
  • Creator
  • #2285283

    Lock down corporate data with EFS


    by debate ·

    Has your organization deployed Windows Encrypting File System (EFS) on its network? Do you feel your corporate data is safer because of it? Share your comments about locking down corporate data with EFS, as discussed in the Nov. 12 Security Solutions newsletter.

All Comments

  • Author
    • #3313108

EFS is not useful for departmental data

      by pierre_d ·

      In reply to Lock down corporate data with EFS

      The best usage for EFS is indeed for protecting laptop data.
      It is not useful for departmental data, i.e. on a shared server because it is impossible to easily share an encrypted file with a group of users. You must give permission to each user, one user at a time.

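The per-user step the reply above describes, as an added PowerShell example (not from the original thread): sharing one EFS-encrypted file with several users means one `cipher /adduser` call per user per file, because EFS has no notion of a group. The `/adduser` switch exists from Windows Vista on; on Windows XP the same per-user step is done by hand in the file's Advanced Attributes dialog. The function name, the `C:\EfsCerts\<user>.cer` layout and the paths in the usage line are assumptions.

```powershell
# Added example: share one EFS-encrypted file with several users, one at a time.
# Assumes each user has already exported the public half of their EFS certificate
# to C:\EfsCerts\<user>.cer, e.g. with:
#   Export-Certificate -Cert $myEfsCert -FilePath C:\EfsCerts\alice.cer
# Function name and paths are hypothetical.

function Add-EfsUsers {
    param(
        [Parameter(Mandatory)] [string]   $Path,       # encrypted file to share
        [Parameter(Mandatory)] [string[]] $CertFiles   # one .cer file per user
    )

    # /adduser only works on a file that is already EFS-encrypted, so encrypt it first if needed.
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
        cipher.exe /e "$Path" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not encrypt $Path" }
    }

    foreach ($cer in $CertFiles) {
        # There is no "add group" switch: every user is a separate call,
        # and every file needs its own set of calls. Adding a user later, or
        # removing one who left the department, means touching every file again.
        cipher.exe /adduser /certfile:"$cer" "$Path" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to add $cer to $Path" }
    }

    # Show who can now decrypt the file and which recovery certificates apply.
    cipher.exe /c "$Path"
}

# Usage (hypothetical paths):
# Add-EfsUsers -Path 'D:\Dept\budget.xlsx' -CertFiles (Get-ChildItem 'C:\EfsCerts\*.cer').FullName
```

Running this over a whole departmental share is the point of the reply: the loop scales as files times users, and there is no membership to revoke centrally, which is why NTFS permissions plus a group, not EFS, is the usual tool for shared data.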
    • #3313106

      Beware of EFS for encrypting offline files

      by pierre_d ·

      In reply to Lock down corporate data with EFS

Personal data is rather well protected with EFS even if your laptop is stolen. However, your offline files are protected with a machine certificate which is easier to obtain after you have reset the administrator password.

    • #3311321

      Serious error!

      by ou_peter ·

      In reply to Lock down corporate data with EFS

If you encrypt your data with EFS, then format your system and install a new one, you
will find you can't read your data on your disk!

I don't know what to do about EFS.

    • #3311240

      If someone can gain physical access….

      by thomas.wan ·

      In reply to Lock down corporate data with EFS

      If someone can gain physical access to your machine, your password can easily be hacked. In that case, the hacker can login to your machine as you with your password.

      • #3311196

        Check your facts, data is still secure

        by mike mullins ·

        In reply to If someone can gain physical access….

You’re wrong, and here’s why the crook still can’t read your encrypted documents:

        1. The default Recovery Agent for domain members is the domain Administrator account, not the Administrator account on the local machine.

        2. If the user was not a member of a domain, but was instead a local user, the default Recovery Agent would be the local Administrator. However, best practices says the recovery key should always be exported and removed from the machine and stored in a secure location. Once again, there is no recovery key on the machine to compromise.

3. Finally, if the bad guy cracks the local administrator password, it doesn’t matter: local Administrators cannot reset domain members’ passwords; they can only reset local users’ passwords. Your data is still secure.

        Moral of the story:

        1. Use EFS on laptops
        2. Do not create local accounts for users on laptops.
3. Export and remove the Recovery Key from stand-alone systems.
        4. Your data will remain secure

    • #3311220

      I have problems in XP SP2

      by coucnil ·

      In reply to Lock down corporate data with EFS

My OS is WinXP SP2 (Pro) & there are no certificates on my machine. How can I create a new one for recovery agents?

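An added PowerShell walkthrough (not posted by anyone in the thread) that covers both the question just above, creating a recovery agent certificate on a stand-alone XP SP2 box, and the earlier advice to export the recovery key and remove it from the machine. `cipher /r` is what generates the recovery agent key pair on XP; the removal check at the end uses the certificate provider cmdlets of later Windows versions. The working directory, file names and the recovery EKU OID lookup are assumptions for this example.

```powershell
# Added example: create a stand-alone EFS data recovery agent (DRA), export the key,
# and make sure no DRA private key is left on the machine. Paths are hypothetical.

$workDir = 'C:\EfsRecovery'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. cipher /r writes two files and prompts for a password for the .pfx:
#      EfsDra.cer  - public certificate, to be installed as the recovery agent
#      EfsDra.pfx  - private key, password protected; this is the "recovery key"
#    It does NOT install anything into a certificate store.
cipher.exe /r:"$workDir\EfsDra"
if ($LASTEXITCODE -ne 0) { throw 'cipher /r failed' }

# 2. Install the public certificate as the DRA (interactive, no cmdlet for it):
#    secpol.msc -> Public Key Policies -> Encrypting File System
#             -> Add Data Recovery Agent -> Browse Folders -> EfsDra.cer
#    On a domain this belongs in the Default Domain Policy instead of local policy.

# 3. Copy EfsDra.pfx to offline media, then delete the local copy, so the only
#    recovery key is the one locked away and nothing on the disk can be recovered
#    with it by someone who later cracks a local account.
#    Copy-Item "$workDir\EfsDra.pfx" 'E:\Vault\EfsDra.pfx'    # hypothetical removable drive
Remove-Item -LiteralPath "$workDir\EfsDra.pfx"

# 4. Verify that no certificate with the "File Recovery" EKU still has a private key
#    in either the user's or the machine's personal store (this is what would be
#    present if a DRA had been imported with its key, as on a Windows 2000-style
#    default local Administrator agent).
$draOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery
$leftovers = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $draOid) }

foreach ($c in $leftovers) {
    Write-Host "Removing DRA private key from store: $($c.Thumbprint) ($($c.Subject))"
    # -DeleteKey removes the private key along with the certificate entry.
    Remove-Item -LiteralPath $c.PSPath -DeleteKey
}

if (-not $leftovers) { Write-Host 'No recovery agent private key remains on this machine.' }
```

The public .cer can stay on the machine; it only lets EFS add a recovery field to new files. Only the .pfx can decrypt, so that is the artefact to get off the disk and into a safe.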
    • #3290930

      Encrypting corporate data in general

      by stress junkie ·

      In reply to Lock down corporate data with EFS

      Encrypting data on disk is a very important idea. However, it is a mistake to allow this to happen at the user level. This should be performed at the system administration level.

      These ideas are not limited to Windows. Some of this may not be available or required in Windows, but it is available and can be made required in *nix OSes. I’m responding even though this was directed toward the Windows environment because the concept of encrypting data on disk is a cross platform issue.

      When data is encrypted before it is stored to disk then you overcome at least two huge security problems that have plagued system administrators for years. This has been a problem without a reasonable solution until recently. Now encrypting an entire file system is possible in many operating systems.

      The first problem that is addressed is, as mentioned in another reply to this discussion, that data on disk is secure, even from a hacker that has acquired system privileges. If, and only if, the system administrator is required to enter a password in order to mount a partition then the hacker with privileges still has to break the password to access the encrypted data. I don’t know how this works on Windows. On *nix some of the encrypting software does require that a password be entered in order to mount an encrypted partition ( file system ).

      The second problem that is addressed is similar to the physical access to the computer. People who are allowed access to the system to perform repairs, field service technicians, will sometimes have to swap a broken hard disk for a new hard disk. These people have physical access to the disk and can mount it in their own system where they have privileges. This is like the hacker that acquires privileges except that we system administrators happily allow the service technician to walk out the door with the ‘broken’ disk. Or sometimes we just throw a broken hard disk into the trash. Either way, if the data on the disk were encrypted then anyone that has possession of the disk still has to hack the password to read the data, if they can figure out the encryption scheme in the first place. You see many articles about how a government desktop computer was purchased through after market retailers and the purchaser found confidential data on the disk. This can be prevented by encrypting data on disk.

      In summary, encrypting data on disk is a great idea. It can be an important component of establishing file and data security. Encrypted data can create a hurdle for the hacker that has gained system privileges and it can secure data that was left on hard disks or computers that have been discarded.

      BTW you should also encrypt data that goes into the pagefile/swapfile.

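The posture the reply above argues for (data encrypted before it hits the disk, and the pagefile encrypted too) can be checked on a Windows machine with the following added PowerShell example, which is not part of the thread. It reports whether EFS has been disabled by registry policy, whether pagefile encryption is on (`fsutil behavior query encryptpagingfile`, Windows Vista and later), and how many files under the current profile are actually encrypted. The function name and the choice of `$env:USERPROFILE` as the directory to scan are assumptions.

```powershell
# Added example: audit EFS-related posture on one Windows host. Not from the original thread.
# Function name is hypothetical; the registry value and fsutil query are real.

function Get-EfsPosture {
    param([string] $ScanRoot = $env:USERPROFILE)   # directory whose files are inspected

    # EfsConfiguration = 1 under this key disables EFS for the whole machine.
    $efsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $efsValue = (Get-ItemProperty -Path $efsKey -ErrorAction SilentlyContinue).EfsConfiguration
    $efsDisabled = ($efsValue -eq 1)

    # fsutil prints a line like "EncryptPagingFile = 1" (Vista and later).
    $pf = (fsutil.exe behavior query encryptpagingfile 2>$null) -join ' '
    $pagefileEncrypted = ($pf -match '=\s*1')

    # Count files carrying the NTFS Encrypted attribute, which is what EFS sets.
    $encrypted = Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

    [pscustomobject]@{
        EfsDisabledByPolicy = $efsDisabled
        PagefileEncrypted   = $pagefileEncrypted
        ScanRoot            = $ScanRoot
        EncryptedFileCount  = @($encrypted).Count
    }
}

# Usage:
# Get-EfsPosture
#
# To turn pagefile encryption on (administrator, takes effect after a reboot):
# fsutil behavior set encryptpagingfile 1
```

Note what this does not cover: EFS is per-file, so a clean audit here says nothing about an unencrypted copy in a temp folder or a print spool, which is the gap the reply's argument for whole-volume encryption is really about.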