Re: Help with EFS
From: "Patrick Keenan" <test@dev.null>
| "h128" <nospam@nospamst.com> wrote in message
| news:48e6c245$0$1078$4fafbaef@reader2.news.tin.it...
>> Shenan Stanley wrote:
>>> h128 wrote:
>>>> Hello
>>>> (Apologies for crosspost, I do not know where to post it. Searched
>>>> something similar without result.)
>>>> I'm new to EFS.
>>>> I would understand how to use it and to expect from it. I have read
>>>> many sites and many theory but not much I have found in practice.
>>>> I have done the following things.
>>>> I have crypted some files using the property tab of a directory.
>>>> After, I have exported the private key in a separate file. I have
>>>> set the flag delete if successful export, and it told me something like
>>>> "you can not anymore delete or decrypt..."
>>>> I am confused now, because I CAN STILL open and do everything with
>>>> these files. So, what is the point of exporting and deleting the
>>>> key???
>>>> Maybe it has still it somewhere, I thought...
>>>> So, I went in the same snap in console and I deleted under
>>>> certificates- personal the entry with my account name, and under
>>>> reliable accounts I did same thing.
>>>> After this, I CAN STILL open and do everything with these encrypted
>>>> files.
>>>> So, I changed the admin password and (obviously)... after this, I
>>>> CAN STILL open and do everything with these encrypted files!
| Yes. And at that point, it'd be a good idea to update the exported
| credential disk.
| However, if you now create another Admin level account and change the
| password of that original account from there, you will find that you no
| longer have decrypt access, until you re-import the credentials.
| The same will happen if you boot with a Linux password-reset tool and change
| it that way.
>>>> I do not understand what to do to render unusable these files
>>>> without the little key file I have removed from PC (everyone says put in
>>>> floppy - no floppy from years ago here - and keep safe, ok but what
>>>> is this? if i still access the files)
>>>> If someone steal the hard disk and reset the admin password with
>>>> some utilities, he can still read these files?
| No. In that case, they'll see the files, but only in encrypted format.
| Since you have a test system, which is great, you can show this to yourself.
| Easy to do with a $25 USB2 drive adapter.
>>>>EFS work only if the
>>>> disk is put in another PC as slave?
| EFS will allow decrypt access *if* you enter the account via a normal logon.
| If the password was reset from outside, decrypt is lost until the
| credentials are re-imported.
>>>> Please help or address to a pratical tutorial...
>>> Yes.
>>> You can access them with your account without any input. Silently..
>>> However - if someone changes your password using a method other than
>>> logging in with your current password and changing it as you (say someone
>>> with administrative rights resets it) - then those files cannot be
>>> accessed by you (nor could they ever have been accessed by anyone else on
>>> the computer.)
>>> That's where exporting the key comes in.
>>> Best practices for the Encrypting File System
>>> http://support.microsoft.com/kb/223316
>>> You also want to know that you might have to change other things when
>>> using
>>> EFS in order to secure it more fully.
>>> Where Does EFS Fit into your Security Plan?
>>> http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan.
>>> html
>>> What is EFS? How can I use it to protect my files and folders?
>>> http://www.petri.co.il/what's_efs.htm
>> Thank you very much for your answer.
>> I was experimenting EFS in an expendable WinXP PC, my real problem is a
>> server where an SQL Server resides.
| I'd like to say it's great to hear that you are trying this out for yourself
| on an expendable system rather than on real data.
>> It seems the sole mode to secure database files is encrypting the whole
>> file system (apart crypt any single column of any table...), otherwise it
>> is possible to copy them in another SQL Server installation
| You probably want to see this happen yourself. Log onto your test machine
| and copy some encrypted data to a folder on another system, or even a disk.
| You'll likely find that the copy is not encrypted because you have the
| correct credentials.
| Then, reverse the process - try connecting to the test system by way of
| another system - just browse the network, find the encrypted file, and copy
| it. Compare your results.
>> (reading customers and credit cards and so on, it is the usual eshop
>> site...),
| This may mean that there are legal requirements you must meet regarding data
| protection. You need to investigate this.
>> so EFS jumped in.
>> I was worried a physical access to the machine could compromise privacy,
| You are right to. Physical access definitely compromises privacy. If
| someone can sit at the keyboard, the data is vulnerable.
>> like resetting administrator password from outside after grabbing the
>> hard disk.
| That's actually "safer" than having an unauthorised person sitting at the
| keyboard. And it's also part of why you need to be sure you have really
| good backups.
| This is one of the key features - and problems - with EFS. If the password
| is changed from outside the account, the credentials are invalidated and at
| that moment decrypt access to encrypted data is permanently lost, UNLESS the
| original account credentials are re-imported. Restoring the original
| password won't fix it. You need the credentials.
| This becomes a problem is when a Windows reinstall is done, which disrupts
| the credentials, and the user didn't export the originals.
| For you, it would also be a problem if that were your only copy of the data,
| or if the backups required the original credentials and you no longer have
| them.
| If you've stored them on the same hard disk in an unencrypted area, they are
| available to everybody. If you stored them in an encrypted area, nobody
| gets them. They should be on an external disk in a very secure location,
| with regular refreshes. One copy only is not really a great idea.
| As to floppies - yes, XP wants to export to floppies, get a $20 external USB
| floppy drive. It's a handy tool to have around.
>> Do you think there are further details for my specific problem, or the
>> info and links you provided is enough and cover any use of the encryption?
| You need to continue to test so you understand what's happening, and examine
| privacy legislation in your area to see what is legally required and what
| other companies do to comply with it. You also need to deal with the
| physical access issue, as well as secure and current backups. Be sure
| you can restore them to another system.
| EFS offers strong encryption that is easy to use and can help you, but you
| also need to understand its limitations adnd implications and how they can
| hurt you.
| HTH
| -pk
EFS is NOT dependent upon the account password.
EFS is dependent upon a OS (or Domain) generated EFS Certificate that is stored in the
Personal Certificate Store.
Example:
I logon to this PC as "lipman" and I have captured a picture of the view of my Personal
Certificate Store showing the OS generated EFS certificate
{ Note: I removed my Smart Card certs from my personal store first
}
You will note this the gernerated certificate has a life span of ~100 years. A life
expectancy to outlast the encrypted data and as long as this cert. stays in my personal
store I can decrypt the encrypted files.
NOTE: Files and folders that are encrypted will show in GREEN colour in Explorer views.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV -
http://www.pctipp.ch/downloads/dl/35905.asp