(aka "reliable recovery for EFS'd files")


Project Description
One of the most critical outstanding issues with the use of EFS in the enterprise is that the EFS component 'driver' keeps using whatever certificate is recorded as the user's current EFS key (often a self-signed one) and does not automatically start using "better" EFS certificates when they are enrolled. This command-line application will help an organization migrate EFS-encrypted content so that it is encrypted with centrally-enrolled (and ideally key-archival backed) digital certificates suitable for EFS.

Quick Guide

  • If you'd like to download the latest version of this application, please click here
  • If you'd like to report a bug or issue to the developers, please click here
  • If you'd like to ask questions or see previous discussions regarding this application, please click here

News

  • 2008-11-29: version 1.2 has been released! This version brings a command-line parameter (/migrate1) which enables you to migrate from v1 EFS certificates as well as self-signed certificates. There is additional logging, and many small bug fixes.
  • Version 1.1 was released in fall of 2007 - here.

Documentation

Future Enhancements to EFSCONFIGUPDATE

There are a number of opportunities to extend the functionality for this tool, many of which I've heard from one or another customer as something they'd like to see. Time (and demand) permitting, I'll see about adding a few of these in future versions of this tool. (Your input - through the Issue Tracker - can significantly influence what I invest my time in.)
  • log significant errors in the Application Event Log
  • Archive any non-matching EFS certificates
  • provide multiple ways to identify the specific CA from which desired certificates should have been enrolled
  • don't just select the first matching certificate but the "best" matching certificate
  • optional capability to enroll for a matching certificate if no matching certificate is found
  • possible integration of this tool with the EFS Assistant (which you can find here: )
  • localization by extracting all non-localized strings into appropriate resource files
  • additional error & exception handling

Other Free Tools to Help with an EFS Deployment

  • EFS Assistant: eases the burden of enforcing encryption on sensitive data files, no matter where they're stored on disk
  • EFSDump: provides access to some metadata about EFS-encrypted files, and may be the only remaining usable tool for Windows Vista since EFSInfo is not supported on Vista
Last edited Nov 30 2008 at 3:17 AM by MikeSL, version 25
Comments
BryanOR wrote  Oct 19 2007 at 11:58 PM 
Hello everyone,

Want to start off by saying, "Great forum"

It is nice that they finally came out with an EFS management utility, but you're right - the biggest issue with it is that it does not have any kind of certificate management built into it.

In our environment we actually created a login script (.vbs) that not only enabled\verified folder encryption on target locations; we also built into it a user certificate check for the best valid certificate, while updating a status file located within the user's profile and then FTPing or TFTPing the status file to a central location for easy parsing and managing of the encryption status for all users and machines in our environment.

Script logic(simplified):
At login the script runs under user context. It checks the registry to see if the user has run the script on this system before. If not, the script writes some info and exits... This was to address the issue of the 60 sec. default time frame for the user to receive their auto-enrolled CA EFS cert (when logging on to a system for the first time - local profiles). If the user had not received their certificate and we did not exit until then, the EFS service would see that there was no domain CA EFS cert, so it would create the self-signed local EFS cert. So at next logon the script would again look in the registry, see that the user has run the script, and then verify that they had a valid domain-issued EFS cert. If yes, it would then check for running applications like Office, Outlook, etc. and if running would prompt the user to close them before proceeding. It continues by enabling\verifying that the targeted folders (My Documents, Outlook, etc.) are encrypting, and if not it would proceed to enable folder encryption and encrypt all subfolders and files. [Any errors - written to status file]... If performing encryption the script utilizes the UNIX touch.exe utility to capture all modify dates prior to encryption and once complete will reapply all dates (modify dates are not lost).
Now if a user has received a new certificate the script will then (through a best-valid-cert logic) update the reg hash with the new thumbprint and mark in the registry a pending rekey of all encrypted data at next user logon. At next user logon it notifies the user that an update is required to maintain their encrypted files and it will rekey all of their data. Status and old\new thumbprints are captured and written to the status file. Modify dates are again maintained. If need be the script is also utilized at sites to decrypt users' encrypted data for PC migration purposes.

The only dependencies of the script are touch.exe and, of course, capicom.dll.

To verify best valid certificate we enumerate all certificates and select best certificate. Then compare thumbprints. If not using best…update hash and mark for pending rekey at next logon.

Partial logic:
' ** Enumerate all certificates and select best certificate
' (CAPICOM 2.x constants; the My store is opened read-only, so archived certs are not returned)
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_CERT_INFO_ISSUER_SIMPLE_NAME = 1

Set objCertStore = CreateObject("CAPICOM.Store")
objCertStore.Open CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY

' Seed the "best so far" values so the first DateValue comparison below cannot fail on an empty string
txtBestValidTo = DateSerial(1900, 1, 1)
txtBestCertThumbPrint = ""

For Each objCert In objCertStore.Certificates
    txtArchived = objCert.Archived
    txtThumbprint = objCert.Thumbprint
    txtValidFrom = objCert.ValidFromDate
    txtValidTo = objCert.ValidToDate
    txtIssueingCA = objCert.GetInfo(CAPICOM_CERT_INFO_ISSUER_SIMPLE_NAME)
    txtTemplateName = objCert.Template.Name
    txtHasPrivateKey = objCert.HasPrivateKey
    txtValid = objCert.IsValid.Result   ' result of the chain validity check
    ' """""""""""""""""""""""""""""""""""""""""""""""""""
    ' ** Select Best Certificate: not archived, currently valid, longest remaining validity,
    ' ** issued by our CA from an EFS template, and with a usable private key.
    ' ** "IssuingCAName" is a placeholder; both sides are upper-cased so the match is case-insensitive.
    If (txtArchived = False) And (DateValue(txtValidFrom) <= Now()) And _
       (DateValue(txtValidTo) > DateValue(txtBestValidTo)) And _
       (InStr(UCase(txtIssueingCA), UCase("IssuingCAName")) > 0) And _
       (InStr(UCase(txtTemplateName), "EFS") > 0) And _
       (txtHasPrivateKey = True) And _
       (txtValid = True) Then

        txtBestValidTo = txtValidTo
        txtBestCertThumbPrint = txtThumbprint
    End If
Next
All credit for this script goes to our script god "Chuck D"

Since I have taken over the script I have only needed to add a few checks and balances for the capicom.dll and to include enabling the users' desktop folder for encryption---very tricky
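
The best-valid-certificate selection described in the comment above, together with the current-key comparison that is the reason EFSCONFIGUPDATE exists (the EFS driver keeps using whatever certificate hash is recorded as the user's current key), as an added PowerShell example. This is not code from this page, from the script the comment describes, or from EFSCONFIGUPDATE. It assumes a placeholder issuing CA name ("Contoso Issuing CA") and that the user's current EFS key is recorded as the SHA-1 certificate hash in HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash, which is the "reg hash" the comment refers to.

```powershell
# Added example, not code from this page, from the comment's script, or from EFSCONFIGUPDATE.
# Picks the "best" CA-issued EFS certificate in the user's personal store, compares it with
# the key EFS is currently using, and optionally switches EFS to it and re-keys files.
# Assumptions: the issuing CA name below, and that EFS records its current key as the SHA-1
# certificate hash in the CurrentKeys\CertificateHash registry value.

$EfsEkuOid     = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage
$EfsKeyRegPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$EfsKeyValue   = 'CertificateHash'
$IssuingCaName = 'Contoso Issuing CA'        # assumption: substring of the expected issuer DN

function Test-EfsEku {
    # True when the certificate carries the EFS EKU (self-signed EFS certs carry it too).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { return $true }
            }
        }
    }
    return $false
}

function Get-BestEfsCertificate {
    # Same rule as the comment's VBScript: not archived (the Cert: provider does not list
    # archived certificates), currently valid, has a private key, issued by the expected CA,
    # EFS-capable; among those, prefer the longest remaining validity.
    param([string]$IssuerName)
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            $_.Issuer -ne $_.Subject -and          # drop self-signed EFS certificates
            $_.Issuer -like "*$IssuerName*" -and
            (Test-EfsEku -Cert $_)
        } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

function Get-CurrentEfsKeyThumbprint {
    # The REG_BINARY hash EFS records is the SHA-1 certificate hash, i.e. the thumbprint bytes.
    $item = Get-ItemProperty -Path $EfsKeyRegPath -Name $EfsKeyValue -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    ([byte[]]$item.$EfsKeyValue | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Update-EfsCurrentKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$IssuerName = $IssuingCaName)

    $best    = Get-BestEfsCertificate -IssuerName $IssuerName
    $current = Get-CurrentEfsKeyThumbprint

    if (-not $best) {
        Write-Warning "No valid CA-issued EFS certificate from '$IssuerName' found; leaving EFS unchanged."
        return
    }
    if ($best.Thumbprint -eq $current) {
        Write-Output "EFS already uses the best certificate ($current)."
        return
    }
    Write-Output "EFS uses $current; best available is $($best.Thumbprint) (valid to $($best.NotAfter))."
    if ($PSCmdlet.ShouldProcess('EFS current key', "switch to $($best.Thumbprint) and re-key files")) {
        # GetCertHash() returns the SHA-1 hash bytes, the same value shown as the thumbprint.
        Set-ItemProperty -Path $EfsKeyRegPath -Name $EfsKeyValue -Value $best.GetCertHash() -Type Binary
        # cipher /u rewrites every encrypted file on local drives to the current key; files held
        # open by running applications are skipped, hence the comment's "close Outlook first" step.
        cipher.exe /u
    }
}

# Report only; drop -WhatIf to actually switch the key and re-key files as the logged-on user.
Update-EfsCurrentKey -WhatIf
```

The comment's script records the pending rekey in the registry and performs it at the next logon after asking the user to close Outlook and other applications; this example re-keys immediately, so run it when no encrypted files are open. A certificate this selects is only as recoverable as the key archival behind it, which is why the project description wants centrally-enrolled, key-archival backed certificates rather than just any CA-issued one.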
