Re: Crypt questions

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: Sun, 30 Jun 2002 01:10:00 -0700


"M O J O" <m o j o @ n e w w e b s o l u t i o n s . d k> wrote in message
news:OXvgM2vHCHA.1632@tkmsftngp10...
> Hi,
>
> I hope you will find some time to answer my questions ... please :o)
>
will try

> I've never worked with Windows XP Pro encryption before, so please forgive
> my lack of knowledge.
>
we all start somewhere

> Here are my questions:
>
> 1) Is WinXP Pro encryption/decryption safe? I mean has it been hacked?
Not to my knowledge, but it seems likely that the default algorithm
is within reach of some agencies with mega CPU power.

> Buggy?
EFS in W2k and XP is not buggy.
However, there are some issues with what controls how
you can get a handle on what is needed to decrypt files
in XP (specifically, with what happens when an account's
password is changed). AFAIK these are fixed in XP SP1
and these can also be worked around in the English version.
>
> 2) I use a moveable (slave) hard drive to take my data from work to home.
> If I encrypt data on this drive, will it be visible to both machines?
No. It will be encrypted and so not visible in the clear to all.
For the right account it can be decrypted if both accounts have
the correct certificate imported. If the machines are not both
XP (i.e. one is W2k) you will have some restrictions on what
algorithm you can use as there are more options here in XP
than in W2k. The default should work in both.
>
> 3) At work we have several laptops. If I encrypt the hard drives (NTFS) on
> these machines, will a thief be able to decrypt the data?
This depends. Are the machines in a domain or standalone, and
are they W2k or XP? Also, if the machines are probed for
their SAM and the accounts brute cracked, then the thief can
just log in with existing accounts. In this case, local accounts
(non-domain) that have their certs in them will let them at the
encrypted data just as they would allow the valid account holder.
W2k standalone has some weakness that can be prevented
but is present in the default state (take control of the default
recovery agent or remove the decryption key from the system).
XP in the default state no longer has this issue.
A secured environment would have the laptops with a recovery
agent defined and the decryption key removed, and the laptops
would require smartcard login when getting more extreme.
Given the above cares, and/or use of the machines in a domain,
there is very little the thief could do except throw time on a
supercomputer at attempting to get into the files.
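An added example (not part of the thread) of how an administrator can check the two points Roger raises for a laptop: which files are actually EFS-encrypted, and whether an EFS user key or a recovery-agent key is still sitting on the box, which is what a thief who cracks a local account inherits. It assumes PowerShell 3 or later, a folder path of your choosing in `$Path`, and the documented EFS and File Recovery EKU OIDs.

```powershell
# Added audit example, not from the original post. Assumes PowerShell 3+.
$Path        = 'D:\Data'                     # assumed folder holding the data
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'      # Encrypting File System EKU
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'    # File Recovery (recovery agent) EKU

function Get-EfsFileStatus {
    # Reports whether each file under $Root carries the NTFS Encrypted attribute.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File      = $_.FullName
                Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
            }
        }
}

function Get-EfsKeyInventory {
    # Lists certificates with an EFS or File Recovery EKU in the user and machine
    # stores. HasPrivateKey = $true means the decryption key is on this machine,
    # so anyone who can log in as that account can decrypt with it.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $oids = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            if ($oids -contains $EfsOid -or $oids -contains $RecoveryOid) {
                [pscustomobject]@{
                    Store           = $store
                    Subject         = $_.Subject
                    Thumbprint      = $_.Thumbprint
                    Role            = if ($oids -contains $RecoveryOid) { 'RecoveryAgent' } else { 'User' }
                    PrivateKeyOnBox = $_.HasPrivateKey
                }
            }
        }
    }
}

$files = Get-EfsFileStatus -Root $Path
$keys  = Get-EfsKeyInventory

"Files checked: $($files.Count); encrypted: $(@($files | Where-Object Encrypted).Count)"
$files | Where-Object { -not $_.Encrypted } | Select-Object -First 10 File
$keys  | Format-Table Store, Role, PrivateKeyOnBox, Subject -AutoSize

# The weak default Roger describes: a recovery agent whose private key was never
# exported and removed, so it is still usable from the laptop itself.
$keys | Where-Object { $_.Role -eq 'RecoveryAgent' -and $_.PrivateKeyOnBox } | ForEach-Object {
    Write-Warning "Recovery-agent private key present on this machine: $($_.Thumbprint)"
}
```

For a single file, `cipher /c <file>` on XP prints the user and recovery-agent certificates that can decrypt it, which is a quick cross-check of the inventory above.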
>
> Thanks!!!!!!!!!
>
> Regards,
> M O J O
