[unisog] Windows Encrypted File System (EFS)

Stasiniewicz, Adam stasinia at msoe.edu
Thu Feb 9 21:43:31 GMT 2006


See below for per-section answers.

Regards,
Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 
MSCE: Messaging & Security 2003 

> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Clyde Hoadley
> Sent: Thursday, February 09, 2006 3:19 PM
> To: UNIversity Security Operations Group
> Subject: [unisog] Windows Encrypted File System (EFS)
> 
> I acknowledge that there are a lot of things I just don't know very
> much about.  Windows Encrypted File System (EFS) is a good example
> of something I know very little about.
> 
> Do I understand the following correctly?
> 
> If a Windows user copies a file from an EFS folder onto a USB drive,
> the copy on the USB drive is not encrypted.  Is that true?
> 
Correct

> If a Windows user attaches a file from an EFS folder to an Email
> message, the attachment is not encrypted?  The same is true
> if they were to FTP the file.  Is that true?
> 
Correct, Yes

> There is malware (viruses, worms, Trojans) that runs in the context
> of the logged on user.  Some of these are known to transmit
> random files off of the victim's computer to places unknown.
> Wouldn't such malware, running in the context of the logged on user,
> have access to EFS files?  If it should randomly select an EFS file
> for transmittal (via Email, IM, ftp, etc...) the file would be transmitted
> unencrypted?  Is that true?
> 
Yes, Yes, Correct

> Laptop is joined to the domain, and while at work, the user
> logs into the domain and works on some EFS files (on the laptop),
> then they log off and take the laptop home.  The user will not be
> able to access their EFS files on the laptop using a local account.
> Is that true?
> 
By default yes.  But you can install a copy of the private key into the
local user's certificate store to allow access to the EFS files.

> EFS is intended to protect files stored on the hard drive.  It does
> not protect files that are being shipped off-site.  Is that true?
> 
Basically yes.

> My gut feeling is that EFS, while good, isn't a complete
> encryption solution.  Some users may need additional encryption
> solutions.  I also get the feeling that EFS could create more
> problems than it solves.  What is your opinion?
> 
It does have its uses.  It is designed to be a transparent file system
encryption system.  It is not designed to replace GPG, PGP, or any other
file based encryption system.  If you are looking for something that
protects files while in transit, EFS is not for you.  If you are looking
for something to secure files stored on a HD that has a risk of being
stolen, EFS might be an option for you.

> --
> Clyde Hoadley, CISSP, GSEC
> Security & Disaster Recovery Coordinator
> Department of Information Technology
> Metropolitan State College of Denver
> http://www.mscd.edu/~infotech/security/
> <hoadleyc at mscd.edu>
> (303) 556-5074 (office)
> (720) 232-4737 (personal cell)
> 
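
The USB copy case discussed above can be audited. The following is an added example, not part of the original thread: it looks on removable drives for copies of files that are EFS-encrypted in a protected folder and reports whether each copy still carries the Encrypted attribute. The function name and the folder path are hypothetical, and matching copies by file name and size is an assumption of this sketch.

```powershell
# Added example: find copies of EFS-protected files on removable drives and
# report whether the copy kept the NTFS "Encrypted" attribute.
function Get-EfsCopyStatus {
    param(
        [Parameter(Mandatory)] [string] $ProtectedFolder   # hypothetical path
    )
    $enc = [System.IO.FileAttributes]::Encrypted

    # Index the EFS-encrypted source files by name and size (heuristic match).
    $protected = @{}
    Get-ChildItem -LiteralPath $ProtectedFolder -File -Recurse -Force |
        Where-Object { $_.Attributes -band $enc } |
        ForEach-Object { $protected["$($_.Name)|$($_.Length)"] = $_.FullName }

    # Only removable drives that currently have media inserted.
    $drives = [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady }

    foreach ($d in $drives) {
        Get-ChildItem -LiteralPath $d.RootDirectory.FullName -File -Recurse `
                      -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = "$($_.Name)|$($_.Length)"
                if ($protected.ContainsKey($key)) {
                    [pscustomobject]@{
                        Source        = $protected[$key]
                        Copy          = $_.FullName
                        FileSystem    = $d.DriveFormat
                        CopyEncrypted = [bool]($_.Attributes -band $enc)
                    }
                }
            }
    }
}

# Show only the copies that are no longer encrypted (constructed sample path).
Get-EfsCopyStatus -ProtectedFolder 'C:\Users\alice\Documents\Confidential' |
    Where-Object { -not $_.CopyEncrypted } |
    Format-Table -AutoSize
```

Run it as the user who owns the files; it reads only names, sizes and attributes, so it does not need the EFS private key.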