[unisog] Windows Encrypted File System (EFS)

Stasiniewicz, Adam stasinia at msoe.edu
Fri Feb 10 23:09:37 GMT 2006

Actually there are three mitigating facts to what you just said.  First,
you don't have to have the administrator be the key recovery agent (in a
domain environment).  You can simply modify the GPO so there is no
recovery agent.  Second, if you use syskey with a startup
password/floppy, the entire private key section of the local SAM is
encrypted with a key protected by the syskey.  Third, if on a stand-alone
computer, there will be no default recovery agent.

So ideally you should enable syskey (with a password/floppy) and disable
the Administrator as the recovery agent.  With this the EFS key will be
protected by your account password and syskey password; meaning that a
hacker would need to brute-force both passwords before being able to
access your EFS files; thereby making an effective tool against laptop

Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 
MSCE: Messaging & Security 2003 

> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Reg Quinton
> Sent: Friday, February 10, 2006 12:00 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Windows Encrypted File System (EFS)
> From: "Stejerean, Cosmin" <cosmin at cti.depaul.edu>
> > EFS is meant to encrypt files while on the drive (so if the laptop
> > stolen nobody will be able to get the files) and while it is far
> > perfect it would have helped in the recent cases in the news when
> > laptops of bank employees were stolen.
> In theory yes, in practice no. The default configuration has the
> Administrator account as a key recovery agent. See the "User Beware"
> section in our discussion of EFS here:
> http://ist.uwaterloo.ca/security/position/20020619/
> EFS is not sufficient to protect data if your laptop is stolen. I
> understand there are lots of tools that will give you the Administrator
> account you can get the system to boot from a CD. Once you have the
> Administrator account you now have all EFS files.
> Mind you I use EFS on my laptop. Every little bit helps.
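The two settings the reply above recommends (syskey in password/floppy mode, and no EFS recovery agent left in policy) can be audited on a single machine. The following PowerShell script is an added example for that audit; it is not code from the list thread or from Microsoft. It assumes that the syskey mode is recorded in the `SecureBoot` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 = key stored on disk, 2 = startup password, 3 = startup floppy), that locally applied EFS recovery policy certificates are published under `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates`, and that `cipher.exe /c` prints a "Recovery Certificates" section for an encrypted file; all three are assumptions about older Windows builds and should be confirmed on the version being checked.

```powershell
# Added example, not from the thread. Audits the hardening described in the
# reply: syskey mode and presence of EFS recovery agents.
# Assumed registry locations (verify on the target OS):
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot  -> syskey mode 1/2/3
#   HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates
#     -> thumbprint-named subkeys for recovery agent certificates in policy

function Get-SyskeyMode {
    # Returns a small object describing how the syskey is stored.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $mode = [int]$lsa.SecureBoot
    $desc = switch ($mode) {
        1 { 'Key stored on disk (default): protects nothing against an offline attacker' }
        2 { 'Startup password: SAM secrets wrapped with a password-derived key' }
        3 { 'Startup floppy: key kept on removable media' }
        default { "Unknown SecureBoot value $mode" }
    }
    [pscustomobject]@{ Mode = $mode; Description = $desc; Hardened = ($mode -in 2, 3) }
}

function Get-PolicyRecoveryAgents {
    # Lists recovery agent certificate thumbprints published by policy, if any.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
    if (-not (Test-Path $path)) { return @() }
    Get-ChildItem -Path $path | ForEach-Object { $_.PSChildName }
}

function Get-FileRecoveryAgents {
    # Cross-check on a real encrypted file: cipher /c lists who can decrypt it
    # and which recovery certificates were applied when it was encrypted.
    param([Parameter(Mandatory)][string]$Path)
    $inRecovery = $false
    $agents = @()
    foreach ($line in (& cipher.exe /c $Path 2>&1)) {
        if ($line -match 'Recovery Certificates') { $inRecovery = $true; continue }
        if ($inRecovery) {
            if ($line -match '^\s*$' -or $line -match 'Key information') { break }
            if ($line -notmatch 'thumbprint') { $agents += $line.Trim() }
        }
    }
    $agents
}

function Test-EfsHardening {
    # Summarises both checks; an optional encrypted file gives a concrete view.
    param([string]$EncryptedFile)
    $syskey = Get-SyskeyMode
    $policyAgents = @(Get-PolicyRecoveryAgents)
    $result = [pscustomobject]@{
        SyskeyMode          = $syskey.Description
        SyskeyHardened      = $syskey.Hardened
        PolicyRecoveryAgents = $policyAgents
        NoRecoveryAgent     = ($policyAgents.Count -eq 0)
    }
    if ($EncryptedFile -and (Test-Path $EncryptedFile)) {
        $result | Add-Member -NotePropertyName FileRecoveryAgents `
                             -NotePropertyValue @(Get-FileRecoveryAgents -Path $EncryptedFile)
    }
    $result
}

# Usage: run from an elevated prompt; pass any file you already encrypted.
Test-EfsHardening -EncryptedFile "$env:USERPROFILE\Documents\secret.txt" | Format-List
```

Only `SyskeyHardened` and `NoRecoveryAgent` both being true matches the configuration the reply describes; the file-level listing is there because policy can change after a file was encrypted, and the recovery certificate already stamped into an older file still opens it.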
