[unisog] File protection in a Windows Environment

Nick Lewis lewisnic at acm.org
Sun Dec 11 00:58:52 GMT 2005


----- Original Message ----- 
From: "Reg Quinton" <reggers at ist.uwaterloo.ca>
To: "UNIversity Security Operations Group" <unisog at lists.sans.org>
Sent: Wednesday, December 07, 2005 5:37 AM
Subject: Re: [unisog] File protection in a Windows Environment


>> Stay away from Microsoft's EFS then, since the "key recovery" role can
>> be assumed by an administrator.
>
> I wouldn't say "stay away". Instead, say "be aware". If you're aware of the
> limitations it's reasonable. We posted a position paper here:
>
> http://ist.uwaterloo.ca/security/position/20020619/
>
> Ps. a limitation on most cryptography -- an administrator can install a
> key-stroke logger to grab your PGP key (or whatever product you recommend).

I went to a presentation by AccessData last year where they talked about how 
Forensic Toolkit (FTK) can break EFS so that evidence can be uncovered. It 
appears to work without the recovery keys on pre-SP1 W2K/XP systems and 
needing the recovery key on later systems.

Nick



