Re: win 2000 file encryption
From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 01/30/04
- Next message: Steven Umbach: "Re: messenger service"
- Previous message: Werner Miehle: "Administrator can not logon on the server in an interactive session"
- In reply to: Drew Cooper [MSFT]: "Re: win 2000 file encryption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 Jan 2004 08:45:37 GMT
Not to mention if they did all that and did not know about the concept of the
recovery agent, which is required in W2K, and they are not using the built-in
admin account as their user account, then there probably is still an EFS private
key for potential decryption of the files on the machine. --- Steve
"Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
news:ujghLBt5DHA.2380@TK2MSFTNGP10.phx.gbl...
> Security isn't a game of absolutes if you want a useful machine.
>
> Yes, the keys are on the HD. They're in that user's profile. They're
> encrypted by DPAPI, which through a series of keys encrypting other keys
> ultimately encrypts a key with the user's SID and password. So if you want
> EFS to be more secure, use a strong password.
>
> Yes, there would be some value in removing the keys, but the user experience
> would suck. It would flow like this:
> 1. Ok - I'm done on this machine now - I'll export my cert with private key,
> put them on a floppy if I haven't already done so, and delete them on the
> HD.
> 2. That material might still be on the disk even though I deleted it - I
> should scrub my drive.
> (half an hour later)
> 3. Ahh - I can finally log off.
> (back at the machine the next day)
> 4. Time to log on and do some work. Where's that floppy?
> (if floppy is lost so is the data, otherwise continue)
> 5. Here's the floppy! Import the certificate with private key.
> 6. Put the floppy in a safe so that someone else doesn't get the key pair.
> 7. Work's over! Time to go back to #1.
>
> The key on a USB dongle or a smartcard might make sense, but we don't
> currently offer that capability.
> --
> Drew Cooper [MSFT]
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Richard Jake" <sorry@sorry.com> wrote in message
> news:bvc7qo$q2c$1@jura.cc.ic.ac.uk...
> > I have set up an encrypted folder on a laptop running win2000.
> >
> > What I am concerned about is that both the encryption keys and the encrypted
> > files must be on the HD disk somewhere. In which case if the laptop was
> > stolen and someone transferred the HD to their PC, surely all the information
> > (keys + files) for de-encrypting the files will be available to them.
> >
> > Surely for it to be secure one of the keys must be kept external to the
> > laptop.
>
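Steve's point is that even when the user's own EFS key pair has been exported and removed, a recovery agent's private key (in Windows 2000 typically the built-in Administrator account's) may still be sitting on the machine. As an added example that is not part of this thread, the following PowerShell inventories certificates carrying the Microsoft EFS and File Recovery EKUs that still have private keys in the current user's and the machine's personal stores; the function name is mine, and the two EKU OIDs are the standard Microsoft values.

```powershell
# Added example (not from the thread): which EFS-capable private keys are still
# on this machine? Assumes PowerShell 3+ with the Cert: provider available.
$efsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System (user key)
$recoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (data recovery agent key)

function Get-EfsKeyMaterial {
    param(
        # Personal stores to inspect; CurrentUser only covers the profile running this.
        [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                $ekus = $_.EnhancedKeyUsageList.ObjectId
                ($ekus -contains $efsEku) -or ($ekus -contains $recoveryEku)
            } |
            ForEach-Object {
                # A File Recovery EKU marks a recovery agent key; otherwise a user EFS key.
                $role = if ($_.EnhancedKeyUsageList.ObjectId -contains $recoveryEku) {
                    'RecoveryAgent'
                } else {
                    'User'
                }
                [pscustomobject]@{
                    Store         = $store
                    Role          = $role
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey   # $true: decryption possible from this profile
                    NotAfter      = $_.NotAfter
                }
            }
    }
}

# Any row with Role 'RecoveryAgent' and HasPrivateKey $true is the case Steve describes:
# a key on the disk that can decrypt the files regardless of the user's own key.
Get-EfsKeyMaterial | Sort-Object Role, Store | Format-Table -AutoSize
```

The CurrentUser store is per profile, so run this in each account that has logged on to the laptop (the built-in Administrator in particular) rather than relying on one pass.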