4714 Encrypted data recovery policy was changed
Logged when the EFS (Encrypting File System) Data Recovery Agent (DRA) policy is changed. It relates to managing the recovery key that can decrypt encrypted files.
Overview
The subcategory is Audit Other Policy Change Events. It is generated when the EFS (Encrypting File System: a Windows feature that transparently encrypts files) Data Recovery Agent (DRA: a recovery certificate/key that can decrypt encrypted files) policy or certificate is changed.
How it is triggered
- When a DRA certificate or DRA policy is changed on the computer/device.
- A change to the EFS recovery policy via Group Policy.
Security review points
- The DRA is a powerful key that can decrypt any file encrypted with EFS. If an attacker adds their own certificate to the DRA, they can read the contents of encrypted files. Investigate an unexpected DRA policy change.
- Conversely, illicit removal of the DRA can create unrecoverable data. Check the direction of the change (add/remove) and the target certificate.
Notes for log review
- It is a rare change. Distinguish legitimate PKI/EFS operational changes from unexpected ones.
- Record the subject (account) that made the change and the target certificate, and reconcile them against EFS/PKI operational change records.
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that changed the policy |
| Recovery policy/certificate information | The changed DRA content |
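The review notes above call for recording who changed the DRA policy and reconciling that against an approved operator list. The following PowerShell script is an added example, not part of the original page: it parses a 4714 event's XML into a flat object, flags any subject that is not on an approved list, and wraps `Get-WinEvent` for live collection. The approved account names, the host name, SID, logon ID and timestamp in the sample record are all constructed placeholders, and the `Subject*` EventData field names are assumed to follow the usual Security-log convention; every EventData field is also kept in `AllFields` so nothing the real event carries is dropped.

```powershell
# Added example (not from the original page): triage Security event 4714 by listing
# who changed the EFS DRA policy and flagging subjects that are not approved operators.
# Account names below are hypothetical placeholders.

$ApprovedDraOperators = @('CONTOSO\pki-admin', 'CONTOSO\efs-ops')  # assumption: your authorised accounts

function ConvertFrom-DraPolicyChangeXml {
    # Parses one event's XML (as returned by EventLogRecord.ToXml()) into a flat object.
    # All EventData fields are kept in AllFields; the Subject* names are assumed.
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) {
        # GetAttribute is used because $d.Name would return the node name "Data"
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }
    $subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    [pscustomobject]@{
        TimeCreated = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer    = $x.Event.System.Computer
        Subject     = $subject
        LogonId     = $data['SubjectLogonId']
        Unexpected  = -not ($ApprovedDraOperators -contains $subject)  # case-insensitive
        AllFields   = $data
    }
}

function Get-DraPolicyChangeReport {
    # Pulls 4714 events from the Security log for the last $Days days and flags unexpected subjects.
    # Requires read access to the Security log and "Audit Other Policy Change Events" enabled.
    param([int]$Days = 30, [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4714; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-DraPolicyChangeXml -EventXml $_.ToXml() } |
        Sort-Object TimeCreated
}

# Constructed sample record so the parser can be exercised offline; the host, SID,
# logon ID and timestamp are made up and the EventData layout is an assumption.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4714</EventID>
    <TimeCreated SystemTime="2024-01-15T03:12:44.000000000Z"/>
    <Computer>fs01.contoso.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@

$sample = ConvertFrom-DraPolicyChangeXml -EventXml $sampleXml
$sample | Format-List TimeCreated, Computer, Subject, Unexpected
if ($sample.Unexpected) {
    Write-Warning "4714 on $($sample.Computer): DRA policy changed by $($sample.Subject), not an approved operator; reconcile with EFS/PKI change records."
}

# Live use on a domain member:
# Get-DraPolicyChangeReport -Days 90 | Where-Object Unexpected | Format-Table TimeCreated, Computer, Subject
```

Because a DRA change is rare, the useful output is the short list of `Unexpected` rows; each one should map to a documented PKI/EFS change (and the direction, add or remove, checked against the effective recovery policy), otherwise treat it as an incident lead.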
Glossary
- EFS / DRA — EFS is per-file encryption; the DRA is the “recovery key” that can decrypt those encrypted files.