RE: Encrypting remote files with EFS

From: Depp, Dennis M. (deppdm_at_ornl.gov)
Date: 05/11/05

    Date: Wed, 11 May 2005 07:36:17 -0400
    To: Robert Schwartz <robert.schwartz@ucdmc.ucdavis.edu>, Zack Schiel <ZSchiel@blueandco.com>
    
    

    There are a few flaws in the complaints about EFS. First, if you are running in an Active Directory Domain, then the local administrator does not have the ability to decrypt files. The Domain Administrator and/or the EFS recovery agent has this capability. Second, if you are not in the domain, you can remove the encryption key from the local administrator account. In either case, you can and should remove the encryption key from the local admin account.

    Dennis

    -----Original Message-----
    From: Robert Schwartz [mailto:robert.schwartz@ucdmc.ucdavis.edu]
    Sent: Tuesday, May 10, 2005 1:39 PM
    To: Zack Schiel
    Cc: focus-ms@securityfocus.com
    Subject: Re: Encrypting remote files with EFS

    Danger Will Robinson. Your experiences are only atypical because no one's
    lost an entire volume (yet). I can't go into my personal experiences with
    that steamy pile of encryption, but I can link a public website

    http://www.infoanarchy.org/wiki/index.php/Talk:Hard_Disk_Encryption

    I don't agree with the author's tone (although it was amusing), but I agree
    with his results. I do not consider EFS an appropriate solution to the
    requirements you sketched out.

    If you need something "Cost Comparable" to EFS (i.e. if you chose EFS
    because it's free) then try this gem:
    The following product does what you want correctly. Since it works
    correctly, if the user forgets their passphrase then the data is gone.
    It's Open Source so if you are afraid of backdoors then check the source
    code.

    http://www.truecrypt.org/downloads.php

    If you need recovery key abilities and you have a budget then buy SafeBoot,
    PointSec, Winmagic, etc according to your needs.

    From: "Zack Schiel" <ZSchiel@blueandco.com>
    Sent: 05/10/2005 07:03 AM
    To: <focus-ms@securityfocus.com>
    Subject: Encrypting remote files with EFS

    We are in the midst of deploying EFS to protect specific folders on laptop
    hard drives.  We want EFS used only for that purpose, locally; as such, we
    do not want users to have the ability to encrypt files that are residing on
    file servers.  According to my understanding of EFS, which seems to be
    confirmed by the quote below from Windows help, users shouldn't be able to
    do so unless we specifically enable file server(s) to be trusted for
    delegation in AD.

    "In a domain environment, remote encryption is not enabled by default. To
    enable encryption for a specific computer, your network administrator can
    make that computer trusted for delegation. For more information, consult
    your network administrator."

    However, some of our servers are allowing files to be encrypted and
    decrypted remotely, and these servers are *not* marked as trusted for
    delegation in AD.  Further, the user that encrypted the file can scoot over
    to another PC, log in as themselves, and access the file, and we have no CA
    infrastructure in place; these are locally-generated EFS certificates that
    do not chain back past the local client machine.  The certificate
    thumbprints in the personal store for the user account on the two PCs do
    not match, yet they can access the file just the same, while other user
    accounts cannot.

    I'm thoroughly confused by this behavior, and would appreciate any experts
    chiming in and cluing me in as to why 1) some servers are allowing remote
    encryption, while others are not, and 2) why locally-generated EFS certs
    are behaving this way.

    Our environment:
    - Windows 2000 native-mode domain
    - All DCs are Win2k, file servers are a 2k/2003 mix
    - Clients are 2000/XP; the OS of the client/server doesn't seem to
      matter: some 2k3 servers allow remote encryption, some don't, and some 2000
      servers allow, while others don't.

    Thanks,

    -Zack-

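An audit script added here as an illustration of the two checks the thread turns on (it is not from any poster): which computer accounts actually carry the TRUSTED_FOR_DELEGATION flag that remote EFS is supposed to require, and whether a file on a given server is really stored encrypted and who holds keys that can decrypt it. It assumes a domain-joined Windows host with PowerShell and `cipher.exe /c` (XP SP2 / Server 2003 and later); the server names and UNC paths are placeholders.

```powershell
# Added audit example, not code from the thread. Server names and the probe
# path below are placeholders; replace them with your own file servers.

# 1) Computer accounts with TRUSTED_FOR_DELEGATION (userAccountControl bit
#    0x80000 = 524288), found with the LDAP bitwise-AND matching rule.
#    Remote EFS encryption is only supposed to work against these servers.
$delegFilter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))'
$searcher = [adsisearcher]$delegFilter
$searcher.PageSize = 1000
$trusted = @($searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] })
"Computer accounts trusted for delegation:"
$trusted

# 2) For each file server, report whether it is trusted for delegation and
#    whether a probe file on it carries the Encrypted attribute server-side.
#    A server that is NOT trusted but still holds encrypted files is exactly
#    the inconsistency described in the thread and deserves a closer look.
$servers = @('FS-PLACEHOLDER-1', 'FS-PLACEHOLDER-2')
$report = foreach ($s in $servers) {
    $isTrusted = $trusted -contains $s
    $probe = "\\$s\share\efs-probe.txt"      # placeholder path
    if (Test-Path -LiteralPath $probe) {
        $attrs = [System.IO.File]::GetAttributes($probe)
        $isEncrypted = ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0
    } else {
        $isEncrypted = $null                  # probe file absent on this server
    }
    [pscustomobject]@{
        Server               = $s
        TrustedForDelegation = $isTrusted
        ProbeEncrypted       = $isEncrypted
    }
}
$report | Format-Table -AutoSize

# 3) Who can decrypt a given encrypted file: cipher /c lists the users whose
#    certificates have access plus any recovery agents, which is how to confirm
#    that the local Administrator's key has really been removed from the policy.
foreach ($s in $servers) {
    $probe = "\\$s\share\efs-probe.txt"
    if (Test-Path -LiteralPath $probe) { cipher.exe /c $probe }
}
```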
