo) > DateValue(txtBestValidTo)) AND _
(Instr(UCASE(txtIssueingCA), "IssuingCAName") > 0) AND
(Instr(UCASE(txtTemplateName), "EFS") > 0) And _
(txtHasPrivateKey = TRUE) AND _
(txtValid = TRUE) Then

txtBestValidTo = txtValidTo
txtBestCertThumbPrint = txtThumbprint
End If
Next
All credit for this script goes to our script god "Chuck D"

Since I have taken over the script I have only need to add a few checks and balances for the capicom.dll and to included enabling the users desktop folder for encryption---very tricky

Sign in to add a comment

Downloads


Current release:
Version 1.1 - fixed the installer
Fri Oct 26 2007 at 7:00 AM
386 downloads


Activity

7 30 All days
Page Views
38
Visits
27
Pages Per Visit
1.41
Work Items Closed
0
Discussion Posts
0

Related Projects
© 2006-2008 Microsoft | Privacy Statement | Terms of Use | Code of Conduct | CodePlex Blog | Version 2008.8.12.13328
Updating...