Re: External disk security

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/08/04

• Next message: anonymous_at_discussions.microsoft.com: "Re: Administrator account does not have rights"
• Previous message: Jud: "Re: Ip Tracking (email Tracking)"
• In reply to: Zen Andreas: "Re: External disk security"
• Next in thread: Zen Andreas: "Re: External disk security"
• Reply: Zen Andreas: "Re: External disk security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 08 Jun 2004 19:37:55 GMT

No. Encryption overrides ntfs permissions as far as access to the data. Another user
may be able to delete your data but not access unless they are a recovery agent on
the file or know your password AND have access to the EFS private keys. You can not
add recovery agents after the fact. If your disk was stolen and attached to another
computer, they would not be able to access your EFS files if your and the recovery
agents private keys are not on the disk which would still require your password to
access. Let someone who has never had their computer connected to your drive connect
it to their computer and you will see they can not access the data in the EFS files
even it they give themselves full control of the drive or folders. --- Steve

"Zen Andreas" <zen8069@zen.co.uk> wrote in message
news:OwIOf2YTEHA.3660@tk2msftngp13.phx.gbl...
> I have tried this, but noticed that if you give the disk to
> someone who happens to use Win2000 too and is logged in as an
> administrator, he or she can add himself to the list of users
> granting himself access to the directories without any
> trouble..... This would make encryption obsolete?
> This worked without copying a certificate to the other machine...
>
> Is there anyway of simply restricting it to 2 computers? On both
> computers I have administrator access and I do not need it on any
> other computer...
>
> Many thanks for your help.
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:L3nxc.4940$0y.4172@attbi_s03...
> > The only way would be to use encryption such as EFS. If the
> drive has no operating
> > system on it and no user profiles then a third party finding it
> would not be able to
> > decrypt the EFS files since they would not have access to the
> EFS private key that is
> > needed and stored in the users and recovery agents profile. In
> W2K two parties can
> > decrypt EFS files - the user who decrypted them and the
> designated recovery agent[s]
> > who would be the built in administrator account by default on a
> stand a alone machine
> > and possibly a domain administrator,etc on a domain machine.
> Efs info can show what
> > users can decrypt a file and their related thumbprint info for
> the associated
> > certificate/private key. If you use EFS if is a good idea to
> run cipher /w on the
> > drive before shutting down to try to remove any cleartext
> remnants of encrypted
> > files. EFS has it's hazards in that if you have to reinstall
> the operating system and
> > you do not back up your EFS private keys, you will lose
> permanent access to your
> > data. Be sure to read the link below on EFS best
> ractices. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
> >
> > "Zen Andreas" <zen8069@zen.co.uk> wrote in message
> > news:u9e6cVWTEHA.2236@TK2MSFTNGP09.phx.gbl...
> > > I have an external disk (60GB) which I use daily between my
> home-
> > > and the office-computer.
> > > Both computers run Win2000.
> > >
> > > I have tried to encrypt the data and add user rights, but
> using
> > > other computers this is easy to change once logged in as
> > > administrator on a third party Win2k computer.
> > > What is the best way of securing access to this (firewire)
> disk
> > > (or directories) such that if I loose it "no one" can have
> (easy)
> > > access to it?
> > >
> > > Many thanks
> > >
> > > --
> > > Zen Andreas
> > >
> > >
> >
> >
>
>

---

• Next message: anonymous_at_discussions.microsoft.com: "Re: Administrator account does not have rights"
• Previous message: Jud: "Re: Ip Tracking (email Tracking)"
• In reply to: Zen Andreas: "Re: External disk security"
• Next in thread: Zen Andreas: "Re: External disk security"
• Reply: Zen Andreas: "Re: External disk security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: External disk security ... The only way would be to use encryption such as EFS. ... decrypt the EFS files since they would not have access to the EFS private key that is ... (microsoft.public.win2000.security) Re: Dynamic disk ... purpose and for day-to-day use aren't recommended. ... with Encryption (EFS) are once enabled, ... your drives in "Basic Disk" mode. ... (microsoft.public.windowsxp.general) Re: 128 Bit Encryption ... > I was asked if we use encryption where I work and I ... > 2000 server." ... Encrypting data on disk (I.e., EFS) ... (microsoft.public.win2000.security) RE: Protecting sensitive files on a Windows file server ... especially secure (using the file encryption is better though). ... Protecting sensitive files on a Windows file server ... recovery (which can also break EFS) and online password/data recovery ... (Security-Basics) Re: EFS Private Keys ... It's possible to have a cluster that was in use that couldn't be wiped. ... > syskey was to EFS in W2K, ... >>> the private keys are protected however the key to the private key is ... >>> stronger encryption available for EFSfiles permanently if you don't. ... (microsoft.public.win2000.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)