Re: Please help me understand

From: "Steven L Umbach" <n9rou@attbi.com>
Date: Mon, 10 Mar 2003 03:19:26 GMT


By default XP in a non-domain environment will not create an EFS
recovery agent like W2K did. This was done of course to help prevent EFS
data decryption by unauthorized persons as you described, at the expense of
not having the administrator account be able to easily recover the files. I
just wish MS would offer the ability to display a log off/shutdown message
to users of EFS reminding them to save/export their keys and remind them
their data is not secure as long as they leave their key on their computer.
But I guess that would go over as well as those automatic shoulder seat
belts they had a few years back. -- Steve

http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp

"Karl Levinson [x y], mvp" <levinson_k@despammed.com> wrote in message
news:ehF5zLp5CHA.1512@TK2MSFTNGP12.phx.gbl...
> I think this shouldn't be a huge problem, because AFAIK the files can still
> be decrypted by an administrator that has the rights to do so... and also
> you really really want to back up your encryption keys as another way to
> prevent data loss. EFS can be very secure, but only if you implement it
> properly... otherwise, it's possible to lose your files or for them to not
> be terribly secure. More information on what you'd need to do:
>
> http://securityadmin.info/faq.htm#efs
>
>
> "An Metet" <anmetet@freedom.gmsociety.org> wrote in message
> news:2ccea48ca22dd806835bd115bf2d95e2@anonymous.poster...
>
> > My question:
> >
> > I simply can not understand why the assumption is made that the
> > administrator is malicious. Could somebody help me out with
> > this one? If somebody forgets a password then the administrator
> > is expected to be able to reset the password and restore access:
> > why on earth would they make it so that this was not possible?
>
>


