|
You can have a central set of Data Recovery Agents that are used by laptops even when they are not connected to the network.
Be sure to have your laptop users log onto the domain even when they are on the road. The logon will pause a few seconds then proceed with cached credentials. The public key of the domain DRA is stored in the Registry. Because the user logged onto the domain (from the perspective of Winlogon), EFS running under the user's security context can access the domain DRA key.
It's very, very important that the users don't log onto their local desktop SAM rather than the domain. If they do, then the local Admin account on the Pro desktop will become the DRA for their encrypted files. Also, the password hash from their local SAM account will be used to encrypt the master Crypto key used to encrypt the user's private EFS key. When the user comes back to the office and logs onto the domain, they will not be able to open the files they encrypted while they were logged onto the local SAM.
Even worse, if a bad guy steals the laptop, it's a trivial process to change the local Admin password and use that account to open the encrypted files. File encryption is only secure when the laptop is a member of a domain and the user logs onto the domain account.
|
