Recover EFS Encrypted File in Windows Domain Environment

Encrypted File System

Background Information

EFS can easily be enabled without end users being aware of it. The EFS flag also sticks when a file is sent between Windows systems, even if the domains or networks are completely independent (so if Machine A has EFS on for the entire disk and a user sends a file to Machine B, EFS is still on). Finally, Windows will try to enable EFS at the parent folder level by default when a user enables this feature on a file.

The only redeeming factor for managing EFS is that the DRA (Data Recovery Agent) in a Windows domain environment is, by default, the built-in Domain Administrator. To confirm who the DRA is on a file, you can use cipher.exe (part of the system on Vista/Windows 7/2008, where it replaces efsinfo.exe from previous OS versions) like this:

cipher /c filename.ext

This will list the user and thumbprint for the private cert, as well as the user and thumbprint for the data recovery cert. The good news is that in a domain environment the data recovery cert is, by default (even if the Group Policy is not configured), stored on the Primary Domain Controller and is assigned to the built-in administrator account (i.e. DOMAIN\Administrator).

The second piece of info you need to keep in mind is that you cannot recover a file over the network. You have to have the recovery cert installed in the Private store of the machine hosting the files you are trying to recover.

Step-by-step Recovery:

  1. Run CMD on machine hosting the encrypted file
  2. CD to the directory of the file
  3. Run cipher /c filename to get the DRA user and thumbprint (to confirm)
  4. Remote Desktop to the Primary DC. Important: log in as Administrator (this has to be the built-in domain\administrator account; another domain admin will NOT work)
  5. Open MMC
  6. Add Certificates snap-in for the local user account
  7. Navigate to the Private store tree, you should see a few certs there
  8. Scroll the window to the right and look at the Intent column; you are looking for the cert with “File Recovery” listed under intent. (NOTE: You can look at the thumbprint; it will match the one from step 3)
  9. Right-click and Export the cert (set a password etc., and note the export location…)
  10. Now copy the resulting .PFX to the server hosting the EFS file
  11. Back on the server hosting the EFS file, double-click to import the cert, place it in the Private store

That’s the bulk of it. Using Windows Explorer, you can now navigate to the folder containing the EFS files and do the following:

  1. Take ownership (Right-click – Properties, Security, Advanced, Owner)
  2. Remove EFS check mark (Right-click – Properties, General – Advanced, Encrypt)

NOTE: You can use cipher.exe /s:foldername to recursively list all files and folders for the folder name in question. The output is nothing pretty, though, so you may want to filter it with | find "thumb"
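
Before taking ownership and clearing the EFS check mark, it helps to confirm that the imported recovery cert is the one the files expect and that it arrived with its private key. The PowerShell function below is an added example, not part of the original post; its name, parameters and the sample values are hypothetical, and it assumes PowerShell 3.0 or later and that the .PFX was imported into the current user's store (Cert:\CurrentUser\My).

```powershell
# Added example, not from the original post. Requires PowerShell 3.0 or later.
# Function and parameter names are hypothetical. Run it on the server hosting
# the EFS files, in the session of the user who imported the .PFX.
function Test-EfsRecoveryReadiness {
    param(
        [Parameter(Mandatory = $true)] [string] $Folder,
        # Recovery cert thumbprint only, as printed by: cipher /c filename
        [Parameter(Mandatory = $true)] [string] $RecoveryThumbprint
    )

    # cipher prints the thumbprint in spaced groups; the cert store uses plain hex.
    $wanted = ($RecoveryThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Enhanced key usage OID for "File Recovery".
    $fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

    # Certificates in the current user's store that carry the File Recovery usage.
    $candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $fileRecoveryOid
    })
    $match = $candidates | Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1

    # Files under the folder that still carry the EFS attribute.
    $encrypted = @(Get-ChildItem -LiteralPath $Folder -Recurse -File -Force `
            -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })

    # File Recovery certs present locally that do NOT match the file's DRA.
    $others = @($candidates | Where-Object { $_.Thumbprint -ne $wanted })

    [pscustomobject]@{
        WantedThumbprint   = $wanted
        CertificateFound   = [bool]$match
        # A cert imported without its private key cannot decrypt anything.
        HasPrivateKey      = [bool]($match -and $match.HasPrivateKey)
        Subject            = if ($match) { $match.Subject } else { $null }
        OtherRecoveryCerts = $others.Thumbprint
        EncryptedFileCount = $encrypted.Count
        EncryptedFiles     = $encrypted.FullName
    }
}

# Constructed sample call; the folder and thumbprint are placeholders.
# Test-EfsRecoveryReadiness -Folder 'D:\Data\ToRecover' -RecoveryThumbprint 'AAAA BBBB CCCC ...'
```

If CertificateFound or HasPrivateKey comes back False, repeat the export on the DC and make sure the private key is included in the .PFX.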
