[unisog] Windows Encrypted File System (EFS)

Stejerean, Cosmin cosmin at cti.depaul.edu
Fri Feb 10 23:41:57 GMT 2006

You are right, in stand-alone mode there is no default recovery agent in
Windows XP or Windows 2003. However, even if the Administrator user was
the default recovery agent it would not pose a significant threat.
Booting from a CD will let you RESET the password of local accounts (but
then again that's what syskey is for), however when resetting the
password you lose all the private data including the EFS private key
(hence the warning in Windows when you attempt to reset another user's

I prefer not to rely on EFS on my laptop or workstation though and
instead I create an encrypted partition with TrueCrypt (there are other
tools as well). This also allows me to create an encrypted partition on
a USB key to store/transfer critical files.

EFS has its advantages though, for example if an employee disappears,
leaves or is terminated you can recover all files from their
workstation, and I believe EFS can be great for network shares that
contain critical information as another safeguard on top of NTFS and
file sharing ACLs. If not set up properly it will cause a lot of
headaches though (and lost data).


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Gaddis, Jeremy L.
Sent: Friday, February 10, 2006 4:43 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Windows Encrypted File System (EFS)

Reg Quinton wrote:
> In theory yes, in practice no. The default configuration has the 
> Administrator account as a key recovery agent. See the "User Beware"
> in our discussion of EFS here:

That's not true for Windows XP and/or Windows Server 2003 -- in this 
case, there is no default recovery agent.  Users can encrypt files with 
just their own EFS certificates and no recovery certificates are needed 
or generated.  This eliminates the need to export and delete the 
Administrator's EFS private key on stand-alone computers, but it also 
prevents recoverability by default.

If the machine is a member of an Active Directory domain, then GPOs can 
be used to add data recovery agents.


Jeremy L. Gaddis, GCWN, Linux+, Network+
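The recoverability point raised in this thread (a file with no data recovery agent is lost when the owner's key is lost, for example after an offline password reset) can be checked per file with the built-in cipher.exe. The following PowerShell script is an added example, not from any poster in the thread; it assumes Windows XP SP2/Server 2003 or later (where `cipher /c` exists), PowerShell 3.0 or later for `Get-ChildItem -File`, and a placeholder path in `$Path`. The text match on cipher's "Recovery Certificates:" section is an assumption about its output format and should be confirmed against the output on your own build.

```powershell
# Added example: audit EFS-encrypted files under a path and flag those
# without a data recovery agent (DRA). Run as the user who owns the files,
# since cipher /c only shows what the current user can read.
param([string]$Path = "C:\Users\alice\Documents")   # placeholder path, change it

# 1. Find files whose attributes include Encrypted (EFS).
$encrypted = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }

# 2. Ask cipher.exe who can decrypt each file. Its output has a
#    "Users who can decrypt:" section and a "Recovery Certificates:" section;
#    with no DRA the latter reads "No recovery certificate found."
#    (assumed output format, verify on your system).
$report = foreach ($f in $encrypted) {
    $info = & cipher.exe /c $f.FullName 2>&1 | Out-String
    [pscustomobject]@{
        File   = $f.FullName
        HasDRA = ($info -match 'Recovery Certificates:') -and
                 ($info -notmatch 'No recovery certificate found')
    }
}
$report | Format-Table File, HasDRA -AutoSize

# 3. Files with no DRA are unrecoverable if the owner's profile or EFS key
#    is lost. Point the user at a key backup (cipher /x prompts for a
#    password and writes a .pfx) or, on a domain member, add a DRA via GPO.
$report | Where-Object { -not $_.HasDRA } | ForEach-Object {
    Write-Warning ("No recovery agent on {0}; back up the EFS key with " +
                   "'cipher /x' or add a DRA through Group Policy") -f $_.File
}
```

On a domain-joined machine a DRA added through Group Policy only applies to files encrypted (or re-encrypted) after the policy takes effect; `cipher /u` re-applies the current keys and recovery agents to existing encrypted files, which is the step most often missed when a DRA is introduced later.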
unisog mailing list
unisog at lists.sans.org
