Basic EFS certificates being issued without permission/knowledge
I noticed several AD 2008 R2 users with Basic EFS certificates, and sometimes encrypted files (for some users) appear on the shared folders on the network.
I checked the permissions of the Basic EFS template and they are the defaults: Authenticated Users with Read only, admin users with Read/Enroll.
Why do so many users have Basic EFS certificates issued from my internal Enterprise CA (Server Standard)?
Temporarily I deleted the template, but how could users enroll without permissions? I'm sure most of the users never used the encryption screen in a file's properties to check the Encrypt checkbox.
Most users are regular users.
September 1st, 2011 4:03pm
Hello,
your question is not related to Directory Services. Please ask in the Security forum: http://social.technet.microsoft.com/Forums/fr-FR/winserversecurity/threads
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 1st, 2011 4:18pm
Probably auto-enroll is configured.
http://technet.microsoft.com/en-us/library/cc731522.aspx
http://technet.microsoft.com/en-us/magazine/2006.05.howitworks.aspx
Paul Bergson
MVP - Directory Services
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
September 1st, 2011 7:43pm
1) Auto-enroll is NOT CONFIGURED in the Default Domain Policy, and among the other GPOs applied to the domain, nothing was defined. I think Not Configured is probably Disabled...
2) The Basic EFS template does not have "Autoenroll", only the "Enroll" security action, and ONLY Authenticated Users have ONLY Read, not Enroll.
It looks like everything is OK, but I'll try to change NOT CONFIGURED to DISABLED to see if it makes any difference.
September 1st, 2011 7:56pm
Hi,
Please check whether those are certificate-server-generated certificates or self-signed certificates. Without a CA server, users can also encrypt data using self-signed certificates.
http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htm
September 1st, 2011 9:11pm
They are Enterprise CA certificates; I checked using the serial number and the Issued Certificates screen.
Besides that, the certificates have a 1-2 year validity, and self-signed ones would have a 99-100 year validity, and that's not the case.
Today I found a user who encrypted some files (directly on the file server via the share, or by copying files through the network).
September 1st, 2011 11:37pm
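The thread leaves the audit steps implicit, so here is an added example (not code from any of the posters) that checks the three things discussed above from a CA admin workstation: which certificates the Enterprise CA actually issued from the Basic EFS template (internal template name "EFS"), who holds Enroll or Autoenroll on that template in the Configuration partition, and whether the autoenrollment policy is set, disabled or absent in the registry. One fact worth keeping in mind when reading the output: EFS performs an on-demand enrollment against an available Enterprise CA the first time a user encrypts a file (falling back to a self-signed certificate only when no CA will issue), so the Enroll right on the template is enough; the autoenrollment GPO is not required for these certificates to appear. The CA config string and the share path are assumptions for illustration; replace them with your own. The extended-rights GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment are the well-known AD schema values.

```powershell
# Added example, not from the original thread. Assumes RSAT (ActiveDirectory
# module, certutil) on a domain-joined machine, run as a CA administrator.
$CaConfig = 'CA01.corp.example\Corp-Issuing-CA'   # assumed; certutil -config - -ping lists CAs

# 1. Every certificate this CA issued from the Basic EFS template, with the
#    requester, validity window and serial number (matches the "Issued
#    Certificates" MMC view mentioned in the thread).
$columns = 'RequestID,RequesterName,CommonName,NotBefore,NotAfter,SerialNumber'
certutil -config $CaConfig -view -restrict 'CertificateTemplate=EFS' -out $columns

# 2. Who holds Enroll / Autoenroll on the template object in AD?
Import-Module ActiveDirectory
$configNC   = (Get-ADRootDSE).configurationNamingContext
$tmplDN     = "CN=EFS,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoenroll = [guid]'a9d1ca15-768e-11d2-a9ac-00c04f79dc55'   # Certificate-AutoEnrollment

(Get-Acl -Path "AD:\$tmplDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $enroll -or $_.ObjectType -eq $autoenroll -or
         $_.ActiveDirectoryRights -match 'GenericAll')   # GenericAll implies both
    } |
    Select-Object IdentityReference, @{
        Name       = 'Right'
        Expression = {
            switch ($_.ObjectType) {
                $enroll     { 'Enroll' }
                $autoenroll { 'AutoEnroll' }
                default     { $_.ActiveDirectoryRights }
            }
        }
    }

# 3. Autoenrollment policy as applied to this machine (HKLM) and user (HKCU).
#    AEPolicy: 0x8000 = disabled; bits 0x1/0x2/0x4 = enroll+renew, manage
#    pending requests, update templates. No value = policy Not Configured.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val)           { "$hive AEPolicy: not configured" }
    elseif ($val -band 0x8000)    { "$hive AEPolicy: disabled (0x{0:X})" -f $val }
    else                          { "$hive AEPolicy: enabled (0x{0:X})" -f $val }
}

# 4. Which files on the share are encrypted, and which user certificates can
#    open them (cipher /c prints the certificate thumbprint per file).
cipher /c /s:D:\Shares\Finance   # assumed share path
```

Read step 1 against step 2: if RequesterName shows ordinary domain accounts, some principal containing those users (Domain Users, Authenticated Users, or a group granted GenericAll) holds Enroll on the template, whatever the MMC summary tab suggests, because the CA will not issue without it. Step 4 is the practical follow-up for the encrypted files on the share: it tells you which certificate (and therefore which user) must be present to decrypt them, which matters before the template or any of those certificates is removed.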