The first order of business was to get an EFS certificate for the machine account. There's probably a fancy way to do this if you have a domain, but I just fired up a SYSTEM command prompt with psexec /s /i cmd.exe. In that prompt, I ran cipher /e /s:folder, with "folder" replaced by the name of the directory containing all the files that needed encryption. That generated an EFS certificate and key for the computer account and then encrypted the directory and its files.
If you're curious, you can examine the machine's certificate store by running certlm.msc. EFS certificates (for all enrolled users) appear under Trusted People. A certificate's thumbprint can be retrieved by opening its properties and looking at the Details tab.
[Figure: EFS certificates in certlm.msc]
Then, I needed to grant some users access to the encrypted data. That's rather simple if you have a domain: cipher /adduser /user:domain\username /s:folder. If you don't, you'll need to retrieve the user's certificate thumbprint, and the command becomes cipher /adduser /certhash:thumbprint /s:folder. If you copy the thumbprint from the certificate management MMC window, you'll need to remove the spaces between the hexadecimal bytes.
Now system services can access encrypted files and selected standard users can touch them too.
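The no-domain path above, scripted as an added example that is not part of the original post: it finds EFS certificates in the machine's Trusted People store, normalizes a thumbprint the way the post describes (spaces stripped), checks that the target folder is actually EFS-encrypted before granting anything, and verifies the result with cipher /c. The folder path, the account name, and the assumption that the user's EFS certificate already sits in Cert:\LocalMachine\TrustedPeople are placeholders; run it from an elevated prompt.

```powershell
# Added example, not code from the original post. Assumptions: $Folder is a
# placeholder path, $TargetUser is a placeholder account name, and the user's EFS
# certificate is already in the machine's Trusted People store (where the post
# says enrolled users' EFS certificates appear).

$Folder     = 'C:\ServiceData'   # placeholder: directory already encrypted with cipher /e
$TargetUser = 'alice'            # placeholder: account that should be able to decrypt

# Enhanced Key Usage OID for Encrypting File System (szOID_KP_EFS).
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Walk the certificate's extensions and look for the EFS OID in the EKU list.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { return $true }
            }
        }
    }
    return $false
}

function ConvertTo-CertHash {
    param([string]$Thumbprint)
    # Thumbprints copied from certlm.msc have spaces between bytes; cipher wants a
    # contiguous hex string. Strip whitespace and require 40 hex digits (SHA-1).
    $hash = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    if ($hash -notmatch '^[0-9A-F]{40}$') {
        throw "Not a SHA-1 thumbprint: '$Thumbprint'"
    }
    return $hash
}

# 1. Refuse to proceed unless the folder really carries the Encrypted attribute;
#    cipher /adduser on a plaintext folder would silently do nothing useful.
$attrs = (Get-Item -LiteralPath $Folder).Attributes
if (($attrs -band [System.IO.FileAttributes]::Encrypted) -eq 0) {
    throw "$Folder is not EFS-encrypted; run 'cipher /e /s:$Folder' as SYSTEM first."
}

# 2. List the EFS certificates in Trusted People (machine account plus enrolled
#    users) and pick the one whose subject names the target user.
$efsCerts = Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPeople' |
    Where-Object { Test-EfsCertificate $_ }
$efsCerts | Format-Table Subject, Thumbprint, NotAfter -AutoSize

$userCert = $efsCerts | Where-Object { $_.Subject -like "*$TargetUser*" } | Select-Object -First 1
if (-not $userCert) { throw "No EFS certificate for '$TargetUser' in Trusted People." }
if ($userCert.NotAfter -lt (Get-Date)) { throw "EFS certificate for '$TargetUser' has expired." }

# 3. Grant access by certificate hash, then check the exit code.
$certHash = ConvertTo-CertHash $userCert.Thumbprint
cipher.exe /adduser /certhash:$certHash /s:$Folder
if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed with exit code $LASTEXITCODE" }

# 4. cipher /c lists, per file, the certificates that can decrypt it; the target
#    user's thumbprint should now appear alongside the machine account's.
cipher.exe /c $Folder
```

Matching the certificate by subject substring is a convenience for a single-machine setup; on a box with several users whose names overlap, compare the full Subject or pin the thumbprint directly instead.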