
My boss wants to set up encrypted file shares using EFS on Windows Server 2012 R2 Boxes accessed by Windows 8.1 clients. I've been able to set the default DRA, issue certificates in test cases and so forth. So, EFS works. However, he also wants the user to be prompted for their certificate password (the password generated when you first create the certificate) when:

  1. The user first logs in/accesses an encrypted file
  2. After a periodic time out when they go to access the file.
  3. If the user locks their screen.

I've configured a group policy to clear the cache every 240 minutes and when they lock their screen. I've also set the local machine registry and domain GP to require strong protection of private keys. However, it doesn't really seem to do what he's looking for. Is what he wants possible without using a second form of authentication (smart card, etc.)? If so, where am I messing up?

HopelessN00b

1 Answer


It is not possible via built-in mechanisms.

A bit of theory: private key strong protection prompts for input only when private key material is accessed.

A bit of practice: when you encrypt/decrypt files on a remote share, a remote certificate is used to perform these operations. That is, EFS loads the user profile on the server hosting the file share, loads the certificate and performs the actions (encrypt and decrypt). The dialog prompt will be displayed on the remote server; it will never be shown to you, and no one will be able to type the password there.

Crypt32
  • I had read that as well, but wasn't sure. Thanks for clarifying and confirming. His fallback plan is to have two accounts - one, let's call it account.enc, and one called account.clear. Account.clear is the user's day-to-day account. Account.enc is the encryption account. He wants to encrypt files using account.enc on the shared drive, then use the separate account.clear to mount the drive. He believes that this will provide "two layers of protection" in case account.clear gets compromised. I'm not sure that my understanding of EFS would allow this. Do you have any thoughts? – Brian McElraft Oct 30 '14 at 21:14
  • What is your boss's final goal? – Crypt32 Oct 30 '14 at 21:19
  • To "prevent sensitive information being accessed if someone's account is compromised." He basically wants a secondary layer of authentication. – Brian McElraft Oct 31 '14 at 18:05
  • What would you do if the "secure" account is compromised? Account separation is not the answer for you. Instead, you should consider securing the authentication mechanisms, combined with 3rd-party encryption. I would go with 2-factor authentication (smart cards) and a 3rd-party encryption tool (OpenPGP, just as an example), storing the encryption keys on the smart card. – Crypt32 Oct 31 '14 at 18:26
  • I don't disagree. But the boss says there's no funding for smart cards. Anyways, thanks for the help. Marking as answered. – Brian McElraft Nov 04 '14 at 15:29
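To see the answer's point for yourself, the following PowerShell audit (an added example, not code from the question or the answer) reads the strong-key-protection policy value the question enabled, lists the EFS certificates in the local user store, and asks the share which certificate a file is actually wrapped to. The share path is a placeholder; the `ForceKeyProtection` value and the EFS EKU OID are the standard Windows ones.

```powershell
# Added example: audit EFS key-protection settings from a Windows 8.1 client.
# $SharePath is a placeholder, not a path from the original question.
$SharePath = '\\FILESERVER\SecureShare\example.docx'

# 1. "System cryptography: Force strong key protection for user keys stored on the computer"
#    0 = no prompt, 1 = prompt the first time the key is used, 2 = password on every use.
#    Note: this is the CLIENT's policy; for files on a share the server's copy of the key is used.
$cryptoPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$keyProt = Get-ItemProperty -Path $cryptoPolicy -Name 'ForceKeyProtection' -ErrorAction SilentlyContinue
if ($keyProt) {
    "ForceKeyProtection (local) = $($keyProt.ForceKeyProtection)"
} else {
    "ForceKeyProtection is not set on this machine"
}

# 2. EFS certificates in the local user store (EKU 1.3.6.1.4.1.311.10.3.4 = Encrypting File System).
#    Roaming profiles aside, the server loads its own copy of the profile, so the key that
#    decrypts a file on the share is the one in THAT profile, not necessarily this one.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey

# 3. Which certificate(s) the file on the share is wrapped to, as reported by cipher.exe.
#    Comparing the thumbprints here with step 2 shows whether the local key even matters.
if (Test-Path $SharePath) {
    cipher.exe /c $SharePath
} else {
    "Share path not reachable: $SharePath"
}
```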