Re: EFS is a joke!
From: Markus Jansson (jansson_markus@ziplip.com) Date: 01/26/02
From: Markus Jansson <jansson_markus@ziplip.com> Date: Sat, 26 Jan 2002 22:20:27 GMT
On Sat, 26 Jan 2002 19:57:06 GMT, alun@texis.com (Alun Jones) wrote:
> You seem to be missing a couple of basics of security yourself.
No, but you have. Read what I wrote. :)
> And this is why any Windows 2000/XP administrator worth his/her salt makes
> sure to:
> a) strictly limit physical access to the hardware
Can't do that. And if he could do that, why use EFS at all? NTFS would be sufficient!
> b) rename the built-in administrator account
Oh, that makes it a bit harder. Takes a few more seconds to find out what it is...
> c) create EFS recovery agents other than the built-in administrator, and
> assign them instead of administrator as the default recover agent(s).
So? As you root the computer, you can change the user passwords. Or you can
change them from the boot diskette too. After you have deleted the user login
passphrase (or altered it to something else), all you need to do is to boot the
Win2k/XP, type in username and blank passphrase (or the passphrase you have
created) and you are in and can access EFS in plaintext!
You don't have to get the recovery keys but the key itself!
> EFS isn't a solution to all security problems. It provides limited protection
> only (for instance, it doesn't protect against someone blowing up your server,
> in which case your data is lost). You seem to be expecting it to be a
> panacea.
I expect it to do what Microsoft promises it to do, that is:
http://www.microsoft.com/windowsxp/pro/using/howto/security/encryptdata.asp
"Protects Against Data Theft
With EFS, you can choose to encrypt files and folders. Then, even if someone
gains access to the file, for example by stealing your laptop or a disk on which you
copied the file, they can't decrypt the file and see your information. EFS includes
multiple layers of encryption for security. Each file has a unique file encryption key,
which must be used to decrypt the file's data. The key is also encrypted and
available only to those who are authorized to see the data. EFS is integrated with
the file system making it more difficult to attack, and easier for you to manage."
That, my friend, it does not. So Microsoft is lying. I would also expect that the
encryption would be done in such a fashion that you can't decrypt it unless you are the
person (or know her passphrase)....in EFS's case, you can. With PGP, you can't.
Markus Jansson
------------------------------------------------
My security related homepages and PGP key:
http://www.markusjansson.net