[unisog] Windows Encrypted File System (EFS)

Wes Young wcyoung at buffalo.edu
Thu Feb 9 21:52:47 GMT 2006

On Thu, 2006-02-09 at 14:19 -0700, Clyde Hoadley wrote:
> I acknowledge that there are a lot of things I just don't know very
> much about.  Windows Encrypted File System (EFS) is a good example
> of something I know very little about.
> Do I understand the following correctly?
> If a Windows user copies a file from an EFS folder onto a USB drive,
> the copy on the USB drive is not encrypted.  Is that true?


> If a Windows user attaches a file from an EFS folder to an Email
> message, the attachment is not encrypted?  The same is true
> if they were to FTP the file.  Is that true?

> There is malware (viruses, worms, Trojans) that runs in the context
> of the logged-on user.  Some of these are known to transmit
> random files off of the victim's computer to places unknown.
> Wouldn't such malware, running in the context of the logged-on user,
> have access to EFS files?  If it should randomly select an EFS file
> for transmittal (via Email, IM, ftp, etc...) would the file be transmitted
> unencrypted?  Is that true?

anyone that has access to the user's EFS keychain... yadda yadda...

> Laptop is joined to the domain, and while at work, the user
> logs into the domain and works on some EFS files (on the laptop),
> then they log off and take the laptop home.  The user will not be
> able to access their EFS files on the laptop using a local account.
> Is that true?

see above...

> EFS is intended to protect files stored on the hard drive.  It does
> not protect files that are being shipped off-site.  Is that true?

in order to read and xport the file, need to decrypt it... so yea.
Something like gpg, power archiver... etc. may work better as an
'offsite shipping' solution... (something that doesn't require a private
key stored on disk... just a strong passphrase...)

> My gut feeling is that EFS, while good, it isn't a complete
> encryption solution.  Some users may need additional encryption
> solutions.  I also get the feeling that EFS could create more
> problems than it solves.  What is your opinion?

keep your keychains safe... works about as well as anything else you're
gonna find out there.... (on the winderz side).

think about it this way... anything you utilize for encrypting to your
computer, if an attacker gets ahold of your user (no matter what MS or
apple's PR ppl tell you about their "Safe and Secure home drives"), they
can see your secret rings... This isn't just an EFS problem... just the
model of storing that secret data under your user and letting an account
get whacked.

You wanna keep your stuff safe, store your secret keys on a thumbdrive
or such... make sure that your drive has to be attached to utilize the
encryption.... you get the gist of it.

Basically EFS is just a nice glorified way to help keep your stuff
locked down in multi-user systems... one more level of protection,
although it makes it tougher to get at files... it's def possible too
(why decrypt it when you can rip the admin's or user's password and use the
private key to do it the easy way...).

Get a test box out, create a user and play with it.... it's not terribly
Wes Young
Network Security Analyst
University at Buffalo
| My Security Blog: | http://tinyurl.com/9av4k  |
| My RSS:           | http://tinyurl.com/ceopv  |
| My Life:          | http://tinyurl.com/l18g   |
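
An added example, not part of the original post: a PowerShell check an administrator could run on a test box to see whether copies of EFS-protected files kept their encryption, which is the situation raised in the questions about USB drives and off-site copies. EFS is an NTFS feature, so the script also reports the destination volume's file system. The paths `C:\EfsTest` and `E:\EfsCopy` are assumed test values, and the destination is assumed to be a local drive letter.

```powershell
# Added example (not from the thread). Paths below are assumed test values.
param(
    [string]$SourceDir = 'C:\EfsTest',   # assumed folder holding EFS-encrypted files
    [string]$DestDir   = 'E:\EfsCopy'    # assumed copy target on a local drive letter
)

function Test-EfsEncrypted([string]$Path) {
    # EFS marks the files it protects with the Encrypted file attribute.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

$srcRoot = (Resolve-Path -LiteralPath $SourceDir).Path
$dstRoot = (Resolve-Path -LiteralPath $DestDir).Path

# File system of the destination volume (for example NTFS or FAT32).
$dstFs = (New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($dstRoot))).DriveFormat

$report = Get-ChildItem -LiteralPath $srcRoot -File -Recurse -Force |
    Where-Object { Test-EfsEncrypted $_.FullName } |
    ForEach-Object {
        # Map each encrypted source file to the path its copy would have.
        $relative = $_.FullName.Substring($srcRoot.Length).TrimStart('\')
        $copy = Join-Path $dstRoot $relative
        if (-not (Test-Path -LiteralPath $copy)) { $state = 'no copy found' }
        elseif (Test-EfsEncrypted $copy)         { $state = 'copy still encrypted' }
        else                                     { $state = 'COPY IS PLAINTEXT' }
        [pscustomobject]@{
            Source         = $_.FullName
            Copy           = $copy
            DestFileSystem = $dstFs
            CopyState      = $state
        }
    }

$report | Format-Table -AutoSize
# Non-zero exit code if any EFS file has an unencrypted copy at the destination.
if ($report | Where-Object { $_.CopyState -eq 'COPY IS PLAINTEXT' }) { exit 1 }
```

Run it as the user who owns the EFS files, after copying the test folder to the destination.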
