Darren,

EFS in Windows 2000 and Windows XP will go some way to meet your needs. You can designate recovery agents who have the ability to decrypt data that someone else encrypted. It is meant as a fail-safe mechanism in case a user forgets their password and it has to be reset (which causes certificates and protected secrets in their profile to become inaccessible), or in case a user account is deleted. You could assign a forensic examiner as a recovery agent.

I say it goes some way to meet your needs as the certificate and private key created by the EFS standalone CA, or by the Enterprise CA in use (e.g. Certificate Services), is stored in the user's profile and I am not aware of any means to move it onto, say, a smart card and use that for two-factor authentication. To really get the full benefit of EFS you need to use an Enterprise CA. At that point I would advise you just to use Smart Card logons. That should address your two-factor concerns somewhat.

I wrote some articles for Security Administrator some time ago on EFS and Microsoft's Certificate Services. They may be available for anyone to read at www.secadministrator.com, otherwise I am afraid you will have to take out a subscription to get to them.

Hope this helps,

John Howie CISSP MCSE
President, Security Toolkit LLC

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
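As an added example (not part of John's post), the check an examiner would want before relying on a recovery agent: walk a tree, find files carrying the EFS Encrypted attribute, and ask cipher.exe /c (Windows Vista and later; older systems shipped efsinfo.exe instead) whether a recovery certificate is listed for each one. The section headings matched below ("Recovery Certificates:", "Certificate thumbprint") are assumed from typical cipher output, and $Root is a hypothetical starting path.

```powershell
# Added example: audit which EFS-encrypted files under $Root are covered by a
# data recovery agent. Files encrypted before the agent was added to policy keep
# their old recovery field until they are rewritten, so coverage must be verified.
param([string]$Root = $env:USERPROFILE)   # assumed starting path

function Get-EfsRecoveryStatus {
    param([string]$Path)
    # cipher /c prints a block per file; "Recovery Certificates:" is assumed to
    # head the list of agents that can decrypt it, one agent name per line.
    $out = & cipher.exe /c $Path 2>&1
    $agents = @()
    $inAgents = $false
    foreach ($line in $out) {
        if ($line -match '^\s*Recovery Certificates:') { $inAgents = $true; continue }
        if ($inAgents) {
            # A blank line or the next "Heading:" line ends the agent section.
            if ($line -match '^\s*$' -or $line -match '^\s*\S.*:\s*$') { $inAgents = $false; continue }
            if ($line -notmatch 'thumbprint') { $agents += $line.Trim() }
        }
    }
    [pscustomobject]@{
        File             = $Path
        HasRecoveryAgent = ($agents.Count -gt 0)
        Agents           = ($agents -join '; ')
    }
}

# The Encrypted attribute is set by EFS on every encrypted file and directory.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

$report = @($encrypted | ForEach-Object { Get-EfsRecoveryStatus $_.FullName })
$report | Format-Table -AutoSize

# Uncovered files can be rewritten with the current agent key using "cipher /u"
# once the recovery policy is in place; the warning below only reports them.
$missing = @($report | Where-Object { -not $_.HasRecoveryAgent })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} encrypted file(s) list no recovery agent; run cipher /u after fixing policy." -f $missing.Count)
}
```

Run it from an account that can read the profile being examined; cipher /c does not need the file's decryption key to report who holds one.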
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 03:17:42 PST