EFS security

Discussion in 'MCSE' started by Bay, Oct 21, 2003.

  1. Bay

    Bay Guest

    EFS seems safe under NTFS partitions but it will lose the functionality
    if they are moved to FAT partition? If that is the case, then someone who
    is not recovery agent can decrypt the file by moving the file to FAT
    partition? Just a thought...
    Bay, Oct 21, 2003
    #1

  2. Bay

    Marty Guest

    well that's where ntfs permissions come into play, if the person does not
    have rights to open the encrypted file they should not have permissions to
    open the directory where the file is stored, therefore they cannot move the
    files.


    "Bay" <> wrote in message
    news:ig1lb.191708$%h1.185668@sccrnsc02...
    > EFS seems safe under NTFS partitions but it will lose the functionality
    > if they are moved to FAT partition? If that is the case, then someone who
    > is not recovery agent can decrypt the file by moving the file to FAT
    > partition? Just a thought...
    Marty, Oct 21, 2003
    #2

  3. Bay

    Bay Guest

    The default settings allow a backup operator to back up and restore encrypted
    files even if he doesn't have the NTFS permission rights on the directory,
    right? If the backup operator backs up the encrypted file and restores it to
    the FAT32 partition, is he able to access the file from that point?

    Secondly, what's the point of encrypting the file if the unauthorized users
    don't have rights to open the directory in the first place when NTFS
    permissions come into play as you said earlier? If the NTFS permission is in
    place (remove the default everything group and the ACL is configured for the
    authorized user only), unauthorized people wouldn't be able to log in to the
    stolen laptop and access the directory. So do you think encrypting files is
    redundant? If the unauthorized person figures out the password and logs in to
    the laptop as the authorized user, he will have access to both the directory
    granted by NTFS permission and the encrypted files anyway.

    So it seems to me encrypting files is not really that useful and secure.
    Please correct me if I am wrong because I am kinda confused about the
    usefulness of the EFS feature.

    "Marty" <> wrote in message
    news:KE2lb.63816$-kc.rr.com...
    > well that's where ntfs permissions come into play, if the person does not
    > have rights to open the encrypted file they should not have permissions to
    > open the directory where the file is stored, therefore they cannot move the
    > files.
    >
    > "Bay" <> wrote in message
    > news:ig1lb.191708$%h1.185668@sccrnsc02...
    > > EFS seems safe under NTFS partitions but it will lose the functionality
    > > if they are moved to FAT partition? If that is the case, then someone who
    > > is not recovery agent can decrypt the file by moving the file to FAT
    > > partition? Just a thought...
    Bay, Oct 21, 2003
    #3
  4. Bay

    Guest Guest

    >-----Original Message-----
    >well that's where ntfs permissions come into play, if the person does not
    >have rights to open the encrypted file they should not have permissions to
    >open the directory where the file is stored, therefore they cannot move the
    >files.
    >
    >"Bay" <> wrote in message
    >news:ig1lb.191708$%h1.185668@sccrnsc02...
    >> EFS seems safe under NTFS partitions but it will lose the functionality
    >> if they are moved to FAT partition? If that is the case, then someone who
    >> is not recovery agent can decrypt the file by moving the file to FAT
    >> partition? Just a thought...
    Guest, Oct 21, 2003
    #4
  5. Bay

    tenubracon Guest

    "Bay" <> wrote in message news:<ig1lb.191708$%h1.185668@sccrnsc02>...
    > EFS seems safe under NTFS partitions but it will lose the functionality
    > if they are moved to FAT partition? If that is the case, then someone who
    > is not recovery agent can decrypt the file by moving the file to FAT
    > partition? Just a thought...




    Not surprisingly, MS thought of this one. In order to move a file, you
    need to be in possession of the private key that corresponds to the
    public key that was used in the initial encryption process. If you
    don't have it, you can't move the file. Try it and see.
    tenubracon, Oct 21, 2003
    #5
  6. Bay

    Herb Martin Guest

    Someone claimed incorrectly that permission mattered but
    that isn't really the true story with EFS.

    Without the key, even an administrator (assuming not an EFS
    recovery agent) cannot access the file, no move, copy, read,
    etc. -- despite the permissions.

    You can even prevent the EFS Recovery Agent from "cheating"
    day to day by exporting the certificate with private key and deleting
    that private key from the machine.

    By storing that certificate/key in a secure location under the control
    of a security auditor or executive (not an admin) you can even prevent
    the EFS recovery agent from accessing the file -- until the recovery is
    needed and the saved key/certificate is brought back to the machine.

    BTW, it only takes about 5 minutes to test this -- two users, full control
    for each, one encrypt, try to access as the other.

    --
    Herb Martin
    Herb Martin, Oct 21, 2003
    #6
  7. Bay

    tenubracon Guest

    Imagine you have a laptop with sensitive documents on it. Someone
    steals the laptop, works out your password and then logs on. As far as
    the computer is concerned, the thief is you, it cannot tell the
    difference. Of course, although you had set permissions to prevent
    other people accessing your files, you had allowed yourself access.
    Because the thief is logged on as you, they have access to your files.
    This is where EFS comes in.
    EFS encrypts files using an encryption key called the File Encryption
    Key (FEK). When the user who encrypted the file wants to read it, this
    key is needed by the system in order to decrypt the file. The FEK is
    therefore stored alongside the encrypted file. This means that the
    key is available to anyone who wants to access it, of course, and thus
    that the file is available too.
    To secure the FEK, the FEK is itself encrypted. The key that is used
    to do this is called a public key.
    A public key is one half of a 'key pair'. The other half is called the
    private key. Each user has their own public / private key pair that is
    unique to them. The public key is used to encrypt and the private key
    is used to decrypt. Something encrypted by one user's public key can
    only be decrypted by that same user's private key (leaving the DRA to
    one side for this discussion). No other user's private key can decrypt
    it.
    Going back to the encryption process, then, when a user encrypts a
    file, that user's public key is used to encrypt the FEK and that same
    user's private key can be used to decrypt it. Once decrypted, the FEK
    will be used to decrypt the file. In order to do all of this, the
    computer needs access to the user's key pair, so they are stored in
    the user's profile. Whenever the user logs on, its profile is loaded,
    so the keys are available to the system.
    So, is the file on the stolen laptop any more secure ? No, not
    really, because in order to access the files, all the thief needs to
    do is log on as the user (having cracked the user's password). The
    user profile (containing the key pair) loads, so when the thief clicks
    on the encrypted file, the private key is available and is used to
    decrypt the FEK, the FEK decrypts the file and the thief is in.
    To actually make this work, an extra step is needed. Once you have
    encrypted the file, you must remove the private key from the system
    (this is called exporting the private key). If the private key is not
    available, the file cannot be accessed EVEN IF THE THIEF HAS LOGGED ON
    AS THE USER. Storing the private key and the encrypted data separately
    is how EFS makes your data more secure.
    Of course, you still need access to your data (assuming the laptop
    hasn't been stolen !). To gain access, you will have to import the
    private key back to the system before accessing the file. Once you
    have finished, you export the file again. It's a hassle, but if used
    correctly, EFS definitely does make a difference.

    As for simply copying an encrypted file to a FAT partition in order to
    access it, this is not possible without the private key and hence not
    a problem if you have exported that key.
    The backup issue is also not a problem as backing up a file means
    essentially taking the raw data off the disk and putting it somewhere
    else. For your encrypted files, raw data means the files remain in
    exactly the form they took when on the NTFS partition - that is,
    encrypted. As long as the private key is not present, the data is
    still safe as it cannot be decrypted.
    Hope this helps. The Step by Step guide to EFS on the MS web site is
    also very useful.
    tenubracon, Oct 21, 2003
    #7
  8. Bay

    Herb Martin Guest

    The solution to the "breaks your password" is:

    Require a SmartCard for logon (disabling normal password)
    Keep the Smartcard separate from the machine
    Consider exporting certificate and deleting private user key while
    "in transit" -- keeping the cert/key on a separate floppy for
    restoration at the destination (or sending by separate means.)

    Both presume you have deleted the EFS Recovery Agent's private
    key (after storing it securely.)

    --
    Herb Martin
    Herb Martin, Oct 21, 2003
    #8
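
A way to audit the state the posts above describe, as an added example that is not part of the original thread: it lists EFS and recovery certificates in the logged-on user's store, shows whether each still has its private key on the machine, and asks `cipher /c` who can decrypt each encrypted file. The `$Path` default is an assumption; point it at the folder you want to check.

```powershell
# Added example (not from the thread). Audits two things the posts discuss:
# whether an EFS private key is still present in this profile, and which
# files are EFS-encrypted and for whom.
param(
    [string]$Path = "$env:USERPROFILE\Documents"   # assumed folder to audit
)

$efsOid = '1.3.6.1.4.1.311.10.3.4'     # EKU: Encrypting File System
$draOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery (recovery agent)

# 1. Certificates in the current user's store marked for EFS or recovery.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $efsOid -or
    $_.EnhancedKeyUsageList.ObjectId -contains $draOid
}

foreach ($c in $certs) {
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Subject
        HasPrivateKey = $c.HasPrivateKey   # True = key is still on this machine
        NotAfter      = $c.NotAfter
    }
}

# 2. Files under $Path that carry the NTFS Encrypted attribute.
$encrypted = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

# 3. For each file, cipher.exe lists the users and recovery certificates
#    (by thumbprint) whose private keys can unwrap the file's FEK.
foreach ($f in $encrypted) {
    "--- $($f.FullName)"
    cipher /c $f.FullName
}

# 4. Summary: after an export-and-delete, the key count should be 0.
$keysPresent = @($certs | Where-Object { $_.HasPrivateKey }).Count
"{0} encrypted file(s); {1} EFS/recovery private key(s) present in this profile." -f
    @($encrypted).Count, $keysPresent
```

Compare the thumbprints printed by `cipher /c` with the certificate list: any match with `HasPrivateKey` set to True means a logon as that user can still open the file.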
  9. Bay

    Bay Guest

    Herb,

    Thanks for the info. You answered all my concerns.

    "Herb Martin" <> wrote in message
    news:...
    > Someone claimed incorrectly that permission mattered but
    > that isn't really the true story with EFS.
    >
    > Without the key, even an administrator (assuming not an EFS
    > recovery agent) cannot access the file, no move, copy, read,
    > etc. -- despite the permissions.
    >
    > You can even prevent the EFS Recovery Agent from "cheating"
    > day to day by exporting the certificate with private key and deleting
    > that private key from the machine.
    >
    > By storing that certificate/key in a secure location under the control
    > of a security auditor or executive (not an admin) you can even prevent
    > the EFS recovery agent from accessing the file -- until the recovery is
    > needed and the saved key/certificate is brought back to the machine.
    >
    > BTW, it only takes about 5 minutes to test this -- two users, full control
    > for each, one encrypt, try to access as the other.
    >
    > --
    > Herb Martin
    >
    >
    Bay, Oct 21, 2003
    #9
  10. circa Tue, 21 Oct 2003 02:57:18 GMT, in
    microsoft.public.cert.exam.mcse, Bay () said,
    >
    > EFS seems safe under NTFS partitions but it will lose the functionality
    > if they are moved to FAT partition? If that is the case, then someone who
    > is not recovery agent can decrypt the file by moving the file to FAT
    > partition? Just a thought...
    >

    Not even close.

    Laura
    --
    I find that the further I go back, the better things were, whether
    they happened or not.
    -Mark Twain
    Laura A. Robinson, Oct 21, 2003
    #10