Re: EFS and user's password

From: x y (jamescagney90210@excite.com)
Date: 05/16/02


From: "x y" <jamescagney90210@excite.com>
Date: Thu, 16 May 2002 00:35:15 -0400


"Drew Cooper [MS]" <dcoop@online.microsoft.com> wrote in message
news:elirMvE$BHA.2384@tkmsftngp02...
> An exploit with tools like that (there are several) is stopped cold in
> Windows2000 by using syskey in either password or floppy mode.
> In WindowsXP, syskey is only needed if a machine is using an encrypted
> client-side-cache.
>

Yes, though as I understand it, password and floppy mode require a password
or a floppy be entered every time Windows is started. This may not be
acceptable to some users.

If these syskey authentication modes are not used and the PC is allowed to
boot up normally, then the answer is yes. If the PC is not in a domain, the
local admin can decrypt any EFS encrypted files on the PC, and there are a
number of well-known ways documented on the internet to reset the admin
password and thus get your files. My belief is that if the computer is a
member of a domain, the domain administrator is the EFS recovery agent, and
so your files may be somewhat safer from being decrypted.

OR, use PGP freeware or any other file encryption software which does not
have these issues.

In either case, be sure you have backed up your EFS encryption keys so that
you can decrypt your files if something goes horribly wrong with EFS.