Using Group Policy, Active Directory provides a mechanism to centrally configure one or more data recovery agents. These DRAs have the ability to recover user files should data recovery be necessary. EFS provides built-in data recovery by enforcing a recovery policy requirement. The requirement is that a recovery policy must be in place before users can encrypt files. The recovery policy is a type of public key policy that provides for one or more user accounts to be designated as a DRA.
A default recovery policy is automatically put in place when the administrator logs on to the system for the first time, making the administrator the recovery agent.
The default recovery policy is configured locally for standalone computers. For computers that are part of an Active Directory-based domain, the recovery policy is configured at the domain, organizational unit (OU), or individual computer level, and applies to all Windows and Windows XP-based computers within the defined scope of influence.
In a network environment, the domain administrator controls how EFS is implemented in the recovery policy for all users and computers in the scope of influence. In a default Windows or Windows XP installation, when the first domain controller is set up, the domain administrator is the specified recovery agent for the domain.
The way the domain administrator configures the recovery policy determines how EFS is implemented for users on their local machines. To change the recovery policy for the domain, the domain administrator logs on to the first domain controller. Three kinds of recovery policy are possible:

Recovery agent policy. When an administrator adds one or more recovery agents, a recovery-agent policy is in effect. These agents are responsible for recovering any encrypted data within their scope of administration. This is the most common type of recovery policy.

Empty recovery policy. When an administrator deletes all recovery agents and their public-key certificates, an empty recovery policy is in effect. An empty recovery policy means that no recovery agent exists, and if the client operating system is Windows , EFS is disabled altogether.

No recovery policy. When an administrator deletes the private keys associated with a given recovery policy, a no-recovery policy is in effect. Because no private key is available, there is no way to use a recovery agent and recovery will not be possible. This would be useful for organizations with a mixed environment of Windows and Windows XP clients where no data recovery is desired.
Although the domain administrator is the default DRA in an Active Directory environment, this capability can be delegated or assigned to one or more users. This is discussed in greater detail later in this article.
This effectively prevents previous offline attacks against the administrator account. Therefore, a DRA must be created manually by a user and installed. To manually create a DRA, use the cipher.exe command-line utility. This command generates filename.PFX (the private key, for data recovery) and filename.CER (the public certificate, for use in the policy).
The certificate is generated in memory and deleted when the files are generated. Once the keys have been generated, the certificate should be imported into the local policy and the private key stored in a secure location. Support for the use of groups on encrypted files is not provided in either Windows or Windows XP, and neither supports multiple users on folders. The use of EFS file sharing in Windows XP provides another opportunity for data recovery by adding additional users to an encrypted file.
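The DRA creation step above, scripted in PowerShell as an added example (not code from the article or from Microsoft). It assumes cipher.exe's /R switch, which writes the .PFX/.CER pair described in the text; the directory paths are placeholders, and the secure location for the .PFX is left to the reader's own procedure.

```powershell
# Added example: generate a data recovery agent certificate with cipher.exe and
# route its two outputs to their different destinations.
# Assumptions (not from the article): cipher.exe /R:<basename> creates <basename>.cer
# and <basename>.pfx in the current directory; all paths below are placeholders.
$outDir      = 'C:\EFSRecovery'      # placeholder working directory
$baseName    = 'dra-example'         # placeholder base name for the key pair
$secureVault = 'E:\OfflineVault'     # placeholder: removable/offline media for the .PFX

New-Item -ItemType Directory -Path $outDir, $secureVault -Force | Out-Null

# cipher /R prompts interactively for the password that protects the .PFX file.
Push-Location $outDir
try {
    & cipher.exe "/R:$baseName"
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}

$cer = Join-Path $outDir "$baseName.cer"   # public certificate: imported into the recovery policy
$pfx = Join-Path $outDir "$baseName.pfx"   # private key: must leave the machine for safe storage
foreach ($f in $cer, $pfx) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Expected output $f was not created" }
}

# Record the thumbprint so the agent that later appears in policy can be matched to this file.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
"DRA certificate subject   : {0}" -f $cert.Subject
"DRA certificate thumbprint: {0}" -f $cert.Thumbprint
"Valid until               : {0}" -f $cert.NotAfter

# Move the private key off the workstation; only the .CER stays behind for import into policy.
Move-Item -LiteralPath $pfx -Destination $secureVault -Force
"Private key moved to $secureVault; import $cer via the recovery policy."
```

The thumbprint printed here is what an administrator later compares against the agent entry shown in the recovery policy, which is the check that the certificate in policy is the one whose private key was actually archived.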
Although the use of additional users cannot be enforced through policy or other means, it is a useful and easy method for enabling recovery of encrypted files by multiple users without actually using groups, and without sharing private keys between users. Once a file has been initially encrypted, file sharing is enabled through a new button in the UI. A file must be encrypted first and then saved before additional users may be added.
After selecting the Advanced Properties of an encrypted file, a user may be added by selecting the Details button. Individual users may add other users (not groups) from the local machine or from Active Directory, provided the user has a valid certificate for EFS. Note: A file cannot be both compressed and encrypted, as those are mutually exclusive attributes. If this is the first time this file or folder has been encrypted, a dialog box will appear asking if you would like to encrypt the file only or the folder.
Select the appropriate choice and click OK. This will return you to the original dialog box. Note: The file is not encrypted until you click OK.
Also, additional users may not be added until the file has been encrypted by the first user. Click OK to encrypt the file. Open the file properties again through the Advanced properties button and then select the Details button to add additional users. Once the Details dialog box is open, the add user option will be displayed.
Note: Additional information is available in the Encryption Details dialog box which may be useful for troubleshooting purposes. It will also allow new users to be added from the Active Directory by clicking the Find User button. Click the Find User button to find new users as shown in Figure 4 below. A dialog box will display users that hold valid EFS certificates in the Active Directory based on your search criteria.
If no valid certificate is found for the given user, the dialog box shown below in Figure 5 will be displayed. If valid certificates exist in the userCertificate attribute of the user object in the directory, they will be displayed in the certificate selection dialog box shown below in Figure 6.
For performance reasons, users that hold a private key are not checked for revocation. However, certificates that do not contain a CDP (CRL Distribution Point) extension, such as those from some third-party CAs, will not be validated for revocation status. If the revocation status check on a certificate fails, the messages shown in Figure 7 below will be displayed and the certificate will not be used.
If the revocation status check and chain building complete successfully, the user will be added to the dialog box and the file updated as shown in Figure 8 below. Click OK to register the change and continue. Note: Any user that can decrypt a file can also remove other users, provided the user doing the decrypting also has write permission. This limits the number of individual entries for file sharing that may be added.
On average, a maximum of individual users may be added to an encrypted file. You can select a user certificate and view the certificate for information to make your administrative decision. To view a certificate, as shown in Figure 6 above, complete the following steps.
Because of the unique nature of encrypted files, different results can occur when moving or copying encrypted files between locations. For example, when copying an encrypted file from a local machine to a server on the network, different results of the copy operation will occur depending on the operating system being used on the server. In general, copying a file will inherit the EFS properties of the target, but a move operation will not inherit the EFS properties of the target folder.
The use of an alternate or more descriptive error message would cause many applications to fail or behave erratically. The Windows XP Professional client contains some enhancements in the area of copying encrypted files.
Both the shell interface and the command line now support an option to allow or disallow file decryption. When an encrypted file is copied to a target location that does not allow remote encryption, the user will be prompted with a dialog box that allows a choice of whether or not to decrypt the file.
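An added PowerShell example (not from the article) that makes the copy-versus-move rule above observable on a local NTFS volume: a plaintext file copied into a folder marked for encryption picks up the target's EFS property, while the same file moved on the same volume keeps its own state. It assumes an NTFS volume, that EFS is permitted for the current user (a recovery policy is in place), and placeholder paths under the user's temp directory.

```powershell
# Added example: observe how copy vs. move treat the EFS property of the target folder.
# Assumes NTFS and that the current user may encrypt; paths are placeholders.
$root  = Join-Path $env:TEMP 'efs-demo'
$plain = Join-Path $root 'plain'       # ordinary folder
$enc   = Join-Path $root 'encrypted'   # folder marked for encryption
New-Item -ItemType Directory -Path $plain, $enc -Force | Out-Null

# Mark the target folder encrypted so files created inside it inherit the attribute.
& cipher.exe /E $enc | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not mark $enc for encryption (exit $LASTEXITCODE)" }

function Test-Encrypted([string]$Path) {
    # The Encrypted flag in the file attributes is the authoritative indicator.
    [bool]((Get-Item -LiteralPath $Path -Force).Attributes -band [IO.FileAttributes]::Encrypted)
}

# Constructed plaintext sources, one for each operation.
$srcCopy = Join-Path $plain 'report-to-copy.txt'
$srcMove = Join-Path $plain 'report-to-move.txt'
Set-Content -LiteralPath $srcCopy -Value 'constructed sample content'
Set-Content -LiteralPath $srcMove -Value 'constructed sample content'

# 1. Copy into the encrypted folder: a new file is created there, so it inherits encryption.
$dstCopy = Join-Path $enc 'report-copied.txt'
Copy-Item -LiteralPath $srcCopy -Destination $dstCopy

# 2. Move within the same volume: the existing file is renamed, so it keeps its own state.
$dstMove = Join-Path $enc 'report-moved.txt'
Move-Item -LiteralPath $srcMove -Destination $dstMove

[pscustomobject]@{ Operation = 'copy'; Path = $dstCopy; Encrypted = Test-Encrypted $dstCopy }
[pscustomobject]@{ Operation = 'move'; Path = $dstMove; Encrypted = Test-Encrypted $dstMove }
```

Expect Encrypted to be True for the copied file and False for the moved one. A move across volumes is implemented as copy-and-delete, so in that case the result matches the copy row, which is why the text's rule is stated for the target folder rather than for the verb used.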
When a file has been encrypted for multiple users, an application must call a specific API to ensure that the encryption data certificates for the additional users are not lost when the file is opened, modified and saved in its native file format. Native documents opened with Microsoft Office XP will retain the multi-user EFS status, while other applications may remove the additional users that were added to the file. Once a certificate has been used for EFS, it will be cached on the local machine.
This eliminates the need for looking up users in Active Directory every time a new user is added to an encrypted file. Certificates that are part of a certificate chain, and self-signed certificates, can be used and cached. Once a certificate is added to the Trusted People store, no certificate status checking will be performed with the exception of time validity. This enhances the performance of local encryption on the machine.
Some of the most common procedures in relation to EFS and data recovery are outlined in the following sections. It is possible that an organization may implement a data recovery policy initially, and at a later date choose to remove or eliminate that recovery policy.
When a recovery policy has been removed from a domain, no new files may be encrypted after the group policy on those machines has been updated. Users will still be able to open existing encrypted files, but they will not be able to update or re-encrypt those files. Existing encrypted files will not be decrypted until they are accessed and updated by a user that has a private key to decrypt those files.
Some organizations may find it useful to see if users are using EFS on machines in the domain. Although there is no way to determine if EFS is being currently used, several registry keys may be examined to determine if EFS has ever been used by the user on the machine.
If the machine is a Windows machine, the following registry key can be examined to see if a certificate hash exists. Important: Before changing the recovery policy in any way, you should first back up the recovery keys to a floppy disk. Note: You must be logged on as an administrator of the domain or as a user that has rights to update group policies in the domain or OU selected. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.
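An added PowerShell example (not from the article) of the "has EFS ever been used here" check, read-only so it can be run before a recovery policy is changed. The registry location and value name it reads, CertificateHash under HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys, are an assumption taken from Microsoft documentation rather than from this page; it also uses cipher /U /N to list currently encrypted files without re-keying them.

```powershell
# Added example: audit EFS use for the current user without changing anything.
# Assumption (not stated on the page): the per-user certificate hash is stored at
#   HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys, value CertificateHash (REG_BINARY).
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

function Get-EfsUsageEvidence {
    $evidence = [ordered]@{ CertificateHashPresent = $false; CertificateHash = $null }
    $item = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties['CertificateHash']) {
        $evidence.CertificateHashPresent = $true
        # Render the binary value as hex so it can be compared with certificate thumbprints.
        $evidence.CertificateHash = ($item.CertificateHash | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    [pscustomobject]$evidence
}

function Get-EncryptedFiles {
    param([string]$Under = $env:USERPROFILE)
    # cipher /U touches every encrypted file the user can reach; /N turns that into a
    # listing only (no key update). The output is filtered here to full paths under $Under.
    & cipher.exe /U /N 2>$null | ForEach-Object {
        if ($_ -match '^\s*(?<file>[A-Za-z]:\\.+?)\s*$') { $Matches.file }
    } | Where-Object { $_ -like "$Under*" }
}

# Run both checks; the first answers "has this user ever encrypted anything on this machine",
# the second answers "what is encrypted right now".
Get-EfsUsageEvidence
Get-EncryptedFiles
```

A present CertificateHash with an empty file listing is the case the text describes: EFS was used at some point, but nothing is currently encrypted, so the user's key material still matters for any backups or archived copies of old files.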
In the case of local machines that are not members of a domain, local policy is not available for disabling EFS. However, a different registry key may be set to disable EFS. Data recovery is performed in the same manner as file encryption; the only difference is that data recovery implies that a person other than the original user is decrypting the files. Since every file has at least one user and one DRA who can decrypt it, no special process is required to recover a file that has been encrypted by another user.
To recover a file for a user who has left the organization, has lost their private keys, has corrupted private keys, and so on, the DRA simply opens the files. The files, once opened, will be in clear form and can be saved in a non-encrypted format. A DRA may also remove encryption without first opening the files by selecting the files in question, opening the file properties, choosing the Advanced button, and clearing the Encrypt contents to secure data checkbox.
After clicking OK and closing the file properties, the file will be decrypted, assuming that the logged-on user is the DRA and has the DRA private key loaded into his or her profile at that time.
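The DRA recovery procedure above, scripted as an added PowerShell example (not code from the article). It assumes the same precondition the text states, that the DRA certificate and private key are loaded in the logged-on user's profile, and uses cipher /D to remove encryption in place, then verifies the attribute actually cleared so a failed unwrap is not mistaken for success. The file paths are constructed placeholders.

```powershell
# Added example: DRA-side recovery of files left behind by a departed user.
# Assumes the DRA key pair is loaded in the current profile and the files are on local NTFS.
function Test-Encrypted([string]$Path) {
    [bool]((Get-Item -LiteralPath $Path -Force).Attributes -band [IO.FileAttributes]::Encrypted)
}

function Invoke-DraRecovery {
    param([Parameter(Mandatory = $true)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Result = 'missing' }; continue
        }
        if (-not (Test-Encrypted $p)) {
            [pscustomobject]@{ Path = $p; Result = 'already clear' }; continue
        }
        # cipher /D decrypts in place. It succeeds only if the caller holds a key that
        # can decrypt the file: the owner's key, a key added through EFS file sharing, or the DRA key.
        & cipher.exe /D $p 2>&1 | Out-Null
        # Trust the attribute, not just the exit code: the file must really be clear now.
        $ok = ($LASTEXITCODE -eq 0) -and -not (Test-Encrypted $p)
        [pscustomobject]@{
            Path   = $p
            Result = $(if ($ok) { 'decrypted' } else { 'failed: no usable key in this profile?' })
        }
    }
}

# Constructed placeholder list; replace with the departed user's actual files.
$departedUserFiles = @(
    'C:\Users\departed\Documents\budget.xlsx',
    'C:\Users\departed\Documents\notes.txt'
)
Invoke-DraRecovery -Path $departedUserFiles | Format-Table -AutoSize
```

Running this from a profile that does not contain the DRA private key is the quickest way to see the "no recovery policy" case from earlier in the article: every row comes back failed, because nothing on the machine can unwrap the files.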
I have put below a good article that I found on the differences between XP Home Edition and XP Professional for those of you who have asked.
This will give you insight into whether it will affect your SolidWorks experience and which one is the right choice for you.

Power user

Remote Desktop - All versions of Windows XP--including Home Edition--support Remote Assistance, which is an assisted support technology that allows a help desk or system administrator to remotely connect to a client desktop for troubleshooting purposes.
But only Pro supports the new Remote Desktop feature, which is a single-session version of Terminal Services with two obvious uses: mobile professionals who need to remotely access their corporate desktop, and remote administration of clients on a network. In Pro, ASR will help recover a system from a catastrophic error, such as one that renders the system unbootable. ASR-enabled backups are triggerable from XP Setup, allowing you to return your system to its previous state, even if the hard drive dies and has to be replaced.
In any event, while there is a Backup utility available for Home Edition, you cannot use ASR, even though mentions of this feature still exist in the UI.
But it's better than no Backup at all, which was the original plan. EFS-protected files and folders allow users to protect sensitive documents from other users. File-level access control - Any user with Administrator privileges can limit access to certain network resources, such as servers, directories, and files, using access control lists.
Only Windows XP Professional supports file-level access control, mostly because this feature is typically implemented through Group Policy Objects, which are also not available in Home Edition. For obvious reasons, the Domain Wizard is also missing in Home Edition. Group Policy - Since Home Edition cannot be used to log on to an Active Directory domain, Group Policy--whereby applications, network resources, and operating systems are administered for domain users--is not supported either.
IntelliMirror - Microsoft lumps a wide range of semi-related change and configuration management technologies under the IntelliMirror umbrella, and none of these features are supported in the consumer oriented Home Edition.