You'll find the certificates of interest under Trusted People. EFS certificates can be managed in the Certificates MMC snap-in you'll need to open the snap-in for the computer (not the user), or just run certlm.msc. You can torch that extra file if you want, the certificate is all ready. Encrypt that file with cipher /e scratch.txt.
The first time a file is encrypted (for any account), an EFS certificate/key is issued.
If you want to give SYSTEM access to already-encrypted files To encrypt a directory, the command is cipher /e /s:, with the target directory name smashed right up against that colon. cipher /e followed by the filename encrypts that file, making it only accessible to SYSTEM. This can be accomplished with the cipher utility that comes with Windows. Use the SYSTEM prompt to encrypt the files. If you want only SYSTEM to have access to the files Therefore, these procedures are only advisable if you're worried about the security of off-site backups, where the machine key is not accessible.
Usually, EFS certificates are protected by a user password, but SYSTEM's password has to be stored on the disk because nobody enters its password. Note that allowing SYSTEM access to an encrypted file means that anybody with physical access to the machine can decrypt that file. From an admin command prompt with psexec.exe accessible, run psexec /s /i cmd.exe to produce a command prompt running as SYSTEM. The only person who can enroll a certificate for SYSTEM is SYSTEM, so you'll need to get PsExec. The SYSTEM account can indeed use EFS, but it doesn't have an EFS certificate by default. This works on every incarnation of Windows since 7 (and probably earlier), and the server versions too.
0 kommentar(er)
