[dba-Tech] Windows 2000/XP native folder/file encryption

Stuart McLachlan stuart at lexacorp.com.pg
Mon Jun 7 07:11:11 CDT 2004


On 7 Jun 2004 at 13:36, Gustav Brock wrote:

> Hi all
> 
> How secure is this? Or to put it in other words: how likely is it that
> someone picking up a lost laptop can not gain access to the content of
> your encrypted files?
> 

Doubtful security - see below.


> We have a client requesting this level of security but our experience
> with Windows 2000/XP native encryption is nil and we don't want to
> "sell" the client false security.
> 

A better bet for securing data is to use the freeware TrueCrypt. 
Get it while you can from http://www.freewebs.com/thinker2004/ 
There's currently a dispute going on over the technology between TrueCrypt and 
SecurStar, who bought Scramdisk and E4M and turned them into DriveCrypt, so 
www.truecrypt.org is currently down.

or the commercial PGPDisk (freeware if you pick up a version of PGP prior to 
v6.5)

Either of these will create a *very* secure partition or virtual drive on the 
laptop. Just use that drive to store all data. If you don't have the passphrase 
to open the virtual drive, not only can't you access the data, you can't even 
tell that there is any data to be recovered.

As for EFS:

From http://www.markusjansson.net/exp.html

There is very little reason to use EFS on a Win2k standalone installation since 
it does not offer real protection in Windows 2k. It is possible to reset the 
administrator's passphrase (even with Syskey enabled and stored on floppy) and 
log in as admin. This can be done by simply booting the computer into another 
operating system, deleting the SAM file and manipulating the registry so 
that Windows does not want to have Syskey during startup. If Syskey is not 
present, resetting the administrator's passphrase is much easier. The administrator 
can do many things and is the default recovery agent of EFS. In any case, once 
you have logged in as admin, you can decrypt all data encrypted with EFS on 
that computer.

In theory, it *is* possible in standalone Windows 2000 to have secure EFS, 
but it is very, very, very complicated to achieve. In theory, by exporting the 
administrator's recovery certificate or designating some other recovery agent 
AND implementing Syskey with a passphrase or floppy, it *might* be possible to 
prevent anyone from reading EFS encrypted files. It is always possible to log in 
as administrator, but if the administrator does not have the recovery keys, he 
can't decrypt EFS files... And since Syskey *prevents* tampering with the other 
accounts, it is in *theory* safe (if a hacker deletes the SAM file, then the other 
accounts lose their vital piece of information and can't be used, and therefore 
they can't get access to the private key). But in practice...well...who really 
knows? I STRONGLY recommend not to use EFS in Windows 2000 unless the computer 
is part of a domain and the settings/security policies are good and the actual 
computer where the certificates are stored is in a safe place so nobody can get 
physical access to it, and Syskey for each computer is stored as a passphrase or 
in floppy format. Use PGPdisk instead and you don't have to worry about these 
kinds of issues with Windows 2000!

-- 
Lexacorp Ltd
http://www.lexacorp.com.pg
Information Technology Consultancy, Software Development, System Support.
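The two failure modes the quoted page describes, an offline password reset that destroys the owner's key material versus a resident recovery agent that still holds a copy of the file key, can be modelled in a few lines. The following is an added Python illustration and is not code from the post, from the quoted page, or from EFS itself: it stands in for EFS's RSA/DPAPI key protection with PBKDF2 and HMAC-SHA256, the header fields are named after EFS's DDF (owner) and DRF (recovery agent) entries only by analogy, and every salt, key and passphrase is a constructed value.

```python
"""Toy model of EFS-style key escrow (added illustration, not EFS's real format).

A per-file key (FEK) is wrapped once under a key derived from the owner's logon
secret and, when a recovery agent is configured, once more under the agent's key.
Resetting the owner's password offline changes the derived key, so the owner's
copy becomes unreadable; the agent's copy, if present on the machine, still opens.
"""
import hashlib
import hmac

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Key a principal derives from its logon secret (stand-in for the DPAPI master key)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def wrap_fek(kek: bytes, fek: bytes) -> bytes:
    """Wrap a 32-byte FEK under kek: XOR with an HMAC-derived pad, then append an HMAC tag."""
    pad = hmac.new(kek, b"fek-wrap-pad", hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(fek, pad))
    tag = hmac.new(kek, body, hashlib.sha256).digest()
    return body + tag

def unwrap_fek(kek: bytes, blob: bytes):
    """Return the FEK if kek is correct, otherwise None (a wrong key fails the tag check)."""
    body, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()):
        return None
    pad = hmac.new(kek, b"fek-wrap-pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

def encrypt_file(owner_pw: str, owner_salt: bytes, fek: bytes, recovery_agent_key=None):
    """Build a file's key header: an owner entry ("ddf") and, if an agent is configured,
    a recovery-agent entry ("drf")."""
    header = {"ddf": wrap_fek(derive_key(owner_pw, owner_salt), fek)}
    if recovery_agent_key is not None:
        header["drf"] = wrap_fek(recovery_agent_key, fek)
    return header

def open_as_user(header, pw: str, salt: bytes):
    """What the owner's logon yields: the FEK only if the password still derives the same key."""
    return unwrap_fek(derive_key(pw, salt), header["ddf"])

def open_as_recovery_agent(header, agent_key: bytes):
    """What a recovery agent yields: the FEK only if an agent entry exists for this key."""
    if "drf" not in header:
        return None
    return unwrap_fek(agent_key, header["drf"])

def scenarios() -> dict:
    """Replay the cases from the quoted text; every value below is constructed."""
    salt = b"constructed-salt"
    fek = bytes(range(32))  # constructed; a real FEK is drawn at random
    admin_agent_key = hashlib.sha256(b"constructed admin recovery key").digest()

    # Machine A: default Win2k setup, the local Administrator is the recovery agent.
    hdr_a = encrypt_file("correct horse", salt, fek, admin_agent_key)
    # Machine B: the recovery certificate was exported and removed from the box.
    hdr_b = encrypt_file("correct horse", salt, fek, None)

    return {
        "owner_opens": open_as_user(hdr_a, "correct horse", salt) == fek,
        # Offline reset: the password is replaced without knowing the old one,
        # so the derived key (and with it the owner's copy of the FEK) is gone.
        "reset_password_opens": open_as_user(hdr_a, "attacker-set", salt) == fek,
        "admin_agent_opens_A": open_as_recovery_agent(hdr_a, admin_agent_key) == fek,
        "admin_agent_opens_B": open_as_recovery_agent(hdr_b, admin_agent_key) == fek,
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {ok}")
```

The model shows why the quoted advice hinges on the recovery agent: on machine A the password reset alone fails, but anyone who becomes Administrator recovers the FEK through the agent entry; on machine B, with the recovery certificate removed, neither the reset nor the agent path works, which is the configuration the page calls "in theory safe". A passphrase-protected container such as TrueCrypt or PGPDisk has no agent entry at all, so only the passphrase path exists.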