#1
New EFS tool available - EFS Certificate Configuration Updater
Following on the heels of the recent release of the EFS Assistant shared-source tool, I am proud to announce the release of another tool to smooth the path for reliable recovery of EFS'd files: EFS Certificate Configuration Updater (http://www.codeplex.com/EFSCertUpdater/)

__Why should you care?__
- You'll be interested if you're using EFS, and
- You've tried to make sure that you (or your users) are using the EFS certificate that was archived (with its private key) in your Microsoft Certificate Server.

__What difference will it make?__
- When users need to recover access to *ALL* their EFS'd files, and
- When you want to make the process as fast and painless for the users as possible
- The copy of the user's archived EFS keys that you extract from your Certificate Server should be (almost) guaranteed to decrypt all the user's encrypted files.

There are a number of my customers who expressed concerns that even if they did everything right - enabling Autoenrollment policy, creating "version 2" certificate templates for use with EFS, automatically archiving the user's EFS keypair at enrollment time - there's still no guarantee that the user's PCs were actually *using* those archived EFS keys to encrypt files. Most of the time it works fine, but they told me they'd seen cases where:
- users had once tried using EFS, and abandoned it later, but the new EFS certificate didn't replace the pre-existing (non-archived) EFS certificate, so all files continued to be encrypted with an unrecoverable key
- users had encrypted files before the PKI was in place, then upgraded their certificate, but their existing encrypted files weren't updated to be encrypted with the new keys

No, I'm not trying to panic anyone - like I said, this affects a small fraction of the user population in most wide-scale EFS deployments. However, it's an issue I've heard over and over again, and this tool should help folks get on with their deployments.

__How does it work?__
- The tool works strictly at the command line - it presents no UI
- It searches through all the EFS certificates the user has in their personal certificate store (aka the "MY store")
- It keeps searching until it finds a certificate that (a) is still valid, (b) is not self-signed, (c) has an associated private key, and (d) has the EFS EKU
- Once it identifies a suitable certificate, it checks whether that is the currently-configured certificate; if not, then it updates the CertificateHash registry setting and quits
- Oh, and it generates a log file of its activity

__What does it require?__
- .NET 2.0
- XP or Vista (only been tested on XP so far)
- it doesn't require Admin rights, but I bet it'd barf if it ran under DropMyRights

__How often would I have to use this tool?__
- In theory, once
- All you really need is to get the user *off* their self-signed certificate, and encrypting with the v2 certificate
- From there, Autoenrollment should be able to keep renewing EFS certificates with no failures - unless the user's PC is off the company network for months at a time

__What's next for the EFS Cert Updater?__
- Do some further robustness testing to see if there are any circumstances under which non-v2 EFS certs could be selected
- Add a command-line parameter to specify an exact Certificate Template from which the selected EFS cert must be enrolled
- Enable a capability to archive (i.e. hide) all other EFS certificates except the selected one
- Add capability to write to the Application Event Log
- Enable a capability to select the "best" EFS certificate if multiple are found

Please browse the web site, leave some feedback or questions, and give it a spin. All assistance is greatly appreciated.

Cheers,
Mike Smith-Lonergan
http://www.codeplex.com/EFSCertUpdater
http://paranoidmike.blogspot.com/
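The selection logic Mike describes (valid, not self-signed, has a private key, carries the EFS EKU, then compare against the configured CertificateHash) is small enough to audit by hand. The script below is an added example, not the EFSCertUpdater tool's own code: it runs the same four checks against the user's MY store and reports whether the EFS configuration already points at a CA-issued certificate, only writing the registry when run with -Update. It goes slightly beyond the post by ranking multiple candidates by expiry date rather than taking the first match. Assumptions: Windows PowerShell on XP/Vista or later, the EFS EKU OID 1.3.6.1.4.1.311.10.3.4, and that CertificateHash under HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys holds the certificate's SHA-1 hash as REG_BINARY. The log path and function names are my own.

```powershell
# Added example (not the EFSCertUpdater tool's own code). Audits, and with
# -Update corrects, which certificate the current user's EFS configuration
# points at, applying the four selection criteria from the post.
# Assumptions: EFS EKU OID 1.3.6.1.4.1.311.10.3.4; CertificateHash under
# HKCU\...\EFS\CurrentKeys holds the SHA-1 certificate hash as REG_BINARY.
param([switch]$Update)

$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'
$EfsKeyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$LogFile    = Join-Path $env:TEMP 'efs-cert-audit.log'   # assumed log location

function Write-Log([string]$Message) {
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Criteria (a)-(d) from the post. The self-signed test compares Subject and
# Issuer, which is a heuristic rather than a signature verification.
function Test-EfsCandidate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $now = Get-Date
    $valid   = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)   # (a) still valid
    $notSelf = ($Cert.Subject -ne $Cert.Issuer)                              # (b) not self-signed
    $hasKey  = $Cert.HasPrivateKey                                           # (c) private key present
    $hasEku  = $false                                                        # (d) EFS EKU
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { $hasEku = $true }
            }
        }
    }
    return ($valid -and $notSelf -and $hasKey -and $hasEku)
}

# Thumbprint currently configured for EFS as upper-case hex, or $null if unset.
function Get-ConfiguredEfsThumbprint {
    $props = Get-ItemProperty -Path $EfsKeyPath -Name CertificateHash -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    return (($props.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join '')
}

$configured = Get-ConfiguredEfsThumbprint
Write-Log "Configured EFS CertificateHash: $(if ($configured) { $configured } else { '<none>' })"

# Beyond the post: rank candidates by expiry instead of taking the first hit,
# so the longest-lived CA-issued certificate is preferred.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My |
                Where-Object { Test-EfsCandidate $_ } |
                Sort-Object NotAfter -Descending)
if ($candidates.Count -eq 0) {
    Write-Log 'No valid, CA-issued EFS certificate with a private key in the MY store; nothing to do.'
    exit 1
}
$best = $candidates[0]
Write-Log "Selected: $($best.Thumbprint) issued by '$($best.Issuer)', expires $($best.NotAfter)"

if ($configured -eq $best.Thumbprint) {
    Write-Log 'OK: EFS is already configured to use this certificate.'
} elseif ($Update) {
    New-Item -Path $EfsKeyPath -Force | Out-Null
    Set-ItemProperty -Path $EfsKeyPath -Name CertificateHash -Type Binary -Value ([byte[]]$best.GetCertHash())
    Write-Log "Updated CertificateHash to $($best.Thumbprint). Run 'cipher /u' to re-key existing encrypted files."
} else {
    Write-Log 'MISMATCH: EFS is configured with a different (possibly self-signed) certificate; re-run with -Update to fix.'
}
```

Two things the script does not do that the post flags as open work: it does not check which certificate template the candidate was enrolled from, so a CA-issued EFS certificate from a non-archiving template would still pass, and it does not write to the Application Event Log. Switching the registry value only affects files encrypted from now on; the second failure mode in the post (old files still tied to the old key) needs `cipher /u` to re-key them, which is why the update branch says so.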
New EFS tool available - *SPAM*
wrote:

spam

--
Malke
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
#3
New EFS tool available - *SPAM*
Malke - you are talking BULL ****

I was exactly looking for such an EFS Tool!

"Malke" wrote in message ...
> wrote:
> spam
>
> --
> Malke
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
#4
New EFS tool available - *SPAM*
On Fri, 17 Aug 2007 05:57:13 -0700, Malke wrote:

> wrote:
> spam

You need to get a grip. Mike Smith-Lonergan, until fairly recently, was one of the security gurus at Microsoft and when it comes to EFS, he definitely knows what he's talking about. As someone who deploys enterprise PKI solutions, with a number of large scale EFS deployments under my belt, I can tell you Malke that this is anything but SPAM.

Did you even check the link before you posted your knee-jerk reaction? As the first sentence on the CodePlex home page states; "CodePlex is Microsoft's open source project hosting web site".

Fixing mom and dad's computers for a living doesn't give you the right to make these kinds of judgement calls, especially when you clearly don't know what you're talking about.

You owe Mike an apology.
#5
New EFS tool available - *SPAM*
Is advertising a free utility to an audience who might find a use for it spam? No, I wouldn't think so.

Only thing is, the bugs he mentions just tend to confirm my thoughts that anyone who uses EFS is taking an insane risk. Reliable security is that in which the key is tested regularly, by way of actually and deliberately using that key. That way, you know if the key works or not.

Issue with EFS is that you never really know what key (if any key!) is being used. Until it breaks, that is. Then, you get to keep both pieces.
#6
New EFS tool available - *SPAM*
"Paul Adare" wrote in message ...
> Malke wrote:
>> wrote:
>> spam
>
> You need to get a grip. Mike Smith-Lonergan
[snip - Mike's personal history - irrelevant to spam/ham determination]
[snip - Paul's personal history - irrelevant to spam/ham determination]
> Did you even check the link before you posted your knee-jerk reaction?

I did visit the page. That the tool is free and written or [co]developed by a non-spammer is irrelevant regarding the spam/ham determination of his *post*.

> As the first sentence on the CodePlex home page states; "CodePlex is Microsoft's open source project hosting web site".

I wouldn't want to see every open-sourced project on sourceforge.net spammed here, either.

> Fixing mom and dad's computers for a living doesn't give you the right to make these kinds of judgement calls,

Also irrelevant to the spam/ham determination of Mike's post. The effectiveness and usability of the product is irrelevant to the actual post. The post is not the product. Mike wanted to let the community know about his new tool. Seems like putting it in his signature when he actually is submitting a non-spam post would be just as effective but would probably delay when he could announce it.

> You owe Mike an apology.

So is the only consideration as to whether or not a post is spam based solely on whether the product or service it attempts to proliferate is free or not? I don't ever recall that the cost of a product or service was a criteria to identify spam (in newsgroups). Repeated off-topic fanatic religious posts are spam but are not begging for any monies. Since what they proffer is free then it must not be spam? Didn't think so.

Yes, it may be a good tool; however, would you want to see the newsgroups littered with posts regarding every free utility from Microsoft or every free utility that anyone anywhere has created? There are newsgroups devoted for spewing out posts on free stuff. I wasn't aware that this newsgroup was one of them. Stop confusing spam as always having to do with someone trying to get money.

Every user of Teranews' free NNTP server is spamming due to the signature that Tera slaps onto every one of those users' posts. Every outbound e-mail sent through a free Hotmail or Yahoo Mail account is spam because of a promotional signature that gets appended. Just because those services are free doesn't magically alter that they are spamifying every post or e-mail sent through them. Hawking your product, especially when unsolicited, is also spam regardless that it is free, regardless that it is useful, and regardless of who wrote it. Would you really want to see this newsgroup inundated with posts for every free [security] program out there?
#7
New EFS tool available - *SPAM*
"Vanguard" wrote:
> So is the only consideration as to whether or not a post is spam based solely on whether the product or service it attempts to proliferate is free or not?

I agree, it's a gray area.

>> Fixing mom and dad's computers for a living doesn't give you the right to make these kinds of judgement calls.

Also agree that there can sometimes be too much big-network guy snobbery in here. Fixing home computers for a living can be a very much more challenging job than running a corporate helpdesk, which by comparison is a relatively static, tightly-disciplined and predictable environment.
#8
New EFS tool available - *SPAM*
What are you trying to achieve here?

Lots of people on this newsgroup genuinely appreciate the time and attention that people like Paul Adare give to supporting us IT pros who are sometimes just a little bit out of our depth and hugely respect the experience and knowledge he imparts. Your smug, schoolboy flame is enough to make us wanna puke.
#9
New EFS tool available - *SPAM*
david.wozny wrote:
> What are you trying to achieve here?
>
> Lots of people on this newsgroup genuinely appreciate the time and attention that people like Paul Adare give to supporting us IT pros who are sometimes just a little bit out of our depth and hugely respect the experience and knowledge he imparts. Your smug, schoolboy flame is enough to make us wanna puke.

This thread has many responders over the last 7 days. We have *no idea* who your response is actually aimed at. Please clarify whom you are addressing and for what.

Entire Thread:
http://groups.google.com/group/micro...643c4f91335819

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
#10
New EFS tool available - *SPAM*
On Thu, 23 Aug 2007 18:16:08 -0500, Shenan Stanley wrote:

> This thread has many responders over the last 7 days. We have *no idea* who your response is actually aimed at. Please clarify whom you are addressing and for what.

Who is "we" exactly? I'd thought that given the threaded nature of NNTP discussion groups it should be pretty obvious that Don's response was aimed at the person to whose post he responded.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
People who deal with bits should expect to get bitten. -- Jon Bentley
#11
New EFS tool available - *SPAM*
Shenan Stanley wrote:
> This thread has many responders over the last 7 days. We have *no idea* who your response is actually aimed at. Please clarify whom you are addressing and for what.

Paul Adare wrote:
> Who is "we" exactly? I'd thought that given the threaded nature of NNTP discussion groups it should be pretty obvious that Don's response was aimed at the person to whose post he responded.

I notice you included who you were responding to as well as WHAT you were responding to... Any reason? Don't you normally reply in this manner - with some remnant of what you are responding to *in* your response?

As for who the "we" is - as you may know - the newsgroups are replicated across MANY MANY news servers across the globe. Some of these news servers erase messages at a steady pace - so that a reply without any reference to the original posting may exist on some newsgroups. There are many times people will only see the reply to a post and not the original question on the news server of their choice because of said replication - that is why it is generally accepted that in a newsgroup post you maintain some remnants of what you are responding to for such occurrences.

Therefore - it is likely that someplace on some news server - someone only sees Don's response and NOTHING of the thread before that. Another reason that I posted the Google groups link to the entire thread. So that it might make sense to people who might not be using a news server where they see everything OR they are using a newsreader whose settings might only get so many days back of posts, etc.

Just because you are not a part of the "we" does not mean the "we" does not exist. ;-)

Entire Thread:
http://groups.google.com/group/micro...643c4f91335819

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
#12
New EFS tool available - *SPAM*
On Thu, 23 Aug 2007 19:30:38 -0500, Shenan Stanley wrote:

> Just because you are not a part of the "we" does not mean the "we" does not exist. ;-)

The use of "we" in a forum like this is presumptuous and arrogant. You are entitled to your opinion, you're not entitled to pass it off as that of others.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Binary: Possessing the ability to have friends of both sexes.
#13
New EFS tool available - *SPAM*
Shenan Stanley wrote:
> This thread has many responders over the last 7 days. We have *no idea* who your response is actually aimed at. Please clarify whom you are addressing and for what.

Paul Adare wrote:
> Who is "we" exactly? I'd thought that given the threaded nature of NNTP discussion groups it should be pretty obvious that Don's response was aimed at the person to whose post he responded.

Shenan Stanley wrote:
> I notice you included who you were responding to as well as WHAT you were responding to... Any reason? Don't you normally reply in this manner - with some remnant of what you are responding to *in* your response?
>
> As for who the "we" is - as you may know - the newsgroups are replicated across MANY MANY news servers across the globe. Some of these news servers erase messages at a steady pace - so that a reply without any reference to the original posting may exist on some newsgroups. There are many times people will only see the reply to a post and not the original question on the news server of their choice because of said replication - that is why it is generally accepted that in a newsgroup post you maintain some remnants of what you are responding to for such occurrences.
>
> Therefore - it is likely that someplace on some news server - someone only sees Don's response and NOTHING of the thread before that. Another reason that I posted the Google groups link to the entire thread. So that it might make sense to people who might not be using a news server where they see everything OR they are using a newsreader whose settings might only get so many days back of posts, etc.
>
> Just because you are not a part of the "we" does not mean the "we" does not exist. ;-)
>
> Entire Thread:
> http://groups.google.com/group/micro...643c4f91335819

Paul Adare wrote:
> The use of "we" in a forum like this is presumptuous and arrogant. You are entitled to your opinion, you're not entitled to pass it off as that of others.

No.

I pointed out quite clearly that your assumption that there is not more than one person who might not know what you are referring to is likely to be incorrect. "We" is being used to represent the fact that more than one person might not be able to see the entire thread and that *I* might just be *one* of those *we*. I pointed out the facts of replication and deletion of posts and how some newsreaders (people in this usage of the word) might not be able to see the entire thread.

My use of the word "we" was nothing more than a shortening of "some people of which I might be one of" in this case. If you took it as anything else - I apologize for the misunderstanding.

But - as you said - you are entitled to your opinions... and interpretations.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
#14
New EFS tool available - *SPAM*
On Thu, 23 Aug 2007 22:03:19 -0500, Shenan Stanley wrote:

> If you took it as anything else - I apologize for the misunderstanding.

Cool. Since we (you and I) are so far off topic we (you and I) should probably drop this now.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Remember the good old days, when CPU was singular?
#15
New EFS tool available - *SPAM*
Shenan Stanley wrote:
> This thread has many responders over the last 7 days. We have *no idea* who your response is actually aimed at. Please clarify whom you are addressing and for what.

Paul Adare wrote:
> Who is "we" exactly? I'd thought that given the threaded nature of NNTP discussion groups it should be pretty obvious that Don's response was aimed at the person to whose post he responded.

Shenan Stanley wrote:
> I notice you included who you were responding to as well as WHAT you were responding to... Any reason? Don't you normally reply in this manner - with some remnant of what you are responding to *in* your response?
>
> As for who the "we" is - as you may know - the newsgroups are replicated across MANY MANY news servers across the globe. Some of these news servers erase messages at a steady pace - so that a reply without any reference to the original posting may exist on some newsgroups. There are many times people will only see the reply to a post and not the original question on the news server of their choice because of said replication - that is why it is generally accepted that in a newsgroup post you maintain some remnants of what you are responding to for such occurrences.
>
> Therefore - it is likely that someplace on some news server - someone only sees Don's response and NOTHING of the thread before that. Another reason that I posted the Google groups link to the entire thread. So that it might make sense to people who might not be using a news server where they see everything OR they are using a newsreader whose settings might only get so many days back of posts, etc.
>
> Just because you are not a part of the "we" does not mean the "we" does not exist. ;-)
>
> Entire Thread:
> http://groups.google.com/group/micro...643c4f91335819

Paul Adare wrote:
> The use of "we" in a forum like this is presumptuous and arrogant. You are entitled to your opinion, you're not entitled to pass it off as that of others.

Shenan Stanley wrote:
> No.
>
> I pointed out quite clearly that your assumption that there is not more than one person who might not know what you are referring to is likely to be incorrect. "We" is being used to represent the fact that more than one person might not be able to see the entire thread and that *I* might just be *one* of those *we*. I pointed out the facts of replication and deletion of posts and how some newsreaders (people in this usage of the word) might not be able to see the entire thread.
>
> My use of the word "we" was nothing more than a shortening of "some people of which I might be one of" in this case. If you took it as anything else - I apologize for the misunderstanding.
>
> But - as you said - you are entitled to your opinions... and interpretations.

Paul Adare wrote:
> Cool. Since we (you and I) are so far off topic we (you and I) should probably drop this now.

Agreed. Considering it dropped.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html