
Secure certificate storage in AD environment


  • Secure certificate storage in AD environment

    I have the following problem: when a domain administrator changes a user's password in AD, the user's certificates and private keys (which are encrypted with his password) are not reset as they would be in standalone mode (not using AD).

    Actually I need this for EFS; some people in our company do not want system administrators to have the ability to change their domain password and read their encrypted files.

    So is it possible to protect users' certificates (and therefore users' encrypted files) from password changes?


    We are using Windows Server 2008.

  • #2
    Re: Secure certificate storage in AD environment

    Why use EFS then? Its whole purpose is to simplify distribution, administration and recovery.

    You can use self-signed certificates or look into third-party products.



    • #3
      Re: Secure certificate storage in AD environment

      The only way I know is for the key of the local recovery agent or domain recovery agent (whether standalone or in a domain) to be exported and stored in a secure, encrypted way on a memory stick. That memory stick can then be locked in a safe or somewhere else secure. Should files ever need to be unencrypted, you can import the key back to an account, take ownership of the EFS encrypted files and remove the encryption.

      http://support.microsoft.com/kb/241201



      • #4
        Re: Secure certificate storage in AD environment

        Originally posted by dmr:
        > Actually I need this for EFS; some people in our company do not want system administrators to have the ability to change their domain password and read their encrypted files.

        Do these people realise that the data belongs to the company and not the individuals?

        If your policy is right then it should be a default password that is set, and the users should be required to change that password on first logon.

        As for the certificate issue, virtual is correct. The EFS recovery agent is the only method of recovering these files. That is, if you have set it up properly.



        • #5
          Re: Secure certificate storage in AD environment

          Keeping the Recovery Agent secure does not prevent a Domain Admin from changing a user's password, logging in as the user and having access to the EFS files.



          • #6
            Re: Secure certificate storage in AD environment

            It's a good point, Garen. That is something that will need to be audited by the enterprise administrator. I suppose there is always the risk that administrators will abuse their privileges. I tend to only allow my administrators the rights that they need. It is very rare that I make them members of the Domain Admins group or Enterprise Admins; only maybe the IT manager allocated to the company, who would get Domain Admins.

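Post #5 describes the exposure (an administrator resets a user's password, then logs on as that user) and post #6 says it has to be audited. As an added example that is not part of the thread, the script below correlates two Windows Security log events, 4724 (an account's password was reset by another account) and 4624 (successful logon, interactive types only), over constructed sample records; the event IDs and logon types are Windows', while the record field names and the sample data are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Windows Security event IDs (Vista / Server 2008 and later).
PASSWORD_RESET_BY_OTHER = 4724   # "An attempt was made to reset an account's password"
PASSWORD_CHANGE_BY_SELF = 4723   # user changed their own password; benign for this check
LOGON_SUCCESS = 4624
INTERACTIVE_LOGON_TYPES = {2, 10}  # 2 = console, 10 = RemoteInteractive (RDP)

# Constructed sample events, not real log data. For 4723/4724 "subject" is the
# account performing the change and "target" the account changed; for 4624
# "target" is the account that logged on.
SAMPLE_EVENTS = [
    {"time": "2012-03-01T09:00:00", "id": 4724, "subject": "CORP\\admin1", "target": "CORP\\alice"},
    {"time": "2012-03-01T09:04:00", "id": 4624, "target": "CORP\\alice", "logon_type": 2},
    {"time": "2012-03-01T10:00:00", "id": 4723, "subject": "CORP\\bob", "target": "CORP\\bob"},
    {"time": "2012-03-01T10:05:00", "id": 4624, "target": "CORP\\bob", "logon_type": 2},
    {"time": "2012-03-02T08:00:00", "id": 4724, "subject": "CORP\\admin1", "target": "CORP\\carol"},
    {"time": "2012-03-02T08:20:00", "id": 4624, "target": "CORP\\carol", "logon_type": 3},
    {"time": "2012-03-02T15:00:00", "id": 4624, "target": "CORP\\carol", "logon_type": 10},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_reset_then_logon(events, window_hours=1):
    """Return (admin, user, reset_time, logon_time) for every admin-initiated
    password reset that is followed, within window_hours, by an interactive
    logon of the reset account. Self-service changes (4723) and network
    logons (type 3, e.g. file-share access) are ignored. A hit is a lead for
    review, not proof of abuse: a help-desk reset the user asked for looks
    exactly the same, so check it against the change ticket."""
    events = sorted(events, key=_ts)
    window = timedelta(hours=window_hours)
    hits = []
    for reset in events:
        if reset["id"] != PASSWORD_RESET_BY_OTHER or reset["subject"] == reset["target"]:
            continue
        for logon in events:
            if (logon["id"] == LOGON_SUCCESS
                    and logon["target"] == reset["target"]
                    and logon.get("logon_type") in INTERACTIVE_LOGON_TYPES
                    and _ts(reset) <= _ts(logon) <= _ts(reset) + window):
                hits.append((reset["subject"], reset["target"], reset["time"], logon["time"]))
                break  # the first interactive logon after the reset is enough
    return hits


if __name__ == "__main__":
    for admin, user, reset_at, logon_at in find_reset_then_logon(SAMPLE_EVENTS):
        print(f"{admin} reset {user} at {reset_at}; {user} logged on interactively at {logon_at}")
```

Reading the encrypted files themselves leaves no trace in the Security log unless object-access auditing is configured on those files, so the reset-then-logon pair is the earliest signal available by default.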


            • #7
              Re: Secure certificate storage in AD environment

              In the case that an administrator abuses his privileges, then they shouldn't be an administrator in the first place.
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"



              • #8
                Re: Secure certificate storage in AD environment

                I agree with you, Marcel. They should be thrown out of the IT profession. It is the ultimate sin in my eyes, with regards to IT.
