EFS Certificate Configuration Updater

Commented Feature: Enable the tool to replace actively-used cert with another issued from the same CA & cert template (pvt key compromise scenario)

lalkin — Thu, 04 Dec 2008 18:39:40 GMT

User lalkin requests:
"I'd like to be able to use this tool to change the actively used cert but both certs have been issued by the same CA and use the same template."
"I'm working on designing workflow for EFS tasks and one of them is the replacement of a cert in case the private key is compromised. Thus we would be issuing a new cert from the same CA."

And I responded with:
"Based on the scenario you're targeting, would it be fair to assume that the newest certificate from the same CA would be the one you'd like to see in the user's EFS configuration? If we can make that assumption ("always use the newest qualifying cert"), I should be able to implement an extension to the logic that builds a collection of all qualifying certs, and chooses the one with the furthest-out Expiration Date."
Comments: ** Comment from web user: lalkin **

Commented Issue: Vista: UAC elevation reportedly occurs at some point during execution of the tool

lalkin — Thu, 04 Dec 2008 18:38:07 GMT

User lalkin reports:
"First, this tool seems to require admin access in Vista (it activates the UAC). That prevents a non-admin from using the tool."

Firstly, I should add additional trace logging to the portions of the code where the elevation is likely to occur.
Second, I should release a Debug build of the tool and ask lalkin if he'd be willing to report any Stack Traces that may occur (though this isn't an exception, there may be an exception that leads to an elevation event - I don't know, just thinking of any way to isolate this issue).
Comments: ** Comment from web user: lalkin **

The reason why the UAC elevation prevents a nonadmin from running the tool is that they have to authenticate as an admin which then would cause the tool to affect the admin user (since it is running with their token). At least that is what I think would happen.

Thought I'd elaborate.

I'd be fine with running a debug build.

New Post: Any way to switch between 2 certs issued by the same CA/template?

lalkin — Thu, 04 Dec 2008 18:26:00 GMT

If the utility defaulted to the newest certificate that would take care of most situations I've come up with. I'm thinking using the Valid From property might be better than the expiration date. Expiration date would be fine as well, whichever is easier to grab.

With the above implemented the interactive feature would be less needed for me but still would be a nifty feature.

Thanks!

Closed Task: Examine these CryptoAPI p/invoke extension samples for any useful functionality

MikeSL — Mon, 01 Dec 2008 06:17:06 GMT

http://msdn2.microsoft.com/en-us/library/ms867087.aspx

Closed Task: Rename/refactor the Certs namespaces & app-specific namespace

MikeSL — Mon, 01 Dec 2008 06:16:02 GMT

Currently, the CertificateFunctions and EFSCertificateFunctions classes - they're currently members of the ParanoidMike namespace.

I'd like them to work more like:

namespace ParanoidMike.Certificates
{
    class CertFunctions
    { ....

namespace ParanoidMike.Certificates.Efs
{
    class EfsCertFunctions
    { ....

Similarly, the namespace for the EFSCertConfigUpdater app-specific code should go into its own branch of ParanoidMike, such as

namespace ParanoidMike.EfsUpdate
{
    class Program
    { ....

    class Arguments
    { ....

Created Task: Migrate the command-line parameter functionality to Codeplex' Command Line Parser Library

MikeSL — Sun, 30 Nov 2008 23:12:10 GMT

I don't like the way the CommandLine library (Peter Hallam, Microsoft) works, and it has a lot of FxCop violations (and is very disorganized). I'm inclined to clean this up, but since it's not being actively supported - at least, from what I've been unable to find so far - I'll consider another option.

I'll have a look at the Command Line Parser Library currently published on Codeplex - see if it's better organized, cleaner for FxCop, and if it works just as well or better.

Next, figure out how to migrate the Arguments config.

Then, implement whatever code is needed to re-instantiate the command-line parameters.

Finally, address work item 11770.

Created Feature: Log whether the "do not enroll self-signed certs" feature has been enabled

MikeSL — Sun, 30 Nov 2008 22:56:19 GMT

On Windows XP SP3, Windows Vista, Windows 2008 and beyond, there is a setting that allows an Administrator to prevent any future enrollment of self-signed EFS certificates. This is enabled through a Registry setting (which can also be set through Group Policy).

Research:
- what that Registry setting is
- which KB article first documented the hotfix for pre-SP3 XP
- how to determine whether (OS >= XPSP3 | OS >= Vista | OS >= 2008)

Created Task: Rename/refactor the Certs namespaces

MikeSL — Sun, 30 Nov 2008 22:08:42 GMT

Created Release: Version 2.0 - UI to interactively select cert

MikeSL — Sun, 30 Nov 2008 07:12:04 GMT

This is subject to change, but at this point I'm thinking that adding a UI would be cool, to allow the user to interactively select an existing EFS cert.

Additional ideas include:
- only showing those certs that are valid according to the current configuration (e.g. command-line parameters)
- not showing the UI if only one valid EFS cert (or one valid EFS cert in addition to the currently-configured cert) is found
- providing some additional feedback for the user to indicate which cert is suggested (e.g. highlighting the one(s) that matches the current configuration)
- providing a button to enable the user to kick off the autoenrollment engine (whether or not a valid cert was found)

This is all wild speculation and far-out in planning, but these are some of the ideas I'm considering.

Created Release: Version 1.3 - enable another command-line parm

MikeSL — Sun, 30 Nov 2008 07:06:08 GMT

Haven't decided which command-line parameter to enable yet.

Source code checked in, #24564

MikeSL — Sun, 30 Nov 2008 06:57:56 GMT

Fixed most of the identified StyleCop-flagged issues.

Created Task: Migrate the Usage strings from DisplayUsage() to the Arguments/CommandLine classes

MikeSL — Sun, 30 Nov 2008 06:23:30 GMT

Updated Wiki: What EFSCONFIGUPDATE Does

MikeSL — Sun, 30 Nov 2008 03:53:01 GMT

What EFSCONFIGUPDATE Does

By default the application will update the user's EFS configuration (the per-user CertificateHash registry value) with the first valid non-self-signed EFS certificate that it finds.
If no such certificates are found, the application will exit.
If the CertificateHash value is already configured with the selected certificate, the application will exit.
The application creates a log of all significant activity that it performs, to give some visibility into how it selects a suitable EFS certificate, whether it succeeds and why.

This log file is found under %APPDATA%\EFSCertConfigUpdate\ and is named "EFSCertConfigUpdateTraceLog.txt".

Closed Task: Encapsulate the "CertHash value update state" in the EFSCertFunctions class - expose it as "UpdateUserEfsConfig"

MikeSL — Sun, 30 Nov 2008 03:43:25 GMT

I think there's too close a dependency between the Main() function and knowledge that the EFS CertHash is what needs to be manipulated to successfully "update the EFS Configuration" when a new EFS cert is discovered.

It would be slightly more behaviour-independent for Main() to call something like "UpdateUserEfsConfiguration()" than to call "UpdateCertificateHashRegistryValue()". The latter could be the private function called by a public UpdateUserEfsConfiguration()" function, but it would leave us more flexible to change the implementation of UpdateUserEfsConfiguration() if there were different or additional steps necessary to update the user's EFS Config.

This should be accompanied with a similar change to the CertificateHashValueUpdated boolean in the Program class - perhaps call it "UserEfsConfigUpdated" instead.

Closed Task: Move the trace logging location from "Local Settings\Application Data" to "Application Data"

MikeSL — Sun, 30 Nov 2008 03:24:26 GMT

On XP there's no env variable for %LOCALAPPDATA% (like there is on Vista). That makes describing the path to the current log file location more of a pain than I'd like.

As well, it occurs to me that there's just as good a reason for having the log file stored in %APPDATA% as "Local Settings\Application Data": since the EFS cert config (and keys) migrate from PC to PC with a user's profile, why shouldn't the log file that details how the EFS cert config has been modified? Plus, it's generally a tiny log file (3-5 KB) so it's hardly going to affect the replication time of a roaming user profile (which is the usual reason to prefer %LOCALAPPDATA% over %APPDATA%).

Source code checked in, #24551

MikeSL — Sun, 30 Nov 2008 03:24:24 GMT

This is the code that was used to build the version 1.2 (released on 2008-11-29). Work items 11732 & 11765 were addressed in this checkin.

New Post: Force EFS to use V2 in stead of V1 cert?

MikeSL — Sun, 30 Nov 2008 03:22:00 GMT

Success - v1.2 has been released, and includes a command-line flag for migrating v1 certs as well. Thanks for your interest and responses.

You can grab either the Release build installer or the Debug build zip file here:
http://www.codeplex.com/EFSCertUpdater/Release/ProjectReleases.aspx

Updated Wiki: Home

MikeSL — Sun, 30 Nov 2008 03:17:14 GMT

(aka "reliable recovery for EFS'd files")

Project Description
One of the most critical outstanding issues with the use of EFS in the enterprise is that the EFS component 'driver' does not automatically start using "better" EFS certificates when they are enrolled. This command-line application wlil help an organization migrate EFS-encrypted content to be encrypted with centrally-enrolled (and ideally key-archival backed) digital certificates suitable for EFS.

Quick Guide

If you'd like to download the latest version of this application, please click here
If you'd like to report a bug or issue to the developers, please click here
If you'd like to ask questions or see previous discussions regarding this application, please click here

News

2008-11-29: version 1.2 has been released! This version brings a command-line parameter (/migrate1) which enables you to migrate from v1 EFS certificates as well as self-signed certificates. There is additional logging, and many small bug fixes.
Version 1.1 was released in fall of 2007 - here.

Documentation

Future Enhancements to EFSCONFIGUPDATE

There are a number of opportunities to extend the functionality for this tool, many of which I've heard from one or another customer as something they'd like to see. Time (and demand) permitting, I'll see about adding a few of these in future versions of this tool. (Your input - through the Issue Tracker - can significantly influence what I invest my time in.)

log significant errors in the Application Event Log
Archive any non-matching EFS certificates
provide multiple ways to identify the specific CA from which desired certificates should have been enrolled
don't just select the first matching certificate but the "best" matching certificate
optional capability to enroll for a matching certificate if no matching certificate is found
possible integration of this tool with the EFS Assistant (which you can find here: )
localization by extracting all non-localized strings into appropriate resource files
additional error & exception handling

Other Free Tools to Help with an EFS Deployment

EFS Assistant: eases the burden of enforcing encryption on sensitive data files, no matter where they're stored on disk
EFSDump: provides access to some metadata about EFS-encrypted files, and may be the only remaining useable tool for Windows Vista since EFSInfo is not supported on Vista

Updated Release: Version 1.2 - cmd line param to migrate V1 certs (Nov 29, 2008)

MikeSL — Sun, 30 Nov 2008 03:11:14 GMT

Based on jeoff's request, this release enables a capability in EFSCertConfigUpdater so that the application can limit the updated EFS certificate to choose from among only those that are enrolled from a "version 2" certificate template. (This has the benefit of enabling the organization to ensure that they have a backup of the active EFS certificate for the user.)

To use this new parameter, you can call it one of two ways:

EFSCertConfigUpdater.exe /migratev1
EFSCertConfigUpdater.exe /m1

(Note: other parameters show up if you use "/?", but these have not been implemented yet.)

I've uploaded two packages, depending on your needs:

EFS Certificate Configuration Installer v1.2.msi, which contains an installer that deploys the Release build of v1.2
EFSCertConfigUpdater v1.2 - Debug.zip, which contains a Debug version of the tool (along with matching debug symbols), in case you have issues and you'd like to report as much detail as possible about the error)

Released: Version 1.2 - cmd line param to migrate V1 certs (Nov 29, 2008)

Sun, 30 Nov 2008 03:11:12 GMT

EFSCertConfigUpdater.exe /migratev1
EFSCertConfigUpdater.exe /m1

(Note: other parameters show up if you use "/?", but these have not been implemented yet.)

I've uploaded two packages, depending on your needs:

EFS Certificate Configuration Installer v1.2.msi, which contains an installer that deploys the Release build of v1.2
EFSCertConfigUpdater v1.2 - Debug.zip, which contains a Debug version of the tool (along with matching debug symbols), in case you have issues and you'd like to report as much detail as possible about the error)