Re: EFS file recovery on Win2k

From: Daniel Billingsley (dbillingsley@NO.durcon.SPAAMM.com)
Date: 02/11/03

• Next message: David Cross [MS]: "Re: Acceesing certificate"
• Previous message: Brian Palombo: "Cannot Open Local Policy Database"
• In reply to: Karl Levinson [x y] mvp: "Re: EFS file recovery on Win2k"
• Next in thread: Peter Thelin: "Re: EFS file recovery on Win2k"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Daniel Billingsley" <dbillingsley@NO.durcon.SPAAMM.com>
Date: Tue, 11 Feb 2003 09:45:04 -0500

Yes Steven, exporting the private key of the recovery agent and then
deleting it is an important part of securing efs. I've recently learned the
hard way that this is a best practice and recommended by Microsoft.

As Karl says, on a standalone box the compromise of the local administrator
is the proverbial hacker's gold mine, and there are of course "tools" that
have been successfully directed there.

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:#ypAMMX0CHA.2596@TK2MSFTNGP12...
> Well, EFS security can be very secure or very insecure depending on how
you
> install it. If your Windows 2000 computer is not joined to a Windows 2000
> domain, then the local administrator account is probably the EFS recovery
> agent, and a hacker with physical access to your computer just needs to
> rename the SAM files or otherwise reset the Administrator account to be
able
> to log in as administrator annd decrypt your files. There are ways to
> secure this, you just need to be aware of how to fix this.
>
>
> "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> news:9DU0a.1892$PH1.1087378@newssrv26.news.prodigy.com...
> > Karl. Is that assuming recovery key had not been exported/deleted
from
> > stand alone computer?? I thought your EFS files are pretty safe as long
as
> > the user and recovery private keys are not on the computer (backed up
> > somehwhere else of course). --- Steve

---

• Next message: David Cross [MS]: "Re: Acceesing certificate"
• Previous message: Brian Palombo: "Cannot Open Local Policy Database"
• In reply to: Karl Levinson [x y] mvp: "Re: EFS file recovery on Win2k"
• Next in thread: Peter Thelin: "Re: EFS file recovery on Win2k"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Replace Domain Controller ... Depending on your EFS recovery you may also want to backup your EFS private ... Export your Private Key from Recovery Agent ... private key so that you can recover encrypted data in the event that you ... (microsoft.public.windows.server.active_directory) Re: Corrupted Admin Profile ... > My view on EFS: ... > Do not to use encryption unless you are in a domain and you know ... as well not having created a Recovery Agent (with backup of the ... > Q241201 How to Back Up Your Encrypting File System Private Key ... (microsoft.public.windowsxp.security_admin) Re: Corrupted Admin Profile ... > My view on EFS: ... > Do not to use encryption unless you are in a domain and you know ... as well not having created a Recovery Agent (with backup of the ... > Q241201 How to Back Up Your Encrypting File System Private Key ... (microsoft.public.windowsxp.security_admin) RE: XP native encryption ... If this is a stand-alone machine, the local administrator is the default ... (assuming the recovery key was not removed from ... I'm pretty familiar with EFS. ... then the only account that is ... (Security-Basics) Re: Cannot access files using backed-up EFS key... ... private key and then selected the option to delete the private key if export ... I suppose corruption of the EFS ... It would be in the user profile folder under documents and ... Support or with a program for EFS recovery from Elcomsoft ... (microsoft.public.windowsxp.security_admin)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)