[unisog] Windows Encrypted File System (EFS)
stasinia at msoe.edu
Fri Feb 10 23:09:37 GMT 2006
Actually there are three mitigating facts to what you just said. First, you don't have to have the administrator be the key recovery agent (in a domain environment). You can simply modify the GPO so there is no recovery agent. Second, if you use syskey with a startup password/floppy, the entire private key section of the local SAM is encrypted with a key protected by the syskey. Third, if on a stand-alone computer, there will be no default recovery agent.

So ideally you should enable syskey (with a password/floppy) and disable the Administrator as the recovery agent. With this the EFS key will be protected by your account password and syskey password, meaning that a hacker would need to brute-force both passwords before being able to access your EFS files; thereby making an effective tool against laptop
Computer and Communication Services Department
Milwaukee School of Engineering
MCSE: Messaging & Security 2003
> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Reg Quinton
> Sent: Friday, February 10, 2006 12:00 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Windows Encrypted File System (EFS)
> From: "Stejerean, Cosmin" <cosmin at cti.depaul.edu>
> > EFS is meant to encrypt files while on the drive (so if the laptop is
> > stolen nobody will be able to get the files) and while it is far from
> > perfect it would have helped in the recent cases in the news when
> > laptops of bank employees were stolen.
> In theory yes, in practice no. The default configuration has the
> Administrator account as a key recovery agent. See the "User Beware"
> in our discussion of EFS here:
> EFS is not sufficient to protect data if your laptop is stolen. I
> there are lots of tools that will give you the Administrator account
> can get the system to boot from a CD. Once you have the Administrator
> account you now have all EFS files.
> Mind you I use EFS on my laptop. Every little bit helps.
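An added audit script for the two settings argued over in this thread (syskey startup mode, and whether the Administrator's recovery certificate can decrypt a given EFS file); it is not code from either poster. It assumes the SYSKEY registry flag documented for Windows 2000/XP/2003 (syskey was removed in Windows 10 1709 and later), the English section headers printed by cipher.exe /c, and a placeholder file path.

```powershell
# Added example, not from the thread. Assumes HKLM\...\Lsa\SecureBoot holds the
# syskey mode and that cipher.exe /c prints English section headers.

function Get-SyskeyMode {
    # SecureBoot: 1 = key stored in the registry (default), 2 = startup password,
    # 3 = key on floppy. Only modes 2 and 3 add a secret an offline attacker lacks.
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $mode = (Get-ItemProperty -Path $lsa -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
    switch ($mode) {
        1       { 'LocalKey' }
        2       { 'StartupPassword' }
        3       { 'Floppy' }
        default { 'NotConfigured' }   # value absent: newer Windows or never set
    }
}

function Get-EfsFileAccess {
    # Splits cipher /c output into the two lists the thread cares about:
    # users holding a key for the file, and recovery certificates that also decrypt it.
    param([Parameter(Mandatory)][string]$Path)
    $users = @(); $agents = @(); $section = $null
    foreach ($line in (& cipher.exe /c $Path)) {
        if ($line -match '^\s*Users who can decrypt:')  { $section = 'users';  continue }
        if ($line -match '^\s*Recovery Certificates:')  { $section = 'agents'; continue }
        if ($line -match '^\s*(Key information|Compatibility Level)|^\s*$') { $section = $null; continue }
        if ($line -match 'Certificate thumbprint')      { continue }   # keep names only
        switch ($section) {
            'users'  { $users  += $line.Trim() }
            'agents' { $agents += $line.Trim() }
        }
    }
    [pscustomobject]@{ Path = $Path; Users = $users; RecoveryAgents = $agents }
}

function Test-EfsPosture {
    # Reports the two weak states described in the thread for one encrypted file.
    param([Parameter(Mandatory)][string]$Path)
    $mode     = Get-SyskeyMode
    $access   = Get-EfsFileAccess -Path $Path
    $findings = @()
    if ($mode -eq 'LocalKey') {
        $findings += 'Syskey stored on disk: SAM contents gain no extra protection offline'
    }
    if ($access.RecoveryAgents -match 'Administrator') {
        $findings += 'Administrator recovery certificate can decrypt this file'
    }
    [pscustomobject]@{ SyskeyMode = $mode; RecoveryAgents = $access.RecoveryAgents; Findings = $findings }
}

Test-EfsPosture -Path 'C:\Users\me\secret.txt' | Format-List   # placeholder path
```

Run it from an elevated prompt on the machine being reviewed; an empty Findings list with SyskeyMode of StartupPassword or Floppy matches the configuration the first reply recommends.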