Security with Windows Server 2003

Microsoft Virtual Labs

Source: http://slidepdf.com/reader/full/security-with-windows-server-2003 (17 pages, retrieved 8/7/2019; uploaded by mtv001, posted 08-Apr-2018)



Table of Contents

Security with Windows Server 2003
Exercise 1 PKI - User Certificate Autoenrollment
Exercise 2 PKI - Private Key Archival and Recovery


Security with Windows Server 2003

Objectives
After completing this lab, you will be able to:
- Install an Enterprise Certification Authority (CA) and configure certificate autoenrollment for users.
- Configure the Enterprise CA to implement private key archival and recovery.

Scenario
Active Directory in Windows Server 2003 brings improvements in areas such as performance, management and usability. Over the course of the next hour, we will step through some of the improvements available through the Certification Authority component.

Windows Server 2003 introduces version 2 certificate templates, which extend the set of properties that could be configured in a version 1 template. With version 2 templates you can:
- Create new certificate templates
- Copy (duplicate) existing templates
- Supersede templates already in use

Version 2 templates can be edited to meet the needs of an application or the enterprise. When a version 1 template is duplicated, the copy is automatically upgraded and becomes a version 2 template; the original version 1 template is unchanged.

Combining Group Policy settings with version 2 certificate templates enables users to be enrolled automatically for user-type certificates when they log on. Autoenrollment of user certificates is quick and simple and enables PKI-aware applications within an Active Directory environment.

Estimated time to complete this lab: 60 minutes


Computers used in this lab: Paris, Madrid

Exercise 1: PKI - User Certificate Autoenrollment

Scenario
In this exercise, we will install an Enterprise Certification Authority (CA). We will look at new functionality in Windows Server 2003 that allows us to configure certificate autoenrollment for users.

Complete this exercise using: Paris, Madrid

Tasks and detailed steps

Complete the following 3 tasks on Paris.

1. In order to show user certificate autoenrollment in Windows Server 2003, we must install the new version 2 certificate templates by opening the Certificate Templates console.

a. Click Start | Run.
b. In the Run dialog box, type certtmpl.msc and click OK.
   Info: Certtmpl.msc is a predefined Microsoft Management Console (MMC) file for the Certificate Templates snap-in.
c. When the Certificate Templates message box appears, click Yes to confirm that you want to install new certificate templates.
   Info: In a new or upgraded Windows Server 2003 forest, the first Enterprise Administrator who opens the Certificate Templates console is prompted to install the new certificate templates. This updates the permissions on existing certificate templates and adds the new certificate templates in Active Directory. Installing an Enterprise CA also installs the new certificate templates.
d. Click OK to confirm that Windows successfully installed the new certificate templates.
e. In Certificate Templates, right-click the Basic EFS certificate template and click Properties.
   Info: Basic EFS is one of the version 1 certificate templates. These are compatible with Windows 2000 CAs. Configuration settings of a version 1 certificate template, except the permissions on the Security tab, cannot be changed.
f. Click Cancel to close the Basic EFS Properties dialog box.

g. Right-click the Directory Email Replication certificate template, and click Properties.
   Info: Directory Email Replication is one of the version 2 certificate templates. These are not compatible with Windows 2000 CAs. Version 2 certificate templates can be edited, can be autoenrolled to users (if applicable) and can be configured to archive the encryption private key on the Request Handling tab.
h. Click Cancel to close the Directory Email Replication Properties dialog box.

2. Now we will create a new template configured for autoenrollment, based on the Basic EFS template.

a. In the Certificate Templates console, right-click the Basic EFS certificate template and click Duplicate Template.
b. In the Properties of New Template dialog box, in the Template display name text box, type EFS Advanced.
c. In the Properties of New Template dialog box, in the Template name text box, type EFS2, click Apply and click OK.
   Note: EFS Advanced is a new version 2 certificate template. The current configuration version number of the new certificate template is 100.2.
d. Right-click the EFS Advanced certificate template and click Properties.
   Note: You cannot change the template name after it is set.
e. On the General tab, type 2 in the Validity period text box.
   Note: A certificate based on this certificate template will expire in two years. Six weeks before the expiration time (the renewal period), it can be renewed.
f. Click the Extensions tab and ensure that Application Policies is selected.
   Info: The description of the application policies shows that certificates based on this certificate template can be used for Encrypting File System. (In Windows 2000 and for version 1 certificate templates, Application Policies is called Enhanced Key Usage.)
g. Click the Request Handling tab and ensure that the Enroll subject without requiring any user input option is selected.
h. Click the Security tab, select Authenticated Users and, in the Permissions box, click to select the Allow Read (default), Allow Enroll and Allow Autoenroll check boxes.
   Info: Autoenrollment of certificates requires the Read, Enroll and Autoenroll permissions. Granting Enroll and Autoenroll to Authenticated Users lets every authenticated user in the forest obtain EFS certificates from this template, which is fine for this lab; in production, scope these two permissions to a group that represents the intended subjects.
i. Click Apply.
j. Click OK to close the EFS Advanced Properties dialog box.
   Note: The configuration version number of the EFS Advanced certificate template is now 100.3. The Autoenrollment column indicates that the current configuration of the certificate template allows for autoenrollment.
k. Close Certificate Templates.
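The settings made in task 2 are stored as attributes on the template object in Active Directory, and the console only renders them. The following PowerShell script is an added example, not part of the Microsoft lab, that decodes those attributes into the values the console shows (configuration version, validity and renewal periods, the autoenrollment and key archival flags, and whether Authenticated Users hold the Enroll and Autoenroll rights). The values in $Sample are constructed to match the EFS Advanced template after step j (version 100.3, 2-year validity, 6-week renewal, archival still off); Get-TemplateFromAD reads the live object instead and assumes the lab's contoso.com forest and the template name EFS2.

```powershell
# Added example (not from the Microsoft lab): decode the AD attributes behind the
# Certificate Templates console settings for the EFS Advanced (EFS2) template.
# Flag bits and right GUIDs are from the certificate template schema (MS-CRTD).
$CT_FLAG_AUTO_ENROLLMENT              = 0x20    # msPKI-Enrollment-Flag: Autoenroll allowed
$CT_FLAG_USER_INTERACTION_REQUIRED    = 0x100   # msPKI-Enrollment-Flag: prompt the user
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x01    # msPKI-Private-Key-Flag: archive key at CA
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT    = 0x01    # msPKI-Certificate-Name-Flag
$OID_EFS         = '1.3.6.1.4.1.311.10.3.4'                  # Encrypting File System EKU
$GUID_ENROLL     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment right
$GUID_AUTOENROLL = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'    # Certificate-AutoEnrollment right

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian NEGATIVE
    # counts of 100-ns ticks (FILETIME units); negate to get a positive TimeSpan.
    param([byte[]]$Bytes)
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Test-AutoenrollTemplate {
    # $T is a hashtable keyed by LDAP attribute name, plus an 'ACEs' list of
    # @{Identity; RightGuid} entries for the Allow ACEs on the template object.
    param([hashtable]$T)
    $authUsers = 'NT AUTHORITY\Authenticated Users'
    $has = { param($guid) @($T['ACEs'] | Where-Object { $_.Identity -eq $authUsers -and $_.RightGuid -eq $guid }).Count -gt 0 }
    $checks = [ordered]@{
        'version 2 template (editable, autoenrollable)'   = ($T['msPKI-Template-Schema-Version'] -ge 2)
        'EFS application policy present'                  = ($T['pKIExtendedKeyUsage'] -contains $OID_EFS)
        'Autoenroll flag set'                             = (($T['msPKI-Enrollment-Flag'] -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
        'no user input required at enrollment'            = (($T['msPKI-Enrollment-Flag'] -band $CT_FLAG_USER_INTERACTION_REQUIRED) -eq 0)
        'subject built from AD (not supplied in request)' = (($T['msPKI-Certificate-Name-Flag'] -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
        'Authenticated Users: Enroll'                     = (& $has $GUID_ENROLL)
        'Authenticated Users: Autoenroll'                 = (& $has $GUID_AUTOENROLL)
    }
    [pscustomobject]@{
        ConfigurationVersion = '{0}.{1}' -f $T['revision'], $T['msPKI-Template-Minor-Revision']
        ValidityDays         = (ConvertFrom-PkiPeriod $T['pKIExpirationPeriod']).TotalDays
        RenewalDays          = (ConvertFrom-PkiPeriod $T['pKIOverlapPeriod']).TotalDays
        KeyArchival          = (($T['msPKI-Private-Key-Flag'] -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0)
        AutoenrollReady      = (-not (@($checks.Values) -contains $false))
        Checks               = $checks
    }
}

function Get-TemplateFromAD {
    # Live read of the template object; assumes the lab forest and a domain-joined session.
    param([string]$Name = 'EFS2', [string]$ConfigDN = 'CN=Configuration,DC=contoso,DC=com')
    $de = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigDN"
    $t = @{}
    foreach ($a in 'msPKI-Template-Schema-Version','revision','msPKI-Template-Minor-Revision',
                   'msPKI-Enrollment-Flag','msPKI-Private-Key-Flag','msPKI-Certificate-Name-Flag') {
        $t[$a] = [int]$de.Properties[$a].Value
    }
    foreach ($a in 'pKIExpirationPeriod','pKIOverlapPeriod') { $t[$a] = [byte[]]$de.Properties[$a].Value }
    $t['pKIExtendedKeyUsage'] = @($de.Properties['pKIExtendedKeyUsage'] | ForEach-Object { [string]$_ })
    $t['ACEs'] = @($de.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { @{ Identity = $_.IdentityReference.Value; RightGuid = $_.ObjectType.ToString() } })
    $t
}

# CONSTRUCTED sample matching the lab's EFS Advanced template after task 2 step j.
$Sample = @{
    'msPKI-Template-Schema-Version' = 2
    'revision'                      = 100
    'msPKI-Template-Minor-Revision' = 3
    'pKIExpirationPeriod'           = [byte[]](0x00,0x80,0x72,0x0E,0x5D,0xC2,0xFD,0xFF)   # 2 years (730 days)
    'pKIOverlapPeriod'              = [byte[]](0x00,0x80,0xA6,0x0A,0xFF,0xDE,0xFF,0xFF)   # 6 weeks (42 days)
    'msPKI-Enrollment-Flag'         = 0x20          # autoenroll, no prompt
    'msPKI-Private-Key-Flag'        = 0x00          # archival not yet on (Exercise 2 task 7 sets 0x01)
    'msPKI-Certificate-Name-Flag'   = 0x82000000    # subject from AD directory path + UPN in SAN
    'pKIExtendedKeyUsage'           = @('1.3.6.1.4.1.311.10.3.4')
    'ACEs'                          = @(
        @{ Identity = 'NT AUTHORITY\Authenticated Users'; RightGuid = $GUID_ENROLL },
        @{ Identity = 'NT AUTHORITY\Authenticated Users'; RightGuid = $GUID_AUTOENROLL }
    )
}
$r = Test-AutoenrollTemplate $Sample
$r | Format-List ConfigurationVersion, ValidityDays, RenewalDays, KeyArchival, AutoenrollReady
$r.Checks.GetEnumerator() | Format-Table Name, Value -AutoSize
# Against the live object on Paris:  Test-AutoenrollTemplate (Get-TemplateFromAD) | Format-List
```

With the constructed sample the script reports ConfigurationVersion 100.3, ValidityDays 730, RenewalDays 42, KeyArchival False and AutoenrollReady True. Run against the live object after Exercise 2 task 7 it should show 101.0 and KeyArchival True; any check that prints False names the exact setting that would stop silent autoenrollment.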

3. In order to autoenroll certificates, we must first configure an authority to issue those certificates.

a. Click Start | Control Panel and click Add or Remove Programs.
b. In the Add or Remove Programs window, click Add/Remove Windows Components.
c. In the Windows Components Wizard dialog box, click to select the Certificate Services check box.
d. When the Microsoft Certificate Services message box appears, click Yes to confirm that the machine name and domain membership may not be changed after installing Certificate Services.
e. Click Details.
   Info: Both the CA subcomponent and the Web Enrollment Support subcomponent will be installed. The Web Enrollment Support web pages cannot be used until IIS is installed.
f. Click OK to close the Certificate Services dialog box.
g. On the Windows Components screen, click Next.
h. On the CA Type screen, ensure that Enterprise root CA is selected and click Next.
   Note: A single online Enterprise root CA is adequate for this lab. In production the root CA is normally kept offline and issues only to subordinate (issuing) CAs, so that compromise of an online issuing CA does not force every relying party to replace its trust anchor.
i. On the CA Identifying Information screen, type Paris CA in the Common name for this CA box and click Next.
j. On the Certificate Database Settings screen, click Next.
   Note: Please wait while Setup installs the CA.
k. When the Microsoft Certificate Services message box appears, click OK to confirm that Web Enrollment Support will be unavailable until IIS is installed.
l. On the Completing the Windows Components Wizard screen, click Finish.
m. Close Add or Remove Programs.

Complete the following task on Madrid.

4. Now we add the root certificate for the Paris CA to the list of Trusted Root Certification Authorities.

a. In the My Machines browser, click Madrid.
b. Click Start | Run.
c. In the Run dialog box, type certmgr.msc and click OK.
   Info: Certmgr.msc is a predefined Microsoft Management Console (MMC) file for the Certificates snap-in for the current user.
d. In Certificates, in the left pane, expand Trusted Root Certification Authorities and select Certificates.
   Note: The status bar shows the number of certificates in this store. In the right pane, the root certificate for the new Paris CA is not listed yet.
e. Click Start | Run.
f. Type gpupdate.exe /target:computer /force and press Enter.
g. In Certificates, right-click Certificates and click Refresh.
   Note: The number of certificates in the Trusted Root Certification Authorities store has increased. The root certificate for the Paris CA is listed. Madrid now trusts certificates from the Paris CA.
   Info: The Enterprise CA's certificate was published in Active Directory when the CA was installed; domain members download it into their Trusted Root store during computer policy processing, which is why a computer-targeted gpupdate (rather than a user-targeted one) makes it appear here.
h. Close Certificates.

Complete the following 2 tasks on Paris.

5. We must specifically configure the CA to issue EFS Advanced certificates.

a. In the My Machines browser, click Paris.
b. Click Start | Administrative Tools | Certification Authority.
c. In the left pane, expand Paris CA and select Certificate Templates.
   Note: The right pane lists the certificate templates for which the Paris CA issues certificates.
d. Right-click Certificate Templates, point to New and click Certificate Template to Issue.
e. In the Enable Certificate Templates dialog box, select EFS Advanced and click OK.
   Note: The Paris CA can now issue certificates for the EFS Advanced certificate template.
f. Close the Certification Authority console.

6. We will now configure Group Policy to enable autoenrollment for all users.

a. Click Start | Administrative Tools and click Group Policy Management.
b. In Group Policy Management, expand Forest: contoso.com | Domains | contoso.com.
c. Right-click the Default Domain Policy link and click Edit.
   Note: In the next step, ensure that you select User Configuration, and not Computer Configuration.
d. In the Group Policy Object Editor, under User Configuration, expand Windows Settings | Security Settings and in the left pane select Public Key Policies.
e. In the right pane, right-click Autoenrollment Settings and click Properties.
f. In the Autoenrollment Settings Properties dialog box, ensure that Enroll certificates automatically is selected, click to select the Renew expired certificates, update pending certificates, and remove revoked certificates check box and the Update certificates that use certificate templates check box, and click OK.
g. Close the Group Policy Object Editor.
h. Close Group Policy Management.

Complete the following task on Madrid.

7. Let's see the effect of the GPO we just modified by using gpupdate to test the autoenrollment of the EFS Advanced user certificate.

a. In the My Machines browser, click Madrid.
b. Click Start | Run.
c. In the Run dialog box, type certmgr.msc and click OK.
d. In Certificates, in the left pane, select Personal.
   Info: The status bar shows that the Personal store contains no certificates. Normally, autoenrollment of user certificates happens at user logon and every 8 hours thereafter. It can be triggered manually by using gpupdate, or the Automatically Enroll Certificates task in the Certificates console.
e. Click Start | Run.
f. Type gpupdate.exe /target:user /force and press Enter.
g. In Certificates, right-click Personal and click Refresh.
   Note: Madrid is generating a new public and private key pair to use for the certificate. It may take a minute before the autoenrolled certificate shows up in the Personal store. You may have to repeat the Refresh command before you can expand Personal.
h. Expand Personal and select Certificates in the left pane.
i. In the right pane, right-click the certificate that is issued to Administrator by Paris CA and click Open.
j. In the Certificate dialog box, click the Details tab, scroll down and select the Certificate Template Information field.
   Note: The certificate is based on the EFS Advanced certificate template, configuration version 100.3.
k. Click OK to close the Certificate dialog box.
l. Close Certificates.

Complete the following task on Paris.

8. Now we will set up our OU and a user to show a certificate use situation.

a. In the My Machines browser, click Paris.
b. Click Start | Administrative Tools and click Active Directory Users and Computers.
c. In the Active Directory Users and Computers console, expand contoso.com.
d. Right-click contoso.com, point to New and click Organizational Unit.
e. In the New Object - Organizational Unit dialog box, type PKI OU and click OK.
f. Right-click PKI OU, point to New and click User.
g. In the New Object - User dialog box, type Eric in the First name and User logon name boxes and click Next.
h. In the next New Object - User dialog box, type Password1 in the Password and Confirm password boxes, click to deselect the User must change password at next logon check box and click Next.
i. In the final New Object - User dialog box, click Finish.
   Note: Eric will be the EFS user whose private encryption key needs to be recovered later in the lab.
j. Close Active Directory Users and Computers.

Complete the following 3 tasks on Madrid.

9. We need to give our new user permission to use Remote Desktop and log on as that user.

a. In the My Machines browser, click Madrid.
b. Click Start, right-click My Computer and click Properties.
c. Click the Remote tab and click to select the Allow users to connect remotely to this computer check box.
d. Click OK in the Remote Sessions dialog box.
e. Click Select Remote Users.
f. Click Add.
g. Type contoso\Eric and click Check Names.
h. Click OK.
i. Click OK to close the Remote Desktop Users dialog box.
j. Click OK to close System Properties.
k. Click Start | Log Off.
l. In the Log Off Windows message box, click Log Off to confirm that you want to log off.
m. Press Right-ALT + DEL.
n. In the Log On to Windows dialog box, type Eric in the User name box and Password1 in the Password box and click OK to log on.

10. Use the Certificates console to verify the autoenrollment of an EFS Advanced certificate for Eric.

a. Click Start | Run.
b. In the Run dialog box, type certmgr.msc and click OK.
c. In Certificates, expand Personal and select Certificates in the left pane.
   Note: You may need to refresh the Personal container. As we saw above, the new user is autoenrolled at logon.
d. Right-click the certificate issued to Eric by Paris CA and click Open.
e. In the Certificate dialog box, click Details, scroll down and select the Certificate Template Information field.
   Note: The certificate is based on the EFS Advanced certificate template, configuration version 100.3.
f. Scroll down to the bottom and select the Thumbprint field.
   Info: The thumbprint (the SHA-1 hash of the certificate) is used to identify the certificate when encrypting a file. Remember the first two hexadecimal byte values on the first row to compare with the encrypted file in the next steps.
g. Click OK to close the Certificate dialog box.
h. Close Certificates.

11. Now we will encrypt a file using the autoenrolled certificate.

a. Click Start | My Documents.
b. In the My Documents folder, right-click the empty space, point to New and click Text Document.
c. In the New Text Document text box, type Plan2004 and press Enter.
d. Right-click Plan2004 and click Properties.
e. In the Plan2004 Properties dialog box, click Advanced.
f. In the Advanced Attributes dialog box, click to select the Encrypt contents to secure data check box and click OK.
g. Click Apply.
h. In the Encryption Warning dialog box, click to select the Encrypt the file only radio button and click OK.
i. Click Advanced.
j. In the Advanced Attributes dialog box, click Details.
   Info: The certificate thumbprint shown is that of the autoenrolled EFS Advanced certificate. EFS encrypts the file with a random file encryption key (FEK) and stores the FEK encrypted to the public key of this certificate, which is why losing the matching private key later makes the file unreadable.
k. Click Cancel to close the Encryption Details dialog box.
l. Click OK to close the Advanced Attributes dialog box.
m. Click OK to close the Plan2004 Properties dialog box.
n. Double-click Plan2004.
o. In Notepad, type 4% salary raise.
p. Click File | Save.
q. Close Notepad.
r. Close My Documents.

Exercise 2: PKI - Private Key Archival and Recovery

Scenario
In this exercise, we will configure the Certification Authority (CA) to implement private key archival and recovery. Using a key recovery agent in conjunction with properly configured certificates that are easy to reenroll to users, we will see how to recover files encrypted with "lost" keys.

Complete this exercise using: Paris, Madrid

Tasks and detailed steps

Complete the following 3 tasks on Paris.

1. Now we will create a user to function as a key recovery agent.

a. In the My Machines browser, click Paris.
b. Click Start | Administrative Tools and click Active Directory Users and Computers.
c. In the Active Directory Users and Computers console, right-click PKI OU, point to New and click User.
d. In the New Object - User dialog box, type Kim in the First name and User logon name boxes and click Next.
e. In the next New Object - User dialog box, type Password2 in the Password and Confirm password boxes, click to deselect the User must change password at next logon check box and click Next.
f. In the final New Object - User dialog box, click Finish.
   Note: Kim will be the Key Recovery Agent who can recover private encryption keys.
g. Right-click PKI OU, point to New and click Group.
h. In the New Object - Group dialog box, type Key Recovery Agents in the Group name box and click OK.
i. Click Kim to change the selection.
j. Right-click Kim and click Add to a group.
k. In the Select Group object picker, in the Group Name field, type Key Recovery Agents and click OK.
l. Click OK to confirm that the Add to Group operation was successfully completed.
m. Close the Active Directory Users and Computers console.

2. In order for Kim to recover lost keys, we need to configure a Key Recovery Agent certificate template so that she can request a

a. Click Start | Run.
b. In the Run dialog box, type certtmpl.msc and click OK.
c. In Certificate Templates, right-click the Key Recovery Agent certificate template and click Properties.
d. In the Key Recovery Agent Properties dialog box, click the Security

[Page 11 of the source is missing from this transcript: the remainder of task 2 and tasks 3 to 5 are not available. The text resumes partway through the description of task 5.]

Agent certificate for Kim.

b. In the Run dialog box, type certmgr.msc and click OK.

c. In Certificates, right-click Personal, point to All Tasks and click Request New Certificate.
d. On the Welcome to the Certificate Request Wizard screen, click Next.
e. On the Certificate Types screen, select the Key Recovery Agent certificate type and click Next.
f. On the Certificate Friendly Name and Description screen, in the Friendly name text box, type Key Recovery Certificate and click Next.
g. On the Completing the Certificate Request Wizard screen, click Finish.
h. Click OK to confirm that the certificate request was successful.
   Note: Kim has successfully requested a Key Recovery Agent certificate. The private key for this certificate is used to decrypt archived encryption keys later. Whoever holds this private key can decrypt every private key the CA archives, so in production it is protected accordingly (hardware-backed or taken off the workstation between recoveries), and the Key Recovery Agent template's default requirement for CA certificate manager approval is kept.
i. In Certificates, expand Personal and, in the left pane, select Certificates.
   Note: In the right pane, the autoenrolled EFS Advanced certificate for Kim and the requested Key Recovery Agent certificate are listed. You may need to refresh the Personal container or scroll to the right.
j. Close Certificates.

Complete the following 2 tasks on Paris.

6. Now that we have a recovery agent and a certificate template, we must configure the CA to enable key recovery.

a. In the My Machines browser, click Paris.
b. In Certification Authority, right-click Paris CA and click Properties.
c. In the Paris CA Properties dialog box, click Recovery Agents, click to select the Archive the key radio button and click Add.
d. In the Key Recovery Agent Selection dialog box, select the Key Recovery Agent certificate that is issued to Kim and click OK.
   Note: The current status of the certificate is Not loaded.
e. Click OK to close the Paris CA Properties dialog box.
f. Click Yes to confirm that you want to restart Certificate Services now.
g. Right-click Paris CA and click Properties.
h. In the Paris CA Properties dialog box, click Recovery Agents.
   Note: The current status of the certificate is Valid.
   Info: The CA will use the public key of this certificate to encrypt the private encryption key for any certificate request that includes key archival. The CA stores the archived key only in this encrypted form, so recovering it takes two parties: a certificate manager to export the blob from the CA database, and the recovery agent to decrypt it with her private key.
i. Click Cancel to close the Paris CA Properties dialog box.
j. Close Certification Authority.

7. We also need to configure our encryption certificate template to allow for the use of a recovery agent and to make users reenroll the certificate.

a. Click Start | Run.
b. In the Run dialog box, type certtmpl.msc and click OK.
   Note: The current configuration version number of the EFS Advanced certificate template is 100.3.
c. In Certificate Templates, right-click the EFS Advanced certificate template and click Properties.
d. In the EFS Advanced Properties dialog box, click Request Handling, click to enable the Archive subject's encryption private key check box, click Apply and click OK.
   Note: The current configuration version number is increased to 100.4.
e. Right-click the EFS Advanced certificate template and click Reenroll All Certificate Holders.
   Note: The current configuration version number is increased to 101.0.
   Info: An increase in the major version number (from 100 to 101) causes all certificate holders to renew the certificate before the configured renewal period. This matters because key archival only happens at enrollment: the private key behind Eric's existing 100.3 certificate was never sent to the CA, so only the certificate obtained after reenrollment will have an archived key.
f. Close Certificate Templates.

Complete the following 6 tasks on Madrid.

8. Now we will log on as our certificate user so that we can reenroll his EFS certificate.

a. In the My Machines browser, click Madrid.
b. Click Start | Log Off.
c. In the Log Off Windows message box, click Log Off to confirm that you want to log off.
d. In the Log On to Windows dialog box, type Eric in the User name box and Password1 in the Password box and click OK to log on.

9. We use the Certificates console to verify the autoenrollment of the new version (101.0) of the EFS Advanced certificate for Eric.

a. Click Start | Run.
b. In the Run dialog box, type certmgr.msc and click OK.
c. In the Certificates console, expand Personal and, in the left pane, select Certificates.
d. Right-click Certificates and click Refresh.
e. Right-click the certificate issued to Eric by Paris CA and click Open.
f. In the Certificate dialog box, click Details, scroll down and select the Certificate Template Information field.
   Note: The certificate is based on the EFS Advanced certificate template, configuration version 101.0. If the configuration version is still 100.3, click OK to close the Certificate dialog box, and repeat the steps starting with the Refresh command.
g. Scroll down and select the Thumbprint field.
   Note: The thumbprint of the certificate is not the same as the one used to encrypt the Plan2004 text document earlier.
h. Scroll up and select the Public key field.
   Note: This is the public key of the new certificate. Remember the right-most two byte values on the first row to compare with the original public key in the next steps. (The left-most two bytes are always 30 81 for the 1024-bit RSA keys used in this lab: they are the DER SEQUENCE header of the encoded key, not key material.)
i. Click OK to close the Certificate dialog box.
j. In Certificates, in the left pane, select Certificates - Current User.
k. Right-click Certificates - Current User, point to View and click Options.
l. In the View Options dialog box, click to select the Archived certificates check box and click OK.
m. Expand Personal and, in the left pane, select Certificates.
   Note: In the right pane, both the current and the archived certificates for Eric are listed.
   Info: The use of the term "archived" here means that a newer certificate has been enrolled and the older one is flagged archived in the user's store. It is unrelated to private key archival in the Certification Authority.
n. In the right pane, scroll to the right, right-click the Encrypting File System certificate that has the letter A (archived) in the Status column and click Open.
o. In the Certificate dialog box, click Details and select the Public key field.
   Note: The public key, and thus the private key, for the archived certificate (version 100.3) is not the same as the one in the new certificate (version 101.0). The public key in the archived certificate is the key that was used to encrypt the Plan2004 text document.
p. Click OK to close the Certificate dialog box.
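Tasks 7 and 10 of Exercise 1 and task 9 above all read the Certificate Template Information field, the thumbprint and the public key by hand in the Details tab. The following PowerShell script is an added example, not part of the Microsoft lab, that decodes the same extension (OID 1.3.6.1.4.1.311.21.7, a DER SEQUENCE of template OID, major version and optional minor version) directly from the certificate bytes and lists the current user's Personal store, including the certificates the console flags as archived, so the 100.3 and 101.0 certificates can be told apart from a prompt. The two DER byte strings in $Samples are constructed, and the template OID inside them is made up.

```powershell
# Added example (not from the Microsoft lab): decode the Certificate Template
# Information extension that the Details tab renders as "Template=..., Major
# Version Number=..., Minor Version Number=...".
#   CertificateTemplate ::= SEQUENCE { templateID OBJECT IDENTIFIER,
#                                      templateMajorVersion INTEGER,
#                                      templateMinorVersion INTEGER OPTIONAL }
$OID_TEMPLATE_INFO = '1.3.6.1.4.1.311.21.7'

function Read-DerTlv {
    # Tag, content offset and content length of the TLV at $Offset
    # (handles DER short-form and long-form lengths).
    param([byte[]]$Der, [int]$Offset)
    $tag = [int]$Der[$Offset]; $len = [int]$Der[$Offset + 1]; $hdr = 2
    if ($len -band 0x80) {
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Der[$Offset + 2 + $i] }
        $hdr += $n
    }
    [pscustomobject]@{ Tag = $tag; Start = $Offset + $hdr; Length = $len }
}

function Get-DerContent {
    param([byte[]]$Der, $Tlv)
    [byte[]]$Der[$Tlv.Start..($Tlv.Start + $Tlv.Length - 1)]
}

function ConvertFrom-DerOid {
    # First byte encodes the first two arcs; the rest are base-128 with a continuation bit.
    param([byte[]]$Bytes)
    $first = [int]$Bytes[0]
    $arcs = if ($first -ge 80) { @(2, $first - 80) } else { @([math]::Floor($first / 40), $first % 40) }
    $v = 0
    for ($i = 1; $i -lt $Bytes.Length; $i++) {
        $v = ($v -shl 7) -bor ($Bytes[$i] -band 0x7F)
        if (($Bytes[$i] -band 0x80) -eq 0) { $arcs += $v; $v = 0 }
    }
    ($arcs | ForEach-Object { [string]$_ }) -join '.'
}

function ConvertFrom-DerUInt {
    # Small non-negative INTEGER (template versions fit easily).
    param([byte[]]$Bytes)
    $v = 0; foreach ($b in $Bytes) { $v = ($v -shl 8) -bor [int]$b }; $v
}

function ConvertFrom-TemplateInfo {
    param([byte[]]$Der)
    $seq = Read-DerTlv $Der 0
    if ($seq.Tag -ne 0x30) { throw ('expected SEQUENCE, got tag 0x{0:X2}' -f $seq.Tag) }
    $end    = $seq.Start + $seq.Length
    $oidTlv = Read-DerTlv $Der $seq.Start
    $majTlv = Read-DerTlv $Der ($oidTlv.Start + $oidTlv.Length)
    $major  = ConvertFrom-DerUInt (Get-DerContent $Der $majTlv)
    $minor  = 0
    $next   = $majTlv.Start + $majTlv.Length
    if ($next -lt $end) { $minor = ConvertFrom-DerUInt (Get-DerContent $Der (Read-DerTlv $Der $next)) }
    [pscustomobject]@{
        TemplateOid = ConvertFrom-DerOid (Get-DerContent $Der $oidTlv)
        Version     = '{0}.{1}' -f $major, $minor
    }
}

function Get-MyTemplateVersions {
    # Lists the current user's Personal store like certmgr.msc does; -Archived
    # includes the certificates the console marks with "A" after reenrollment.
    param([switch]$Archived)
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly
    if ($Archived) { $flags = $flags -bor [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open($flags)
    try {
        foreach ($c in $store.Certificates) {
            $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq $OID_TEMPLATE_INFO }
            if (-not $ext) { continue }
            $info = ConvertFrom-TemplateInfo $ext.RawData
            [pscustomobject]@{
                Subject    = $c.Subject
                Issuer     = $c.Issuer
                Thumbprint = $c.Thumbprint
                Template   = $info.TemplateOid
                Version    = $info.Version
                Archived   = $c.Archived
                PublicKey  = ($c.GetPublicKey()[0..7] | ForEach-Object { $_.ToString('X2') }) -join ' '  # "30 81 89 ..." for RSA-1024
            }
        }
    } finally { $store.Close() }
}

# CONSTRUCTED samples; the template OID 1.3.6.1.4.1.311.21.8.1.2.3 inside them is made up.
$Samples = [ordered]@{
    'before reenrollment' = [byte[]](0x30,0x14, 0x06,0x0C,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x15,0x08,0x01,0x02,0x03, 0x02,0x01,0x64, 0x02,0x01,0x03)
    'after reenrollment'  = [byte[]](0x30,0x14, 0x06,0x0C,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x15,0x08,0x01,0x02,0x03, 0x02,0x01,0x65, 0x02,0x01,0x00)
}
foreach ($k in $Samples.Keys) {
    $info = ConvertFrom-TemplateInfo $Samples[$k]
    '{0}: template {1}, configuration version {2}' -f $k, $info.TemplateOid, $info.Version
}
# On Madrid as Eric:  Get-MyTemplateVersions -Archived | Format-Table Version, Archived, Thumbprint, PublicKey -AutoSize
```

The two constructed samples decode to configuration versions 100.3 and 101.0, the values the lab expects before and after Reenroll All Certificate Holders. The live listing shows the same distinction, and the PublicKey column makes the comparison from step o (different key under the archived certificate) visible without opening each certificate; the template display name is not in the extension itself, only its OID, so mapping it to EFS Advanced still needs the console or the template object in Active Directory.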

10. Before we "lose" Eric's private key, we want to verify that we can still read the contents of the Plan2004 text document.

a. Click Start | My Documents.
b. In the My Documents folder, double-click Plan2004.
   Note: Even though the certificate has changed, Notepad opens the Plan2004 file and displays the content.
c. Close Notepad.
d. Right-click Plan2004 and click Properties.
e. In the Plan2004 Properties dialog box, click Advanced.
f. In the Advanced Attributes dialog box, click Details.
   Note: Explorer has automatically updated the certificate thumbprint to that of the new EFS Advanced certificate. The archived certificate's private key was used to decrypt the file encryption key, which has then been re-encrypted with the new certificate's public key. This rekeying only happens to files that are opened; files that are never opened again stay tied to the old certificate.
   Info: You can use the cipher.exe /u command to update all encrypted files on the local drives to the current EFS certificate in one pass (cipher.exe /u /n only lists the files that would be updated, without changing them).
g. Click Cancel to close the Encryption Details dialog box.
h. Click OK to close the Advanced Attributes dialog box.
i. Click OK to close the Plan2004 Properties dialog box.
j. Close the My Documents folder.

11. Use the Certificates console to "lose" the EFS private key for Eric.

a. Scroll right, right-click the latest Encrypting File System certificate and click Delete.
b. Click Yes to confirm deletion.
c. Right-click the Encrypting File System certificate that has the letter A in the Status column and click Delete.
d. Click Yes to confirm deletion.
e. Close the Certificates console.
   Note: Deleting the certificates here also removes the private keys they reference. This is the lab's stand-in for a real loss, such as a reimaged workstation or a corrupted user profile.

12. We need to log off and log back on to make sure that the certificate has been "lost" from the cached certificates.

a. Click Start | Log Off.
b. In the Log Off Windows message box, click Log Off to confirm that you want to log off.
   Note: When Eric is logged off, cached certificates are removed.
c. Press Right-ALT + DEL.
d. In the Log On to Windows dialog box, type Eric in the User name box and Password1 in the Password box and click OK to log on.
   Note: Autoenrollment automatically provides Eric with a new EFS Advanced certificate, but this one cannot be used to access previously encrypted files.

13. In the My Documents folder, verify that you can no longer access the contents of the Plan2004 text document.

a. Click Start | My Documents.
b. In the My Documents folder, double-click Plan2004.
   Note: You are not able to decrypt the contents of the Plan2004 file. Notepad displays a message box stating that access is denied.
c. Click OK to confirm that access is denied.
d. Close Notepad.
e. Close the My Documents folder.

Complete the following 3 tasks on Paris.

14. In the next steps the Key Recovery Agent is used to restore the lost private key for Eric. This is different from using the Data Recovery Agent, which would only reinstate access to the contents (data) of the encrypted Plan2004 file. First we use the CA to obtain the serial number for the archived private key of Eric's EFS Advanced certificate.

a. In the My Machines browser, click Paris.
b. Click Start | Administrative Tools and click Certification Authority.
c. In the Certification Authority console, expand Paris CA and select Issued Certificates.
d. Right-click Issued Certificates, point to View and click Add/Remove Columns.
e. In the Add/Remove Columns dialog box, in the Available columns list box, select Archived Key and click Add.
f. In the Displayed columns list box, ensure that Archived Key is selected and click Move Up until it is the third column in the list (after Request ID and Requester Name).
g. Click OK to close the Add/Remove Columns dialog box.
   Note: The value Yes in the Archived Key column indicates that the private key for this certificate is archived on the CA. Only certificates issued after the template change in task 7 show Yes; Eric's original 100.3 certificate has no archived key, which is why the next step picks the certificate by that column rather than by name alone.
h. Right-click the first EFS Advanced certificate that is requested by CONTOSO\Eric and has an archived private key and click Open.
i. In the Certificate dialog box, click Details and select the Serial number field.
j. Press Tab to select the serial number in the text box.
k. Press CTRL+C to copy the selected serial number to the clipboard.
l. Click OK to close the Certificate dialog box.

15.  Use the certutil –getkey

command to retrieve the

archived private key

recovery blob into the file

C:\erickey.blob.

a.  Click Start | Command Prompt.

b.  Type cd \ and press Enter.

c.  At the C:\> prompt, type certutil.exe -getkey ", right-click in the black window area, click Paste and type " erickey.blob and press Enter. (The completed command reads certutil.exe -getkey "<serial number>" erickey.blob.)

Note: The -getkey command retrieved the archived private key for Eric and saved it with the certificate in the file C:\erickey.blob. The private key in the file is still encrypted with the public key of the Key Recovery Agent certificate of Kim (Recipient Info[0]).

d.  Type certutil.exe -recoverkey erickey.blob erickey.pfx and press Enter.

Note: The last two lines of the output indicate that the -recoverkey command failed. This is the command that is needed to recover the encrypted private key from the erickey.blob file, but only the key recovery agent can decrypt the contents of the file.

16.  Transfer the C:\erickey.blob file to the C:\keyrecovery folder on the Madrid computer, so that Kim can recover the private key for Eric.

a.  Type md \\madrid\c$\keyrecovery\ and press Enter.

b.  Type move erickey.blob \\madrid\c$\keyrecovery\ and press Enter.

c.  Close Command Prompt.

d.  Close Certification Authority.

Complete the following 5 tasks on: Madrid

17.  Now our key recovery agent needs access to the blob file we just created. We will log on with her credentials to perform the necessary operations.

a.  In the My Machines browser click Madrid.

b.  Click Start | Log Off.

c.  In the Log Off Windows message box, click Log Off to confirm that you want to log off.

d.  In the Log On to Windows dialog box, type Kim in the User name box and Password2 in the Password box and click OK to log on.


18.  Now we use the certutil -recoverkey command to recover the archived private key into the password protected file erickey.pfx.

a.  Click Start | All Programs | Accessories | Command Prompt.

b.  In the Command Prompt window, type cd \keyrecovery and press Enter.

c.  Type dir and press Enter.

Note: The erickey.blob file is in the C:\keyrecovery folder.

d.  Type certutil.exe -recoverkey erickey.blob erickey.pfx and press Enter.

e.  At the Enter new password: prompt, type Password3 and press Enter.

 Note: The cursor will not move when you type the password.

f.  At the Confirm new password: prompt, type Password3 and press Enter.

g.  Type dir and press Enter.

Note: The -recoverkey command recovered the archived private key for Eric and saved it with the certificate in the file erickey.pfx. The file is protected with the password Password3.

h.  Close Command Prompt.

19.  Now we need access as Eric to recover his private key.

a.  Click Start | Log Off.

b.  In the Log Off Windows message box, click Log Off to confirm that you want to log off.

c.  Press Right-ALT + DEL.

d.  In the Log On to Windows dialog box, type Eric in the User name box and Password1 in the Password box and click OK to log on.

20.  Using the Certificates console we can import the private key and certificate from the erickey.pfx file.

a.  Click Start | Run.

b.  In the Run dialog box, type certmgr.msc and click OK.

c.  In the Certificates console, expand Personal and, in the left pane, select Certificates.

Note: In the right pane, a new autoenrolled EFS Advanced certificate is listed.

d.  Right-click the EFS Advanced certificate and click Delete.

e.  Click Yes to confirm deletion.

f.  In the left pane, right-click Certificates, point to All Tasks and click Import.

g.  On the Welcome to the Certificate Import Wizard screen, click Next.

h.  On the File to Import screen, type C:\keyrecovery\erickey.pfx in the File name text box and click Next.

i.  On the Password screen, type Password3 in the Password box, click to select the Mark this key as exportable check box and click Next.

j.  On the Certificate Store screen, click Next.

Note: The certificates in the erickey.pfx file are placed in the Personal store.

k.  On the Completing the Certificate Import Wizard screen, click Finish.

l.  Click OK to confirm that the import was successful.

Note: The erickey.pfx file contains the EFS Advanced certificate with the restored private key and a copy of the Paris CA root certificate.


m.  Right-click the Paris CA root certificate and click Delete.

n.  Click Yes to confirm that you wish to delete this certificate.

o.  Right-click the EFS Advanced certificate and click Open.

 Note: You have a (restored) private key that corresponds to this certificate.

p.  In the Certificate dialog box, click Details, scroll down and select the Thumbprint field.

Note: This is the same certificate thumbprint that is listed with the Plan2004 text document.

q.  Click OK to close the Certificate dialog box.

r.  Close Certificates.
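As an added example (not part of the original lab and not Microsoft's own tooling), here is the command-line part of steps 15 to 18 together with the import of step 20, written as PowerShell functions around certutil.exe. The names are the lab's (Paris CA on Paris, the \\madrid\c$\keyrecovery share on Madrid, Kim as Key Recovery Agent, Eric as the user); the serial number is still read from the Certification Authority console as in step 14. Assumptions: a PowerShell host with certutil.exe on the path; that certutil accepts the PFX password through -p so that -recoverkey does not prompt; and that -importpfx is available, which holds for later certutil builds but may not for the lab's Server 2003 image, where the Certificate Import Wizard of step 20 remains the way to import.

```powershell
# Added example, not from the original lab: scripted key recovery with certutil.exe.
# Names (Paris CA, Madrid, Kim, Eric, paths) are the lab's; the -p and -importpfx
# switches are assumed to be available (see the lead-in).

function Export-ArchivedKeyBlob {
    # Run on Paris as a CA administrator (lab step 15).
    param(
        [string]$SerialNumber,                   # copied from Issued Certificates, step 14 j-k
        [string]$CaConfig = 'Paris\Paris CA',    # "<server>\<CA common name>"
        [string]$BlobPath = 'C:\erickey.blob'
    )
    if (-not $SerialNumber) { throw 'SerialNumber is required' }
    # -getkey writes the certificate plus the archived private key, still
    # encrypted to the Key Recovery Agent's public key, into the blob file.
    certutil.exe -config $CaConfig -getkey $SerialNumber $BlobPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed for serial $SerialNumber" }
    return $BlobPath
}

function Send-BlobToKeyRecoveryAgent {
    # Run on Paris (lab step 16): hand the blob to the KRA's folder on Madrid.
    # Only the KRA's private key can open it, which is why moving it over the
    # admin share does not expose Eric's key.
    param(
        [string]$BlobPath  = 'C:\erickey.blob',
        [string]$KraFolder = '\\madrid\c$\keyrecovery'
    )
    if (-not (Test-Path $KraFolder)) { New-Item -ItemType Directory -Path $KraFolder | Out-Null }
    Move-Item -Path $BlobPath -Destination $KraFolder -Force
    return (Join-Path $KraFolder (Split-Path $BlobPath -Leaf))
}

function Restore-ArchivedKey {
    # Run on Madrid logged on as Kim, the Key Recovery Agent (lab step 18).
    param(
        [string]$BlobPath = 'C:\keyrecovery\erickey.blob',
        [string]$PfxPath  = 'C:\keyrecovery\erickey.pfx',
        [string]$PfxPassword                     # protects the private key inside the PFX
    )
    if (-not (Test-Path $BlobPath)) { throw "Recovery blob not found: $BlobPath" }
    if (-not $PfxPassword)          { throw 'PfxPassword is required' }
    # -p supplies the password non-interactively (assumed switch; replaces the two
    # prompts of step 18 e-f). This fails for any logon that is not the KRA,
    # exactly as step 15 d showed on Paris.
    certutil.exe -p $PfxPassword -recoverkey $BlobPath $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -recoverkey failed: is this logon the Key Recovery Agent?' }
    return $PfxPath
}

function Import-RecoveredKey {
    # Run on Madrid logged on as Eric (lab step 20). The PFX holds his private
    # key protected only by the password, so it is removed once it is in the store.
    param(
        [string]$PfxPath = 'C:\keyrecovery\erickey.pfx',
        [string]$PfxPassword,
        [string]$ExpectedThumbprint              # optional: value recorded on Plan2004 (step 20 p)
    )
    certutil.exe -user -p $PfxPassword -importpfx $PfxPath | Out-Null   # assumed switch
    if ($LASTEXITCODE -ne 0) { throw 'certutil -importpfx failed' }
    Remove-Item -Path $PfxPath -Force

    # Confirm the Personal store now holds a certificate with a usable private key
    # and, when given, that its thumbprint matches the one on the encrypted file.
    $restored = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
    if (-not $restored) { throw 'No certificate with a private key in the Personal store' }
    if ($ExpectedThumbprint) {
        $wanted = $ExpectedThumbprint -replace '\s', ''
        $match  = $restored | Where-Object { $_.Thumbprint -ieq $wanted }
        if (-not $match) { throw "No restored key matches thumbprint $ExpectedThumbprint" }
        return $match
    }
    return $restored
}

# Usage, one call per logon, in the order of the lab:
#   Paris  (CA admin): Export-ArchivedKeyBlob -SerialNumber '<serial from step 14>'; Send-BlobToKeyRecoveryAgent
#   Madrid (Kim):      Restore-ArchivedKey -PfxPassword 'Password3'
#   Madrid (Eric):     Import-RecoveredKey -PfxPassword 'Password3' -ExpectedThumbprint '<from Plan2004 details>'
```

Two points of the lab are handled differently here. Passing the PFX password on the command line makes it visible in process listings and shell history, which the interactive prompts of step 18 avoid; and the wizard's "Mark this key as exportable" choice of step 20 is not made, so the script only verifies that the store holds a certificate whose private key is usable and whose thumbprint matches the one recorded on the encrypted file.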

21.  Using the recovered key we can again access the contents of the Plan2004 text document.

a.  Click Start | My Documents.

b.  In the My Documents folder, double-click Plan2004.

Note: Notepad opens the Plan2004 file. You can read the content of the file. You have successfully restored the private key that is needed to decrypt the file.

c.  Close Notepad.

d.  Close the My Documents folder.