Re: Laptop Encryption

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 07/26/02


From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: <sightblinder@ntlworld.com>, <focus-ms@securityfocus.com>
Date: Fri, 26 Jul 2002 13:02:12 -0400

The encryption in Windows 2000/XP is excellent. However, the biggest problem
with it is that if somebody steals the laptop where it has been implemented,
by default, the encryption keys are stored (in an encrypted store) in the
user's profile. Because they are not exported automatically to removable
media, if the person who has stolen the laptop manages to crack the user's
login credentials and login as the user, the keys are then available and EFS
is essentially pointless.

*If* you do things like require smart card logon/biometrics/whatever for
users with laptops, then it's a whole different story. If the thief doesn't
have the smart card and PIN for the smart card, then you've *significantly*
reduced the ability for a thief to log on with the user's credentials and
have thus fairly well assured that the thief cannot access the keys that are
stored in the encrypted store in the user's profile. Alternately, the user
can manually import/export the keys every time s/he encrypts and decrypts
files, but this requires a pretty significant amount of knowledge on the
part of the user, and generally doesn't work well.

So, in quick summary, if you implement EFS with an eye to these things, it
works beautifully and is very secure. If you don't, then as always, your
biggest risk is in a thief being able to log on with the user's credentials.
If you're using domain accounts and not local accounts, you've already
significantly reduced the risk, as there isn't a local SAM to crack that would
yield the proper credentials associated with the profile and stored keys.
So, if you set it up with a little planning beforehand, EFS will definitely
do the job. It's just that you have to be aware of where those keys are
stored by default and how they could potentially be accessed.

Laura.
----- Original Message -----
From: <sightblinder@ntlworld.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, July 26, 2002 10:14 AM
Subject: Laptop Encryption

> Well it depends on how secure you want to be. If it's just a case of
> securing it against opportunists then W2K and XP both provide an encrypted
> file system natively. Check EFS / NTFS on the MS website. IIRC it's
> accessed via the file or directory properties for the items you want to
> encrypt.
>
> I have no idea as to how strong the encryption is, but if you're only worried
> about opportunist access or the laptop being stolen by a regular thief as
> opposed to someone specifically after your company info then it should do
> the job.
>
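Laura's point is that the EFS private key lives in the user's profile unless it is exported elsewhere. The following audit script is an added example, not part of this thread or of Windows itself: it lists EFS-encrypted files under the profile, finds the certificates in the CurrentUser\My store that carry the EFS enhanced key usage, reports whether each private key is exportable, and reminds the operator to back the key up off the laptop. It assumes Windows PowerShell 5.1 on a current Windows host (`cipher /x` postdates the 2002 thread) and uses a placeholder backup path.

```powershell
# Added example (not from the original thread): audit a user's EFS state
# from the defender's side. Assumes Windows PowerShell 5.1 on Windows.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # szOID_KP_EFS enhanced key usage
$ScanRoot  = $env:USERPROFILE
$BackupDir = 'E:\efs-backup'             # placeholder: removable media path

# 1. Which files in this profile actually depend on the EFS key?
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
"{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $ScanRoot

# 2. Which certificates in the profile's store can decrypt them?
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.Value -contains $EfsEkuOid }

foreach ($cert in $efsCerts) {
    # CAPI (RSACryptoServiceProvider) keys expose CspKeyContainerInfo;
    # CNG-backed keys do not, so report those as not determinable here.
    $exportable = 'n/a (CNG key or no access)'
    $key = $null
    try { $key = $cert.PrivateKey } catch { }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $key.CspKeyContainerInfo.Exportable
    }
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Exportable    = $exportable
    }
}

# 3. Keys that only exist in the profile are lost with the profile and
#    exposed with the credentials. cipher /x writes a password-protected
#    PFX of the current user's EFS certificate and private key (it prompts
#    for the password interactively), which can then be kept off the laptop.
$pfx = Join-Path $BackupDir 'efs-key.pfx'
if ($efsCerts.Count -gt 0 -and -not (Test-Path $pfx)) {
    "No EFS key backup found at $pfx; run:  cipher /x `"$BackupDir\efs-key`""
}
```

Run it as the user whose profile holds the keys; a domain recovery agent certificate, if any, lives in the policy store and is not covered by this check.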