Re: EFS

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 09/25/03


Date: Thu, 25 Sep 2003 13:49:02 -0700


I will not argue about EFS architecture - the decisions weren't mine and I
won't claim to agree or disagree with them.

- In most cases, the user's password is needed to decrypt the files even
with the Elcomsoft software. If I know a user's password, I can already
access the encrypted files.
- Any local admin that can install a filter driver is yet another attack
vector.

Note that with XP and Server 2003, EFS over WebDAV is enabled. EFS over
WebDAV mitigates against both of these attacks, blocking Elcomsoft unless you
also run from a machine that has the user's keys.

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Dmitry Korolyov" <d__k@nospamformorons.mail.ru> wrote in message
news:uCZYwM2gDHA.1760@TK2MSFTNGP09.phx.gbl...
> In other words, for a regular scenario where security sensible project
> files stored in a single folder need to be encrypted and shared between
> members of the project group, you force us to manually add users who will
> be able to decrypt to each of the hundreds of files and subfolders, instead
> of making it a single and simple option at a parent folder level. Yes, the
> folder as an object itself does not contain anything to encrypt, yet it
> could have some attributes which may propagate to subfolders and files,
> automatically configuring "efs sharing" for them.
>
> On the other hand, why would anyone want to use EFS on a file server in a
> shared scenario? If the server isn't protected PHYSICALLY, it does not
> matter what other tricks you use. Just wait a few months and Elcomsoft's
> EFS Data Recovery will be able to grab data from Server 2003, not only from
> W2k, XP and XP SP1.
>
> -- 
> Dmitry Korolyov,
> d__k@nospamformorons.mail.ru
> To e-mail me, remove "nospamformorons".
>
>
> "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> news:#m8RYFigDHA.1760@TK2MSFTNGP09.phx.gbl...
> > IMHO "EFS file sharing" is an unfortunate choice of words on Microsoft's
> > part.  It confuses the EFS behavior with concepts like network shares.
> > Because the folder itself isn't likely to have any interesting NTFS
> > streams and because we don't cascade EFS metadata from a parent folder to
> > all of its child objects, we don't support adding users to a folder.
> >
> > For EFS best practices, see:
> >
> > http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp
> >
> > -- 
> > Drew Cooper [MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> >
> > "V" <ismmm@hotmail.com> wrote in message
> > news:ORI0JCegDHA.632@tk2msftngp13.phx.gbl...
> > > In W2K3, I'm aware that you can share EFSed files with others by using
> > > the details button, but is there a way to share EFSed folders? If not,
> > > why would you share individual files and not be able to allow sharing of
> > > folders?
> > >
> > >
> >
> >
>
>
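The per-file sharing step the thread complains about (no folder-level "add user", so each of hundreds of encrypted files has to be touched individually) can at least be scripted. The following PowerShell function is an added example, not code from any participant in the thread. It inventories the EFS-encrypted files under a folder and appends one more certificate to each of them with cipher.exe /ADDUSER. It assumes a Windows release whose cipher.exe has the /ADDUSER switch (Windows Vista / Server 2008 and later; the 2003-era cipher.exe discussed here did not), that the caller can already decrypt the files, and that $CertThumbprint is the SHA-1 thumbprint of the colleague's EFS certificate (the thumbprint in the usage line is a placeholder).

```powershell
# Added example, not from the thread. Assumes cipher.exe with /ADDUSER (Vista / Server 2008 and later).
function Grant-EfsFileAccess {
    param(
        [Parameter(Mandatory)] [string] $Root,            # folder whose encrypted files should be shared
        [Parameter(Mandatory)] [string] $CertThumbprint,  # SHA-1 thumbprint of the additional user's EFS certificate
        [switch] $WhatIf                                  # list the affected files, change nothing
    )

    $encrypted = [System.IO.FileAttributes]::Encrypted

    # Only files carry EFS key material (the $EFS stream); a folder carries just the
    # "encrypt new children" flag, which is why there is nothing to add a user to at folder level.
    $files = Get-ChildItem -Path $Root -File -Recurse -Force |
        Where-Object { ($_.Attributes -band $encrypted) -eq $encrypted }

    Write-Host ("{0} EFS-encrypted file(s) under {1}" -f @($files).Count, $Root)

    $failed = @()
    foreach ($f in $files) {
        if ($WhatIf) { Write-Host "Would add $CertThumbprint to $($f.FullName)"; continue }

        # cipher.exe recovers the file's FEK with the caller's own key and writes a new
        # Data Decryption Field for the given certificate, so the caller must already be
        # one of the users who can decrypt the file.
        & cipher.exe /adduser "/certhash:$CertThumbprint" $f.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { $failed += $f.FullName }
    }

    # Verify: cipher /c prints, per file, the certificates that can decrypt it.
    if (-not $WhatIf) {
        foreach ($f in $files) { & cipher.exe /c $f.FullName }
    }
    return $failed   # paths cipher.exe rejected, for follow-up
}

# Usage (placeholder thumbprint; run as a user who can already decrypt the files):
# Grant-EfsFileAccess -Root 'D:\Projects\Shared' -CertThumbprint '0000000000000000000000000000000000000000' -WhatIf
```

A single `cipher.exe /adduser /certhash:<thumbprint> /s:<folder>` performs the same recursive update by itself; the function above adds the inventory and the `cipher /c` verification pass. Because the folder's encryption flag only causes new files to be encrypted with their creator's key, the step has to be repeated for files added later, which is the consequence of the "no cascading EFS metadata" design described in the thread.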
