Re: Windows Encryption - All too easy workaround?
From: Carey Frisch [MVP] (cnfrisch_at_nospamgmail.com)
Date: 03/11/05
Date: Fri, 11 Mar 2005 15:06:10 -0600
If someone were to change the account password, the encrypted files
would remain encrypted and inaccessible. Windows XP creates a randomly
generated file encryption key (FEK) and then transparently encrypts the data,
using this FEK, as it is being written to disk. The FEK, and therefore the data
it encrypts, can be decrypted only with your certificate and its associated private key,
which are only available when you log on with your correct user name and password.
Other users who attempt to use your encrypted files receive an "access denied" message.
Even other administrators who have permission to take ownership of files are unable to
open your encrypted files.
Third-party tools could gain access to your computer, but not the encrypted files.
Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/EN-US/
You could also set a BIOS password that would prevent someone
from making a change to the boot order. Always set your hard drive
as the first bootable device, and not the CD Drive or floppy drive.
Therefore no one could boot into your system using a CD or floppy
disk.
--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

------------------------------------------------------------------------------

"AberTech" wrote:

| I have recently been looking into using the encryption tool in WinXP Pro for
| added privacy/security. Then someone at work told me about a bootable CD
| from winternals.com(?) called Super Acronis or Locksmith which allows you to
| change the password for any user on that machine. A reboot later and you
| can log on to that account - including Administrator with the new password.
| As it is the account that your files were encrypted with, anyone who did
| this would automatically be granted access to the encrypted files. They
| even give you a 5 day working demo available for free!
|
| On looking at this NG I can see recent posts 'Forgotton Logon password'
| which also cover this.
|
| If this is so easy to do, it made me wonder if there is much point in using
| Windows' encryption? Is the purchase of 3rd party software necessary to
| ensure that files can be made secure/private?
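
An added illustration, not part of the original post and not Windows code: a simplified Python model of the key chain described in the reply above, where the password protects the user's key and that key wraps a random per-file FEK. The `Account` class, `seal`/`unseal` and the toy HMAC-based cipher are assumptions made for this sketch, with a symmetric key standing in for the certificate's private key; it contrasts a normal password change with a reset that only overwrites the logon verifier.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode), a stand-in for a real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("access denied")  # wrong key: blob stays sealed
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def pw_key(password, label, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), label + salt, 50_000)

class Account:  # constructed model, not the real EFS/DPAPI formats
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.logon_hash = pw_key(password, b"logon", self.salt)
        # Stand-in for the certificate's private key, stored only in wrapped form.
        self.wrapped_user_key = seal(pw_key(password, b"wrap", self.salt), os.urandom(32))

    def logon(self, password):
        return hmac.compare_digest(self.logon_hash, pw_key(password, b"logon", self.salt))

    def _user_key(self, password):
        return unseal(pw_key(password, b"wrap", self.salt), self.wrapped_user_key)

    def encrypt_file(self, password, data):
        fek = os.urandom(32)  # random per-file encryption key (FEK)
        return seal(self._user_key(password), fek), seal(fek, data)

    def decrypt_file(self, password, efs_file):
        wrapped_fek, body = efs_file
        return unseal(unseal(self._user_key(password), wrapped_fek), body)

    def change_password(self, old, new):  # old password known: key is re-wrapped
        key = self._user_key(old)
        self.logon_hash = pw_key(new, b"logon", self.salt)
        self.wrapped_user_key = seal(pw_key(new, b"wrap", self.salt), key)

    def offline_reset(self, new):  # reset without the old password: verifier only
        self.logon_hash = pw_key(new, b"logon", self.salt)
```

In this model, `logon` succeeds with the new password after `offline_reset`, while `decrypt_file` raises `PermissionError` because the wrapped key is still sealed under the old password.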