EFS encrypted files continue to be readable after resetting account's password

Discussion in 'encryption problems' started by Majid Salsal, Dec 28, 2016.

  1. Majid Salsal (Registered Member; joined Dec 28, 2016; 3 posts; location: UAE)
    Hi,

    I am using the EFS encryption mechanism of Windows 8.1 to protect some of my scripts and executable files that are used behind the scenes by the operating system. They were secured under the native Administrator account. There was another limited account which was prohibited from accessing those files. This limited account is literally the sole means of accessing the system in different workstations, so it is important to make sure of blocking ALL of the potential ways to bypass the security mechanisms and steal those files.

    The problem surfaced after I needed to create another administrator account for doing some privileged tasks. Surprisingly, when I reset the 'Administrator' account using the Windows Management Console, the files are still accessible when you enter that account via the new password! I thought it might be a result of a DRA (EFS data recovery agent) being enabled inadvertently, but I checked the GPO and saw nothing there about a DRA.

    Another thing that I checked for was the certificates permitted to access the EFS encrypted files under the Properties dialog box; but, there was just 'Administrator' certificate which is normally added there by Windows.

    Any idea about my problem would be welcome.

    Thanks
     
  2. deBoetie (Registered Member; joined Aug 7, 2013; 1,832 posts; location: UK)
    Off the top of my head, that's exactly the behavior you'd expect if you have only reset the account password - the account's certificate store, including the EFS certificate, will remain untouched; it's not affected by whatever the account password is. Therefore the files encrypted with it will remain "openable". However, they should not be accessible from another account (whether standard or administrator) unless you've exported the certificate to that account's store, or signed the file with multiple certificates.

    By all means clarify if I've not understood.
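    A way to check the two things raised in this thread (which certificates in the account's own store carry the EFS purpose, and which user certificates and recovery agents a given file is actually encrypted to) is the following PowerShell snippet. It is an added example, not code from this thread or from Microsoft; the file path is a placeholder you replace with one of your protected files, and `cipher /c` is the built-in Windows tool that prints the "Users who can decrypt" and "Recovery Certificates" lists for an EFS file.

```powershell
# Added example (not part of the thread). Run in the account whose access you are
# auditing (here: the reset 'Administrator' account) to see why a file still opens.
param(
    # Placeholder path, not from the thread: point it at one of the protected files.
    [string]$Path = 'C:\path\to\protected\script.cmd'
)

# 1. Confirm the file really carries the EFS Encrypted attribute; if it does not,
#    "still readable after reset" is simply "never encrypted".
$attrs = (Get-Item -LiteralPath $Path -Force).Attributes
if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
    Write-Warning "$Path is NOT EFS-encrypted (Encrypted attribute not set)."
}

# 2. List certificates in the current user's personal store that have the
#    Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4). A reset password does
#    not remove these; what matters is whether the private key is still usable.
$efsEku = '1.3.6.1.4.1.311.10.3.4'
Write-Host "EFS certificates in Cert:\CurrentUser\My:"
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey |
    Format-Table -AutoSize

# 3. Show which user certificates and which recovery agents (DRA) the file itself
#    is encrypted to. An unexpected entry under "Recovery Certificates" or a second
#    entry under "Users who can decrypt" explains access that GPO alone does not show.
Write-Host "cipher /c output for $Path :"
cipher.exe /c $Path
```

    Compare the thumbprints printed in step 3 with those from step 2: every certificate the file lists should be one you deliberately issued, and the recovery-agent list should be empty if no DRA was ever configured.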
     
  3. Majid Salsal (Registered Member; joined Dec 28, 2016; 3 posts; location: UAE)
    Hi deBoetie,
    As stated in this link "http://superuser.com/questions/767239/accessing-efs-encrypted-files-after-resetting-windows-password", in the ending paragraphs, when you change the password in the normal way (i.e., using the old and new password), you may have access to your files with no problem. The case gets bad when the password is reset by any means, and you normally lose access to the EFS-protected files unless you have had an established DRA before.

    This does not seem to happen in my situation, as the files are still available and readable. :(
     
  4. guest (Guest)

    Go to "Control Panel - User Accounts" and change it from there.
    Click on "Manage another account", and in the UAC dialog use the credentials of your second administrator account. Now click on the administrator account whose password you want to change, in your case 'Administrator'.
    If you now change the password you should see a warning message like: "You are about to change the password. If you continue, you'll lose access to all EFS-encrypted files..."
     
  5. Majid Salsal (Registered Member; joined Dec 28, 2016; 3 posts; location: UAE)
    I think we have stopped at the original point. As I mentioned, I RESET the Administrator's password using my second administrator account, then logged into Windows with the new password. I am still able to access the old encrypted files. There is no established DRA recovery mechanism, and no other user was added as a permitted user to access the files.
    This situation is against the aforementioned rules.
     