
Don't Shoot Yourself in the Foot

In Windows 2000, Microsoft didn't allow you to encrypt files if there was no DRA (data recovery agent). A DRA is an agent that has been issued an X.509v3 certificate and has permission to decrypt data encrypted by other users. In a domain environment, the domain administrator is the DRA. In Windows 2000 Professional, the built-in local administrator is the DRA. By default, Windows XP has no DRA.

The reason Microsoft didn't allow use of EFS once the DRA was deleted was to protect users from losing important encrypted data: if a user's private key was lost, the DRA could recover the files. That was a good thing. The new EFS implementation in Windows XP/2003 doesn't care whether you have a DRA; it lets you encrypt files even if you delete the DRA—or, in the case of Windows XP, never create one. Therefore, you need to ensure that you have at least one DRA before you encrypt files. Also, make sure that the DRA is not the account that you normally use to log on and encrypt files.
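As an added example (not code from the article), the following PowerShell function checks the two rules above on the machine it runs on: that a newly encrypted file actually gets a recovery certificate, and that the account running the check does not itself hold a DRA private key. It assumes the text layout of cipher.exe /c output ("Recovery Certificates:", "No recovery certificate found." and "Certificate thumbprint:" lines) and a Windows version with EFS enabled.

```powershell
# Added example: verify the effective EFS recovery policy before trusting EFS.
# Assumption: cipher.exe /c prints a "Recovery Certificates:" section with
# "Certificate thumbprint:" lines, or "No recovery certificate found." when no DRA applies.
function Test-EfsRecoveryAgent {
    [CmdletBinding()]
    param()

    # Encrypt a throwaway file so cipher /c reports the policy applied right now.
    $probe = Join-Path $env:TEMP ("efs-dra-probe-{0}.txt" -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'probe'
    try {
        (Get-Item $probe).Encrypt()                      # throws if EFS is disabled
        $report = & cipher.exe /c $probe 2>&1 | Out-String
    }
    finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }

    $result = [pscustomobject]@{
        HasDra           = $false
        DraThumbprints   = @()
        DraIsCurrentUser = $false
    }
    if ($report -match 'No recovery certificate found') { return $result }

    # Thumbprints listed under "Recovery Certificates:" (assumed output layout).
    $section = ($report -split 'Recovery Certificates:', 2)[1]
    if (-not $section) { return $result }
    $section = ($section -split 'Key Information:', 2)[0]
    $dra = @([regex]::Matches($section, 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace ' ', '').ToUpperInvariant() })

    # Rule 2: the logged-on user should not hold a DRA private key in their own store.
    $mine = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object { $_.Thumbprint.ToUpperInvariant() })

    $result.HasDra           = ($dra.Count -gt 0)
    $result.DraThumbprints   = $dra
    $result.DraIsCurrentUser = [bool]@($dra | Where-Object { $mine -contains $_ })
    $result
}

Test-EfsRecoveryAgent
```

HasDra = False means the first rule is violated on this machine; DraIsCurrentUser = True means the second one is.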
