Re: Laptop Encryption
From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 07/30/02
- Previous message: Eric: "RE: hfnetchk reporting"
- In reply to: Motiwala, Yusuf: "RE: Laptop Encryption"
- Next in thread: Stephane Moulec: "RE: Laptop Encryption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "Motiwala, Yusuf" <motiwala@ti.com>, <sightblinder@ntlworld.com>, <focus-ms@securityfocus.com>
Date: Mon, 29 Jul 2002 23:00:37 -0400

Windows 2000 supports volume mount points, where you can mount a volume to a
folder. However, about the only advantage this would give you is the "not
easily noticed" (i.e., security through obscurity), and finding the mount
point would be quite simple. While I like the idea of making the volume less
obvious, dismounting it would require, again, relatively educated
interaction on the part of the user, which is the chief problem with the
built-in EFS key store - it's just not easy enough for users to import/export
keys, so they just don't know about it or do it.
Laura
----- Original Message -----
From: "Motiwala, Yusuf" <motiwala@ti.com>
To: <sightblinder@ntlworld.com>; <focus-ms@securityfocus.com>
Sent: Saturday, July 27, 2002 12:03 AM
Subject: RE: Laptop Encryption
> Is there any software available which can mount a file as a Windows drive and
> can be unmounted when not required (something like lo in Linux)? Then the file
> can be encrypted with any encryption software. This will also increase
> security of data in the unmounted drive as a simple file is less noticeable than
> a drive.
>
> -----Original Message-----
> From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
> Sent: Friday, July 26, 2002 10:32 PM
> To: sightblinder@ntlworld.com; focus-ms@securityfocus.com
> Subject: Re: Laptop Encryption
>
>
> The encryption in Windows 2000/XP is excellent. However, the biggest problem
> with it is that if somebody steals the laptop where it has been implemented,
> by default, the encryption keys are stored (in an encrypted store) in the
> user's profile. Because they are not exported automatically to removable
> media, if the person who has stolen the laptop manages to crack the user's
> login credentials and log in as the user, the keys are then available and EFS
> is essentially pointless.
>
> *If* you do things like require smart card logon/biometrics/whatever for
> users with laptops, then it's a whole different story. If the thief doesn't
> have the smart card and PIN for the smart card, then you've *significantly*
> reduced the ability for a thief to log on with the user's credentials and
> have thus fairly well assured that the thief cannot access the keys that are
> stored in the encrypted store in the user's profile. Alternately, the user
> can manually import/export the keys every time s/he encrypts and decrypts
> files, but this requires a pretty significant amount of knowledge on the
> part of the user, and generally doesn't work well.
>
> So, in quick summary, if you implement EFS with an eye to these things, it
> works beautifully and is very secure. If you don't, then as always, your
> biggest risk is in a thief being able to log on with the user's credentials.
> If you're using domain accounts and not local accounts, you've already
> significantly reduced the risk as there isn't a local SAM to crack that would
> yield the proper credentials associated with the profile and stored keys.
> So, if you set it up with a little planning beforehand, EFS will definitely
> do the job. It's just that you have to be aware of where those keys are
> stored by default and how they could potentially be accessed.
>
> Laura.
> ----- Original Message -----
> From: <sightblinder@ntlworld.com>
> To: <focus-ms@securityfocus.com>
> Sent: Friday, July 26, 2002 10:14 AM
> Subject: Laptop Encryption
>
>
> > Well, it depends on how secure you want to be. If it's just a case of
> > securing it against opportunists then W2K and XP both provide an encrypted
> > file system natively. Check EFS / NTFS on the MS website. IIRC it's
> > accessed via the file or directory properties for the items you want to
> > encrypt.
> >
> > I have idea as to how strong the encryption is, but if you're only worried
> > about opportunist access or the laptop being stolen by a regular thief as
> > opposed to someone specifically after your company info then it should do
> > the job.
> >