Protecting Your Encryption Key Using EFS

EFS (Encrypting File System) is a Microsoft technology that allows a user to encrypt files using a key tied to their Windows account. This means that only the user who encrypted the file will be able to read it, even if NTFS permissions grant other users access to it. If an administrator resets the password on this account (rather than the account changing its own password), then the file will not be recoverable.

You can use EFS to protect your Password Reset Server encryption key. This allows only a single service account to access the file; no other user will be able to read the key unless they know the service account password. Below are the steps for encrypting your encryption.config file with EFS.
  1. Back up your encryption.config file to a secure location. This is very important for disaster recovery (DR). If you lose access to your service account or the server fails, you will not be able to recover your security policies and questions without a backup of this file.
  2. Create a new service account or select an existing one. The service account must initially be allowed to log in to the server, since the file must be encrypted while logged in as that account.
  3. If you have already installed Password Reset Server and are using Windows Authentication for database access, make sure the Service Account has access to the database.
  4. Run the Password Reset Server application pool as this service account. More details can be found in the following KB article.
  5. Note that the linked article was originally written for Secret Server, but it also applies to Password Reset Server: http://support.thycotic.com/KB/a94/running-secret-server-iis-application-pool-with-service.aspx
  6. Give the service account full access to your Password Reset Server directory through Windows Explorer if it does not have access already.
  7. Log in to your server as the service account.
  8. Locate the encryption.config file in your Password Reset Server directory.
  9. Right-click the file and select Properties.
  10. Click the "Advanced..." button on the General tab.
  11. Check the "Encrypt contents to secure data" check box.
  12. Click "OK" and then "Apply". Select the "Encrypt the file only" option if prompted and click "OK".
  13. Log out of Windows and log back in as an administrator. Confirm that the application still works by performing an IIS reset (Start -> Run -> cmd -> iisreset) or recycling the application pool. Then make sure you can still log in to Password Reset Server.
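As an added example that is not part of the original article, the following PowerShell script checks the preconditions of the steps above (backup present, application pool identity set, logged in as the service account), encrypts the file the same way the Explorer checkbox does, and then verifies the result. The install directory, application pool name, service account name and backup path are assumed values; adjust them for your server.

```powershell
# Added verification script (not from the original article). Assumed values:
$InstallDir  = 'C:\inetpub\wwwroot\PasswordResetServer'   # assumed install path
$AppPoolName = 'PasswordResetServer'                       # assumed app pool name
$ServiceAcct = 'DOMAIN\svc_prs'                            # assumed service account
$BackupPath  = 'D:\Secure\encryption.config.bak'           # assumed backup location
$ConfigFile  = Join-Path $InstallDir 'encryption.config'

# Step 1 check: a backup must exist before encrypting, because an EFS-protected
# file becomes unrecoverable if the service account password is ever reset.
if (-not (Test-Path $BackupPath)) {
    throw "No backup found at $BackupPath; back up encryption.config first."
}

# Step 4 check: the application pool must run as the service account, otherwise
# IIS will no longer be able to decrypt the key once the file is encrypted.
Import-Module WebAdministration
$pm = (Get-ItemProperty "IIS:\AppPools\$AppPoolName").processModel
if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $ServiceAcct) {
    Write-Warning "App pool '$AppPoolName' runs as $($pm.identityType) $($pm.userName), not $ServiceAcct"
}

# Step 7 check: EFS keys are per user, so the encryption must be performed while
# logged in as the service account, not as an administrator.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ServiceAcct) {
    throw "Logged in as $me; log in as $ServiceAcct before encrypting the key file."
}

# Steps 9-12 equivalent: encrypt only this file (same as the Explorer option).
[System.IO.File]::Encrypt($ConfigFile)

# Step 13 check: confirm the Encrypted attribute is set, then list the
# certificates that can decrypt the file; only the service account should appear.
$attrs = (Get-Item $ConfigFile).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
    throw "encryption.config is not EFS-encrypted"
}
cipher.exe /c $ConfigFile
```

Run the script from a PowerShell session started as the service account; if `cipher.exe /c` lists any user other than the service account (for example a data recovery agent), that user can also read the key.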

Article ID: 121, Created On: 10/18/2010, Modified: 10/18/2010