[unisog] Windows Encrypted File System (EFS)

Jim Dillon Jim.Dillon at cusys.edu
Fri Feb 10 00:05:05 GMT 2006

In addition to the problems you are seeing correctly, I had a lot of
trouble with EFS when using batch commands to manipulate directories.
Failures were not always noticed or verbose, and in fact often just
stopped the batch process, leaving the encryption state as something you
could guess at: how much was encrypted.  I also found when I was
cleaning up from it that some drives and files that should have been
encrypted weren't, and vice versa.  I lost some data as I didn't keep a
key when I thought I'd removed the encryption.

I'm not a fan.  Hard to work with, not always clear that it works, not
trustworthy for consistent encryption in my book.

I'm trying out Kensington's PC Key at the moment - it encrypts
everything supposedly, but when logging on under a different account
(not the account I encrypted under, a different local admin account) I'm
finding some directory trees partially encrypted, some not, and a bunch
of unusual states.  Since you still have to have the key to authenticate
even as another user, I'm having trouble analyzing or predicting the
algorithm and the actual state of the drive.

Like you, I expect, I want an always-on encryption solution that protects
the drive from tampering.

Note that other things like compression (WinZip and the like as well)
don't function well on an encrypted volume!


Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon at cusys.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Clyde Hoadley
Sent: Thursday, February 09, 2006 2:19 PM
To: UNIversity Security Operations Group
Subject: [unisog] Windows Encrypted File System (EFS)

I acknowledge that there are a lot of things I just don't know very
much about.  Windows Encrypted File System (EFS) is a good example
of something I know very little about.

Do I understand the following correctly?

If a Windows user copies a file from an EFS folder onto a USB drive,
the copy on the USB drive is not encrypted.  Is that true?

If a Windows user attaches a file from an EFS folder to an Email
message, the attachment is not encrypted?  The same is true
if they were to FTP the file.  Is that true?

There is malware (viruses, worms, Trojans) that runs in the context
of the logged-on user.  Some of these are known to transmit
random files off of the victim's computer to places unknown.
Wouldn't such malware, running in the context of the logged-on user,
have access to EFS files?  If it should randomly select an EFS file
for transmittal (via Email, IM, FTP, etc.), would the file be transmitted
unencrypted?  Is that true?

Laptop is joined to the domain, and while at work, the user
logs into the domain and works on some EFS files (on the laptop),
then they log off and take the laptop home.  The user will not be
able to access their EFS files on the laptop using a local account.
Is that true?

EFS is intended to protect files stored on the hard drive.  It does
not protect files that are being shipped off-site.  Is that true?

My gut feeling is that EFS, while good, isn't a complete
encryption solution.  Some users may need additional encryption
solutions.  I also get the feeling that EFS could create more
problems than it solves.  What is your opinion?

Clyde Hoadley, CISSP, GSEC
Security & Disaster Recovery Coordinator
Department of Information Technology
Metropolitan State College of Denver
<hoadleyc at mscd.edu>
(303) 556-5074 (office)
(720) 232-4737 (personal cell)
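Both messages turn on the same practical problem: after a batch run or a copy, nobody knows which files actually carry the EFS attribute. The script below is an added example, not code from either poster; it reads the Windows file-attribute bitmask (FILE_ATTRIBUTE_ENCRYPTED, 0x4000) for every file under a directory and flags the two inconsistencies Jim describes, plaintext files inside a tree that was supposed to be fully encrypted and encrypted files outside it. The sample entries are constructed, and they model the case Clyde asks about: a copy on a removable drive that no longer carries the attribute. The EFS_AUDIT_ROOT environment variable is a hypothetical hook for a live run; the attribute field only exists on Windows, so elsewhere the constructed sample is used.

```python
import os
import stat
from typing import Dict, Iterable, List, Tuple

# FILE_ATTRIBUTE_ENCRYPTED as Windows reports it in the attribute bitmask;
# stat.FILE_ATTRIBUTE_ENCRYPTED carries the same value on Python 3.5+.
FILE_ATTRIBUTE_ENCRYPTED = getattr(stat, "FILE_ATTRIBUTE_ENCRYPTED", 0x4000)


def is_encrypted(attributes: int) -> bool:
    """True when the EFS 'encrypted' bit is set in a file's attribute mask."""
    return bool(attributes & FILE_ATTRIBUTE_ENCRYPTED)


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies inside root' test for Windows-style paths."""
    p = path.replace("/", "\\").lower()
    r = root.replace("/", "\\").lower().rstrip("\\") + "\\"
    return p.startswith(r)


def classify(entries: Iterable[Tuple[str, int]],
             expected_encrypted_roots: List[str]) -> Dict[str, List[str]]:
    """Sort (path, attributes) pairs into encrypted/plaintext and flag the two
    inconsistencies the thread describes: plaintext files inside a tree that
    should be fully encrypted, and encrypted files outside any such tree."""
    report: Dict[str, List[str]] = {
        "encrypted": [], "plaintext": [],
        "unexpected_plaintext": [], "unexpected_encrypted": [],
    }
    for path, attributes in entries:
        encrypted = is_encrypted(attributes)
        expected = any(_under(path, root) for root in expected_encrypted_roots)
        report["encrypted" if encrypted else "plaintext"].append(path)
        if expected and not encrypted:
            report["unexpected_plaintext"].append(path)
        elif encrypted and not expected:
            report["unexpected_encrypted"].append(path)
    return report


def scan_tree(root: str) -> List[Tuple[str, int]]:
    """Walk a directory and read each file's attribute mask. st_file_attributes
    exists only on Windows; elsewhere every file is reported as attribute 0."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                attrs = getattr(os.stat(full), "st_file_attributes", 0)
            except OSError:
                continue  # unreadable entries are skipped, never assumed encrypted
            found.append((full, attrs))
    return found


# Constructed sample: a supposedly fully encrypted folder with one file left
# in the clear after a failed batch run, an encrypted file that strayed into a
# public folder, and a copy on a USB stick that no longer carries the attribute.
SAMPLE_ENTRIES = [
    ("C:\\Users\\jdoe\\Secret\\budget.xls", 0x4020),  # ARCHIVE | ENCRYPTED
    ("C:\\Users\\jdoe\\Secret\\notes.txt", 0x0020),   # ARCHIVE only: plaintext
    ("C:\\Users\\jdoe\\Public\\memo.doc", 0x4000),    # ENCRYPTED where not expected
    ("E:\\budget.xls", 0x0020),                       # USB copy, plaintext
]


def sample_report() -> Dict[str, List[str]]:
    """Run the classifier over the constructed sample."""
    return classify(SAMPLE_ENTRIES, ["C:\\Users\\jdoe\\Secret"])


if __name__ == "__main__":
    # EFS_AUDIT_ROOT is a hypothetical variable naming a tree that should be
    # fully encrypted; without it the constructed sample is reported instead.
    target = os.environ.get("EFS_AUDIT_ROOT")
    entries = scan_tree(target) if target else SAMPLE_ENTRIES
    roots = [target] if target else ["C:\\Users\\jdoe\\Secret"]
    for key, paths in classify(entries, roots).items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

The attribute bit only says whether NTFS holds the file in encrypted form; it says nothing about who can decrypt it, so a report like this is a consistency check on the drive, not proof that the right key was kept.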
