Ask the Expert

Can I create a recovery agent to work on multiple Windows XP PCs?

My organization has 12 users who travel frequently with standalone laptops. They never connect to a domain, and each laptop's software configuration is different. However, they all use Windows XP Pro as the OS. Is there a way to set up a disaster recovery agent (DRA) so that if a laptop dies, I can remove the hard drive, install it in another computer as a second hard drive and use the DRA to recover encrypted data (i.e., EFS)? I'm new to XP security, so I may not be providing all of the information you need.
Unfortunately, there is no way to create a recovery agent for EFS that will be the same on multiple Windows XP computers that are not joined to a domain. The XP user accounts are local to each computer, so even if you created an account with the same name on both computers, it would not be recognized as the same account and would not have access to the proper EFS keys.

You do have a couple of choices, though. The first and best option is to tutor the users in how to make a backup of the EFS keys and how to make a password recovery disk. If they make the key backup and include the private key, they can import the keys into the certificate store of another account on another Windows XP Professional computer and, presuming their EFS-encrypted files are OK, read the files. If they have a password recovery disk, then they may be able to recover from other issues, such as a password reset on their XP computer.

The second option, and an option that may be used in addition to option one, is to obtain one of the new EFS recovery applications. These applications claim that if you know the password for the account that encrypted the files, their product can recover the files even if the user profile is messed up. One of the new recovery applications, called "Advanced EFS Recovery," is available at www.elcomsoft.com/ (Note: I do not vouch for any of the recovery programs; purchase at your own risk). I'd purchase a couple of these applications after investigation and try them out in your own environment before you have a problem. Please note that they do not "break" EFS encryption; no one could use them to access your users' files unless the account password was also known to them. Instead, the applications claim to help when you know the user account and password, and the user profile is damaged (for example, if you reinstall the OS).
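As an added example that is not part of the original column or the expert's answer, the following cmd batch script walks through the key backup and re-import that the first option describes: on the laptop it lists the encrypted files and exports the user's EFS certificate plus private key to a password-protected PFX; on the rescue machine, where the laptop's disk is attached as a second drive, it imports that PFX into the rescue account's Personal store. It assumes Windows XP Professional SP2 or later (the release in which "cipher /x" became available); the folder names, drive letters, the "backup"/"restore" arguments and the rundll32 import call are this example's own choices, not anything from the column.

```batch
@echo off
rem Added example (not from the original column). Back up a traveling user's
rem EFS certificate and private key, and later import it on a rescue PC where
rem the laptop's disk is mounted as a second drive. Assumes Windows XP Pro SP2
rem or later for "cipher /x"; paths and drive letters are assumptions.
setlocal

if "%1"=="backup" goto backup
if "%1"=="restore" goto restore
echo Usage: %~nx0 backup ^<dest-folder^>   (run as the user who encrypted the files)
echo        %~nx0 restore ^<file.pfx^>     (run as the rescue account on the second PC)
goto :eof

:backup
rem --- On the laptop, logged on as the user whose profile owns the EFS key ---
set DEST=%~2
if "%DEST%"=="" set DEST=E:\efs-backup
if not exist "%DEST%" mkdir "%DEST%"

rem List every encrypted file on the local drives without touching their keys
rem (/u /n), so the user has a record of what this key backup covers.
cipher /u /n > "%DEST%\encrypted-files-%COMPUTERNAME%.txt"

rem Export the current user's EFS certificate and private key to a PFX file
rem (cipher appends .pfx). cipher prompts for a password that protects the
rem private key; pick a strong one and keep it apart from the media holding
rem the PFX, because the PFX alone is enough to decrypt every listed file.
cipher /x "%DEST%\efs-%COMPUTERNAME%-%USERNAME%"
echo Key backup written to "%DEST%". Keep it off the laptop (USB media or a safe).
goto :eof

:restore
rem --- On the rescue PC, logged on as the account that will read the files ---
set PFX=%~2
if not exist "%PFX%" (echo PFX file not found: "%PFX%" & exit /b 1)

rem Launch the Certificate Import Wizard for the PFX, the same wizard that
rem double-clicking a .pfx opens. Choose the "Personal" store of the current
rem user; the wizard asks for the PFX password set during backup.
rundll32.exe cryptext.dll,CryptExtAddPFX "%PFX%"

rem Caveat: the NTFS ACLs on the transplanted drive still name the dead
rem laptop's local SIDs, so an Administrator on the rescue PC must take
rem ownership of the folders (Explorer, Properties, Security, Advanced, Owner)
rem before opening the files; otherwise access is denied even though the EFS
rem private key is now in this account's store.
echo After the import completes, take ownership of the folders on the second
echo drive, then open the encrypted files as this account.
goto :eof
```

Run the backup leg as each traveling user on their own laptop (the private key is in their profile, so an administrator account cannot export it for them), and test the restore leg on a spare XP machine before a laptop actually fails, as the column recommends for the commercial tools.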

This was first published in December 2003
