RE: EPS
- From: krcmd1 <krcmd1@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Jun 2007 08:07:02 -0700
Is there any need to remove the certificates from the laptop or does that
render encryption/decryption inoperative?
Thank you.
"Pat Hoffer [MSFT]" wrote:
You are right that EFS will protect the files from a malicious user who gains
access to the drive where the files are stored. The EFS certificate and key
are stored in the laptop user's profile directory and protected with a hash
of the user's password. (Encourage your users to use strong logon
passwords.) The thief would need both to access the certificate and key and
then the files.
Creating backups is very important. If for some reason the laptop user
loses access to the files, that user can regain access after importing the
certificate and key from a backup. If the laptops are under a domain policy
that has a recovery certificate and that policy has applied to the files, the
files can also be recovered using that recovery certificate and key.
General information about EFS and data recovery:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
Information about EFS on Windows XP (This includes the exporting and
importing of certificates. You can get directly to the user's Certificates
store by running certmgr.msc and expanding the Personal node. You can also
get it by running mmc.exe, adding the Certificates snap-in for the current
user, and expanding the Personal node. EFS usually uses only one certificate
per user for encrypting all files; but if there are multiple EFS certificates
in the store, back up all to be safe.):
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c18621675.mspx
Thanks.
Pat
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Andy" wrote:
After having some laptops stolen we wish to add a layer of security to our
standalone notebooks which prevents the thief gaining access to the
hard drive partitions when they reinstall the OS or slave the drive.
From reading around, EFS is the answer.
Can anyone advise me if my theory is good?
- We encrypt all the folders on the PC.
- The folders remain workable to the user but if the computer is stolen
these folders cannot be accessed even if a new OS is installed.
- We need to back up the certificate and keys for each folder we encrypt
just in case there is a problem later. To do this we open the Certificates
snap-in and export them from there - however where/what is the
"Certificates snap-in"?! I cannot locate this in Accessories or anywhere
else.
I would appreciate any feedback from any security experts on this matter.
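
The backup step discussed in this thread (export every EFS certificate and key from the user's Personal store) can also be scripted. The following is an added example, not part of any post in the thread; it assumes Windows 8 / Server 2012 or later, where the PKI module's Export-PfxCertificate is available, and the destination path is hypothetical.

```powershell
# Added example: back up every EFS certificate that has a private key from the
# current user's Personal store to password-protected PFX files.
# Assumptions: Windows 8 / Server 2012 or later (PKI module present);
# $BackupDir is a hypothetical path on removable media kept away from the laptop.
param(
    [string]$BackupDir = 'E:\efs-backup'   # hypothetical destination
)

# Enhanced Key Usage OID for "Encrypting File System"
$EfsOid = '1.3.6.1.4.1.311.10.3.4'

# Cert:\CurrentUser\My is the "Personal" node shown in certmgr.msc
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid
})

if ($efsCerts.Count -eq 0) {
    Write-Warning 'No EFS certificates found in the Personal store.'
    return
}

$password = Read-Host -AsSecureString 'Password to protect the PFX files'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in $efsCerts) {
    # A certificate without its private key cannot decrypt anything,
    # so a backup of it alone is not a usable recovery copy.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): no private key in this profile, skipped."
        continue
    }

    $file = Join-Path $BackupDir ('efs-{0}.pfx' -f $cert.Thumbprint)
    try {
        # Fails if the key was created as non-exportable; report it, do not hide it.
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $password `
            -ErrorAction Stop | Out-Null
        Write-Output "Exported $($cert.Subject) (expires $($cert.NotAfter)) to $file"
    }
    catch {
        Write-Warning "$($cert.Thumbprint): export failed: $($_.Exception.Message)"
    }
}
```

The resulting PFX files contain the private keys, so store them offline and protect the password separately from the media.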