EFS and System Cryptography Group Policy - Windows XP SP2

From: Brent (Brent_at_discussions.microsoft.com)
Date: 03/14/05


Date: Mon, 14 Mar 2005 10:57:04 -0800

I am trying to secure a standalone laptop computer that contains sensitive
data. Some information in the Resource Kit and Knowledge Base has me
confused.

In Chapter 17 of the Windows XP Resource Kit it states, quote:

"You can strengthen security by replacing the default DESX algorithm with
3DES. In a stand-alone environment, enabling 3DES is recommended."

In a Knowledge Base article, quote:

"Encrypting File System (EFS) is also affected by this setting. By default,
Windows XP uses the Data Encryption Standard (DESX) algorithm with a 56-bit
key length. If the Windows high encryption pack is installed, the key length
for this algorithm is Triple-DES (3DES) or 128 bits. By default, on Windows
XP Service Pack 1 (SP1)-based and Windows Server 2003-based computers, EFS
uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key
length. However, if you enable the System cryptography: Use FIPS compliant
algorithms for encryption, hashing, and signing setting on these computers,
the operating system will use 3DES with a 128-bit key length instead."

So am I reducing the level of security by enabling the group policy on an XP
SP2 computer or increasing it?

(http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prnb_efs_awzg.asp)

http://support.microsoft.com/kb/811833


