Re: EFS file recovery on Win2k
From: Peter Thelin (peter.thelin@vasteras.se)
Date: 02/09/03
From: "Peter Thelin" <peter.thelin@vasteras.se> Date: Sun, 9 Feb 2003 13:11:08 +0100
We've currently got an NT4 running as PDC so I think that all of this nice
functionality isn't available to me yet, is it? Then we have "NDS for NT"
running on the PDC just to make things interesting... :)
The performance hit is cheap considering the consequences if classified
information is lost. I work at a local government agency and among other
things some of my users store information about "protected citizens" - e.g.
stalked ex-wives, etc... An additional "motivator" for the users to accept
the performance hit is that if he can be found to be negligent in any way he
could be facing a jail sentence...
I also have legal requirements that dictate that nothing can be lost or
destroyed - so I must be able to recover the information.
I'll take a thorough look at the link you gave me!
Thanks!!
Peter
"x y" <levinson_k@despammed.com> wrote in message
news:ek4zVAtzCHA.1840@TK2MSFTNGP12...
>
> "Peter Thelin" <peter.thelin@vasteras.se> wrote in message
> news:ODe5lYrzCHA.1636@TK2MSFTNGP12...
> > On WinXP you can create a Recovery Agent key using "Cipher
> > /R:EFSRecoveryAgent" - How do you do on Win2k?
> >
> > Can ANY admin recover files or does it have to be ".\Administrator".
> >
> > Can the admin recover files even if there is no recoveryagent?
> >
> > Has anybody actually used EFS in an organisation (I've got 6 000 clients
> > and about 23 000 users) and got it to work fine?
> >
> > What are the pitfalls and DO's and DON'Ts?
>
> Win2000 EFS works a little differently but also allows you to set up other
> accounts to be EFS recovery agents, using the instructions below:
>
> http://securityadmin.info/faq.htm#efs
>
> You definitely want to back up the encryption keys, and store them somewhere
> securely. Any file encryption technology tends to cause some sort of
> performance hit, and runs the risk of losing your files in the event of a
> disaster or malfunction [such as when windows is reinstalled or stops
> booting and the encryption keys were not backed up]. Some white papers on
> the internet claim that old unencrypted copies of data files are deleted by
> the OS but might still be found by using a variety of undelete tools. There
> are some limitations to EFS, such as it won't encrypt your entire hard drive
> or Windows system folders, and sharing files with other users may be an
> issue.
>
> Since EFS is tied to the user account, EFS is compromised if the account
> password is compromised. If the computer is not in a domain and syskey
> encryption is at the default setting, the local administrator account in the
> SAM file can be manipulated to allow an intruder with physical access to the
> computer to reset the password and access EFS. [XP takes some additional
> precautions against this, but I'm not sure this attack is completely
> impossible there.] So, EFS is probably more effective for domain
> workstations.
>
>
>
>