Guest h128 Posted October 3, 2008 Posted October 3, 2008 Hello (Apologies for crosspost, I do not know where to post it. Searched something similar without result.) I'm new to EFS. I would understand how to use it and to expect from it. I have read many sites and many theory but not much I have found in practice. I have done the following things. I have crypted some files using the property tab of a directory. After, I have exported the private key in a separate file. I have set the flag delete if successful export, and it told me something like "you can not anymore delete or decrypt..." I am confused now, because I CAN STILL open and do everything with these files. So, what is the point of exporting and deleting the key??? Maybe it has still it somewhere, I thought... So, I went in the same snap in console and I deleted under certificates- personal the entry with my account name, and under reliable accounts I did same thing. After this, I CAN STILL open and do everything with these encrypted files. So, I changed the admin password and (obviously)... after this, I CAN STILL open and do everything with these encrypted files! I do not understand what to do to render unusable these files without the little key file I have removed from PC (everyone says put in floppy - no floppy from years ago here - and keep safe, ok but what is this? if i still access the files) If someone steal the hard disk and reset the admin password with some utilities, he can still read these files? EFS work only if the disk is put in another PC as slave? Please help or address to a pratical tutorial... Thx
Guest Shenan Stanley Posted October 4, 2008 Posted October 4, 2008 Re: Help with EFS h128 wrote: > Hello > (Apologies for crosspost, I do not know where to post it. Searched > something similar without result.) > > I'm new to EFS. > > I would understand how to use it and to expect from it. I have read > many sites and many theory but not much I have found in practice. > > I have done the following things. > > I have crypted some files using the property tab of a directory. > > After, I have exported the private key in a separate file. I have > set the flag delete if successful export, and it told me something like > "you can not anymore delete or decrypt..." > I am confused now, because I CAN STILL open and do everything with > these files. So, what is the point of exporting and deleting the > key??? > Maybe it has still it somewhere, I thought... > > So, I went in the same snap in console and I deleted under > certificates- personal the entry with my account name, and under > reliable accounts I did same thing. > > After this, I CAN STILL open and do everything with these encrypted > files. > So, I changed the admin password and (obviously)... after this, I > CAN STILL open and do everything with these encrypted files! > > I do not understand what to do to render unusable these files > without the little key file I have removed from PC (everyone says put in > floppy - no floppy from years ago here - and keep safe, ok but what > is this? if i still access the files) > > If someone steal the hard disk and reset the admin password with > some utilities, he can still read these files? EFS work only if the > disk is put in another PC as slave? > > Please help or address to a pratical tutorial... Yes. You can access them with your account without any input. Silently.. However - if someone changes your password using a method other than logging in with your current password and changing it as you (say someone with administrative rights resets it) - then those files cannot be accessed by you (nor could they ever have been accessed by anyone else on the computer.) That's where exporting the key comes in. Best practices for the Encrypting File System http://support.microsoft.com/kb/223316 You also want to know that you might have to change other things when using EFS in order to secure it more fully. Where Does EFS Fit into your Security Plan? http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan.html What is EFS? How can I use it to protect my files and folders? http://www.petri.co.il/what's_efs.htm -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html
Guest David H. Lipman Posted October 4, 2008 Posted October 4, 2008 Re: Help with EFS From: "h128" <nospam@nospamst.com> | Hello | (Apologies for crosspost, I do not know where to post it. Searched | something similar without result.) | I'm new to EFS. | I would understand how to use it and to expect from it. I have read many | sites and many theory but not much I have found in practice. | I have done the following things. | I have crypted some files using the property tab of a directory. | After, I have exported the private key in a separate file. I have set | the flag delete if successful export, and it told me something like "you | can not anymore delete or decrypt..." | I am confused now, because I CAN STILL open and do everything with these | files. So, what is the point of exporting and deleting the key??? | Maybe it has still it somewhere, I thought... | So, I went in the same snap in console and I deleted under certificates- | personal the entry with my account name, and under reliable accounts I | did same thing. | After this, I CAN STILL open and do everything with these encrypted files. | So, I changed the admin password and (obviously)... after this, I CAN | STILL open and do everything with these encrypted files! | I do not understand what to do to render unusable these files without | the little key file I have removed from PC (everyone says put in floppy | - no floppy from years ago here - and keep safe, ok but what is this? if | i still access the files) | If someone steal the hard disk and reset the admin password with some | utilities, he can still read these files? EFS work only if the disk is | put in another PC as slave? | Please help or address to a pratical tutorial... | Thx A EFS certificate in in your personal Certificate Store. As long as that cert. is still in your store thaan you can decrypt the files. If you delete the EFS cert. from the store, your files are lost. That why you backup the cert. If the cert. is deleted from your personal cert. store you can restore the cert. and decrypt the files again. BTW: The news group needed and you didn't find is; microsoft.public.security.crypto -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest h128 Posted October 4, 2008 Posted October 4, 2008 Re: Help with EFS Shenan Stanley wrote: > h128 wrote: >> Hello >> (Apologies for crosspost, I do not know where to post it. Searched >> something similar without result.) >> >> I'm new to EFS. >> >> I would understand how to use it and to expect from it. I have read >> many sites and many theory but not much I have found in practice. >> >> I have done the following things. >> >> I have crypted some files using the property tab of a directory. >> >> After, I have exported the private key in a separate file. I have >> set the flag delete if successful export, and it told me something like >> "you can not anymore delete or decrypt..." >> I am confused now, because I CAN STILL open and do everything with >> these files. So, what is the point of exporting and deleting the >> key??? >> Maybe it has still it somewhere, I thought... >> >> So, I went in the same snap in console and I deleted under >> certificates- personal the entry with my account name, and under >> reliable accounts I did same thing. >> >> After this, I CAN STILL open and do everything with these encrypted >> files. >> So, I changed the admin password and (obviously)... after this, I >> CAN STILL open and do everything with these encrypted files! >> >> I do not understand what to do to render unusable these files >> without the little key file I have removed from PC (everyone says put in >> floppy - no floppy from years ago here - and keep safe, ok but what >> is this? if i still access the files) >> >> If someone steal the hard disk and reset the admin password with >> some utilities, he can still read these files? EFS work only if the >> disk is put in another PC as slave? >> >> Please help or address to a pratical tutorial... > > > Yes. > You can access them with your account without any input. Silently.. > > However - if someone changes your password using a method other than logging > in with your current password and changing it as you (say someone with > administrative rights resets it) - then those files cannot be accessed by > you (nor could they ever have been accessed by anyone else on the computer.) > > That's where exporting the key comes in. > > Best practices for the Encrypting File System > http://support.microsoft.com/kb/223316 > > You also want to know that you might have to change other things when using > EFS in order to secure it more fully. > > Where Does EFS Fit into your Security Plan? > http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan.html > > What is EFS? How can I use it to protect my files and folders? > http://www.petri.co.il/what's_efs.htm > Thank you very much for your answer. I was experimenting EFS in an expendable WinXP PC, my real problem is a server where an SQL Server resides. It seems the sole mode to secure database files is encrypting the whole file system (apart crypt any single column of any table...), otherwise it is possible to copy them in another SQL Server installation (reading customers and credit cards and so on, it is the usual eshop site...), so EFS jumped in. I was worried a physical access to the machine could compromise privacy, like resetting administrator password from outside after grabbing the hard disk. Do you think there are further details for my specific problem, or the info and links you provided is enough and cover any use of the encryption?
Guest h128 Posted October 4, 2008 Posted October 4, 2008 Re: Help with EFS David H. Lipman wrote: > BTW: The news group needed and you didn't find is; microsoft.public.security.crypto Thank you I will search it, it is years I do not enter in Usenet.
Guest Patrick Keenan Posted October 4, 2008 Posted October 4, 2008 Re: Help with EFS "h128" <nospam@nospamst.com> wrote in message news:48e6c245$0$1078$4fafbaef@reader2.news.tin.it... > Shenan Stanley wrote: >> h128 wrote: >>> Hello >>> (Apologies for crosspost, I do not know where to post it. Searched >>> something similar without result.) >>> >>> I'm new to EFS. >>> >>> I would understand how to use it and to expect from it. I have read >>> many sites and many theory but not much I have found in practice. >>> >>> I have done the following things. >>> >>> I have crypted some files using the property tab of a directory. >>> >>> After, I have exported the private key in a separate file. I have >>> set the flag delete if successful export, and it told me something like >>> "you can not anymore delete or decrypt..." >>> I am confused now, because I CAN STILL open and do everything with >>> these files. So, what is the point of exporting and deleting the >>> key??? >>> Maybe it has still it somewhere, I thought... >>> >>> So, I went in the same snap in console and I deleted under >>> certificates- personal the entry with my account name, and under >>> reliable accounts I did same thing. >>> >>> After this, I CAN STILL open and do everything with these encrypted >>> files. >>> So, I changed the admin password and (obviously)... after this, I >>> CAN STILL open and do everything with these encrypted files! Yes. And at that point, it'd be a good idea to update the exported credential disk. However, if you now create another Admin level account and change the password of that original account from there, you will find that you no longer have decrypt access, until you re-import the credentials. The same will happen if you boot with a Linux password-reset tool and change it that way. >>> >>> I do not understand what to do to render unusable these files >>> without the little key file I have removed from PC (everyone says put in >>> floppy - no floppy from years ago here - and keep safe, ok but what >>> is this? if i still access the files) >>> >>> If someone steal the hard disk and reset the admin password with >>> some utilities, he can still read these files? No. In that case, they'll see the files, but only in encrypted format. Since you have a test system, which is great, you can show this to yourself. Easy to do with a $25 USB2 drive adapter. >>>EFS work only if the >>> disk is put in another PC as slave? EFS will allow decrypt access *if* you enter the account via a normal logon. If the password was reset from outside, decrypt is lost until the credentials are re-imported. >>> Please help or address to a pratical tutorial... >> >> >> Yes. >> You can access them with your account without any input. Silently.. >> >> However - if someone changes your password using a method other than >> logging in with your current password and changing it as you (say someone >> with administrative rights resets it) - then those files cannot be >> accessed by you (nor could they ever have been accessed by anyone else on >> the computer.) >> >> That's where exporting the key comes in. >> >> Best practices for the Encrypting File System >> http://support.microsoft.com/kb/223316 >> >> You also want to know that you might have to change other things when >> using >> EFS in order to secure it more fully. >> >> Where Does EFS Fit into your Security Plan? >> http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan.html >> >> What is EFS? How can I use it to protect my files and folders? >> http://www.petri.co.il/what's_efs.htm >> > > Thank you very much for your answer. > > I was experimenting EFS in an expendable WinXP PC, my real problem is a > server where an SQL Server resides. I'd like to say it's great to hear that you are trying this out for yourself on an expendable system rather than on real data. > It seems the sole mode to secure database files is encrypting the whole > file system (apart crypt any single column of any table...), otherwise it > is possible to copy them in another SQL Server installation You probably want to see this happen yourself. Log onto your test machine and copy some encrypted data to a folder on another system, or even a disk. You'll likely find that the copy is not encrypted because you have the correct credentials. Then, reverse the process - try connecting to the test system by way of another system - just browse the network, find the encrypted file, and copy it. Compare your results. > (reading customers and credit cards and so on, it is the usual eshop > site...), This may mean that there are legal requirements you must meet regarding data protection. You need to investigate this. > so EFS jumped in. > > I was worried a physical access to the machine could compromise privacy, You are right to. Physical access definitely compromises privacy. If someone can sit at the keyboard, the data is vulnerable. > like resetting administrator password from outside after grabbing the > hard disk. That's actually "safer" than having an unauthorised person sitting at the keyboard. And it's also part of why you need to be sure you have really good backups. This is one of the key features - and problems - with EFS. If the password is changed from outside the account, the credentials are invalidated and at that moment decrypt access to encrypted data is permanently lost, UNLESS the original account credentials are re-imported. Restoring the original password won't fix it. You need the credentials. This becomes a problem is when a Windows reinstall is done, which disrupts the credentials, and the user didn't export the originals. For you, it would also be a problem if that were your only copy of the data, or if the backups required the original credentials and you no longer have them. If you've stored them on the same hard disk in an unencrypted area, they are available to everybody. If you stored them in an encrypted area, nobody gets them. They should be on an external disk in a very secure location, with regular refreshes. One copy only is not really a great idea. As to floppies - yes, XP wants to export to floppies, get a $20 external USB floppy drive. It's a handy tool to have around. > Do you think there are further details for my specific problem, or the > info and links you provided is enough and cover any use of the encryption? You need to continue to test so you understand what's happening, and examine privacy legislation in your area to see what is legally required and what other companies do to comply with it. You also need to deal with the physical access issue, as well as secure and current backups. Be sure you can restore them to another system. EFS offers strong encryption that is easy to use and can help you, but you also need to understand its limitations adnd implications and how they can hurt you. HTH -pk
Guest David H. Lipman Posted October 4, 2008 Posted October 4, 2008 Re: Help with EFS From: "Patrick Keenan" <test@dev.null> | "h128" <nospam@nospamst.com> wrote in message | news:48e6c245$0$1078$4fafbaef@reader2.news.tin.it... >> Shenan Stanley wrote: >>> h128 wrote: >>>> Hello >>>> (Apologies for crosspost, I do not know where to post it. Searched >>>> something similar without result.) >>>> I'm new to EFS. >>>> I would understand how to use it and to expect from it. I have read >>>> many sites and many theory but not much I have found in practice. >>>> I have done the following things. >>>> I have crypted some files using the property tab of a directory. >>>> After, I have exported the private key in a separate file. I have >>>> set the flag delete if successful export, and it told me something like >>>> "you can not anymore delete or decrypt..." >>>> I am confused now, because I CAN STILL open and do everything with >>>> these files. So, what is the point of exporting and deleting the >>>> key??? >>>> Maybe it has still it somewhere, I thought... >>>> So, I went in the same snap in console and I deleted under >>>> certificates- personal the entry with my account name, and under >>>> reliable accounts I did same thing. >>>> After this, I CAN STILL open and do everything with these encrypted >>>> files. >>>> So, I changed the admin password and (obviously)... after this, I >>>> CAN STILL open and do everything with these encrypted files! | Yes. And at that point, it'd be a good idea to update the exported | credential disk. | However, if you now create another Admin level account and change the | password of that original account from there, you will find that you no | longer have decrypt access, until you re-import the credentials. | The same will happen if you boot with a Linux password-reset tool and change | it that way. >>>> I do not understand what to do to render unusable these files >>>> without the little key file I have removed from PC (everyone says put in >>>> floppy - no floppy from years ago here - and keep safe, ok but what >>>> is this? if i still access the files) >>>> If someone steal the hard disk and reset the admin password with >>>> some utilities, he can still read these files? | No. In that case, they'll see the files, but only in encrypted format. | Since you have a test system, which is great, you can show this to yourself. | Easy to do with a $25 USB2 drive adapter. >>>>EFS work only if the >>>> disk is put in another PC as slave? | EFS will allow decrypt access *if* you enter the account via a normal logon. | If the password was reset from outside, decrypt is lost until the | credentials are re-imported. >>>> Please help or address to a pratical tutorial... >>> Yes. >>> You can access them with your account without any input. Silently.. >>> However - if someone changes your password using a method other than >>> logging in with your current password and changing it as you (say someone >>> with administrative rights resets it) - then those files cannot be >>> accessed by you (nor could they ever have been accessed by anyone else on >>> the computer.) >>> That's where exporting the key comes in. >>> Best practices for the Encrypting File System >>> http://support.microsoft.com/kb/223316 >>> You also want to know that you might have to change other things when >>> using >>> EFS in order to secure it more fully. >>> Where Does EFS Fit into your Security Plan? >>> http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan. >>> html >>> What is EFS? How can I use it to protect my files and folders? >>> http://www.petri.co.il/what's_efs.htm >> Thank you very much for your answer. >> I was experimenting EFS in an expendable WinXP PC, my real problem is a >> server where an SQL Server resides. | I'd like to say it's great to hear that you are trying this out for yourself | on an expendable system rather than on real data. >> It seems the sole mode to secure database files is encrypting the whole >> file system (apart crypt any single column of any table...), otherwise it >> is possible to copy them in another SQL Server installation | You probably want to see this happen yourself. Log onto your test machine | and copy some encrypted data to a folder on another system, or even a disk. | You'll likely find that the copy is not encrypted because you have the | correct credentials. | Then, reverse the process - try connecting to the test system by way of | another system - just browse the network, find the encrypted file, and copy | it. Compare your results. >> (reading customers and credit cards and so on, it is the usual eshop >> site...), | This may mean that there are legal requirements you must meet regarding data | protection. You need to investigate this. >> so EFS jumped in. >> I was worried a physical access to the machine could compromise privacy, | You are right to. Physical access definitely compromises privacy. If | someone can sit at the keyboard, the data is vulnerable. >> like resetting administrator password from outside after grabbing the >> hard disk. | That's actually "safer" than having an unauthorised person sitting at the | keyboard. And it's also part of why you need to be sure you have really | good backups. | This is one of the key features - and problems - with EFS. If the password | is changed from outside the account, the credentials are invalidated and at | that moment decrypt access to encrypted data is permanently lost, UNLESS the | original account credentials are re-imported. Restoring the original | password won't fix it. You need the credentials. | This becomes a problem is when a Windows reinstall is done, which disrupts | the credentials, and the user didn't export the originals. | For you, it would also be a problem if that were your only copy of the data, | or if the backups required the original credentials and you no longer have | them. | If you've stored them on the same hard disk in an unencrypted area, they are | available to everybody. If you stored them in an encrypted area, nobody | gets them. They should be on an external disk in a very secure location, | with regular refreshes. One copy only is not really a great idea. | As to floppies - yes, XP wants to export to floppies, get a $20 external USB | floppy drive. It's a handy tool to have around. >> Do you think there are further details for my specific problem, or the >> info and links you provided is enough and cover any use of the encryption? | You need to continue to test so you understand what's happening, and examine | privacy legislation in your area to see what is legally required and what | other companies do to comply with it. You also need to deal with the | physical access issue, as well as secure and current backups. Be sure | you can restore them to another system. | EFS offers strong encryption that is easy to use and can help you, but you | also need to understand its limitations adnd implications and how they can | hurt you. | HTH | -pk EFS is NOT dependent upon the account password. EFS is dependent upon a OS (or Domain) generated EFS Certificate that is stored in the Personal Certificate Store. Example: I logon to this PC as "lipman" and I have captured a picture of the view of my Personal Certificate Store showing the OS generated EFS certificate { Note: I removed my Smart Card certs from my personal store first :-) } You will note this the gernerated certificate has a life span of ~100 years. A life expectancy to outlast the encrypted data and as long as this cert. stays in my personal store I can decrypt the encrypted files. NOTE: Files and folders that are encrypted will show in GREEN colour in Explorer views. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest John John (MVP) Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS David H. Lipman wrote: > From: "Patrick Keenan" <test@dev.null> > > | "h128" <nospam@nospamst.com> wrote in message > | news:48e6c245$0$1078$4fafbaef@reader2.news.tin.it... > >>>Shenan Stanley wrote: >>> >>>>h128 wrote: >>>> >>>>>Hello >>>>>(Apologies for crosspost, I do not know where to post it. Searched >>>>>something similar without result.) > > >>>>>I'm new to EFS. > > >>>>>I would understand how to use it and to expect from it. I have read >>>>>many sites and many theory but not much I have found in practice. > > >>>>>I have done the following things. > > >>>>>I have crypted some files using the property tab of a directory. > > >>>>>After, I have exported the private key in a separate file. I have >>>>>set the flag delete if successful export, and it told me something like >>>>>"you can not anymore delete or decrypt..." >>>>>I am confused now, because I CAN STILL open and do everything with >>>>>these files. So, what is the point of exporting and deleting the >>>>>key??? >>>>>Maybe it has still it somewhere, I thought... > > >>>>>So, I went in the same snap in console and I deleted under >>>>>certificates- personal the entry with my account name, and under >>>>>reliable accounts I did same thing. > > >>>>>After this, I CAN STILL open and do everything with these encrypted >>>>>files. >>>>>So, I changed the admin password and (obviously)... after this, I >>>>>CAN STILL open and do everything with these encrypted files! > > > > | Yes. And at that point, it'd be a good idea to update the exported > | credential disk. > > | However, if you now create another Admin level account and change the > | password of that original account from there, you will find that you no > | longer have decrypt access, until you re-import the credentials. > > | The same will happen if you boot with a Linux password-reset tool and change > | it that way. > > > > >>>>>I do not understand what to do to render unusable these files >>>>>without the little key file I have removed from PC (everyone says put in >>>>>floppy - no floppy from years ago here - and keep safe, ok but what >>>>>is this? if i still access the files) > > >>>>>If someone steal the hard disk and reset the admin password with >>>>>some utilities, he can still read these files? > > > | No. In that case, they'll see the files, but only in encrypted format. > > | Since you have a test system, which is great, you can show this to yourself. > | Easy to do with a $25 USB2 drive adapter. > > >>>>>EFS work only if the >>>>>disk is put in another PC as slave? > > > | EFS will allow decrypt access *if* you enter the account via a normal logon. > | If the password was reset from outside, decrypt is lost until the > | credentials are re-imported. > > > >>>>>Please help or address to a pratical tutorial... > > > >>>>Yes. >>>>You can access them with your account without any input. Silently.. > > >>>>However - if someone changes your password using a method other than >>>>logging in with your current password and changing it as you (say someone >>>>with administrative rights resets it) - then those files cannot be >>>>accessed by you (nor could they ever have been accessed by anyone else on >>>>the computer.) > > >>>>That's where exporting the key comes in. > > >>>>Best practices for the Encrypting File System >>>>http://support.microsoft.com/kb/223316 > > >>>>You also want to know that you might have to change other things when >>>>using >>>>EFS in order to secure it more fully. > > >>>>Where Does EFS Fit into your Security Plan? >>>>http://www.windowsecurity.com/articles/Where_Does_EFS_Fit_into_your_Security_Plan. >>>>html > > >>>>What is EFS? How can I use it to protect my files and folders? >>>>http://www.petri.co.il/what's_efs.htm > > > >>>Thank you very much for your answer. > > >>>I was experimenting EFS in an expendable WinXP PC, my real problem is a >>>server where an SQL Server resides. > > > | I'd like to say it's great to hear that you are trying this out for yourself > | on an expendable system rather than on real data. > > >>>It seems the sole mode to secure database files is encrypting the whole >>>file system (apart crypt any single column of any table...), otherwise it >>>is possible to copy them in another SQL Server installation > > > | You probably want to see this happen yourself. Log onto your test machine > | and copy some encrypted data to a folder on another system, or even a disk. > | You'll likely find that the copy is not encrypted because you have the > | correct credentials. > > | Then, reverse the process - try connecting to the test system by way of > | another system - just browse the network, find the encrypted file, and copy > | it. Compare your results. > > > >>>(reading customers and credit cards and so on, it is the usual eshop >>>site...), > > > | This may mean that there are legal requirements you must meet regarding data > | protection. You need to investigate this. > > >>>so EFS jumped in. > > >>>I was worried a physical access to the machine could compromise privacy, > > > | You are right to. Physical access definitely compromises privacy. If > | someone can sit at the keyboard, the data is vulnerable. > > >>> like resetting administrator password from outside after grabbing the >>>hard disk. > > > | That's actually "safer" than having an unauthorised person sitting at the > | keyboard. And it's also part of why you need to be sure you have really > | good backups. > > | This is one of the key features - and problems - with EFS. If the password > | is changed from outside the account, the credentials are invalidated and at > | that moment decrypt access to encrypted data is permanently lost, UNLESS the > | original account credentials are re-imported. Restoring the original > | password won't fix it. You need the credentials. > > | This becomes a problem is when a Windows reinstall is done, which disrupts > | the credentials, and the user didn't export the originals. > > | For you, it would also be a problem if that were your only copy of the data, > | or if the backups required the original credentials and you no longer have > | them. > > | If you've stored them on the same hard disk in an unencrypted area, they are > | available to everybody. If you stored them in an encrypted area, nobody > | gets them. They should be on an external disk in a very secure location, > | with regular refreshes. One copy only is not really a great idea. > > | As to floppies - yes, XP wants to export to floppies, get a $20 external USB > | floppy drive. It's a handy tool to have around. > > >>>Do you think there are further details for my specific problem, or the >>>info and links you provided is enough and cover any use of the encryption? > > > | You need to continue to test so you understand what's happening, and examine > | privacy legislation in your area to see what is legally required and what > | other companies do to comply with it. You also need to deal with the > | physical access issue, as well as secure and current backups. Be sure > | you can restore them to another system. > > | EFS offers strong encryption that is easy to use and can help you, but you > | also need to understand its limitations adnd implications and how they can > | hurt you. > > | HTH > | -pk > > > > EFS is NOT dependent upon the account password. > EFS is dependent upon a OS (or Domain) generated EFS Certificate that is stored in the > Personal Certificate Store. > > Example: > I logon to this PC as "lipman" and I have captured a picture of the view of my Personal > Certificate Store showing the OS generated EFS certificate > { Note: I removed my Smart Card certs from my personal store first :-) } > > You will note this the gernerated certificate has a life span of ~100 years. A life > expectancy to outlast the encrypted data and as long as this cert. stays in my personal > store I can decrypt the encrypted files. > > NOTE: Files and folders that are encrypted will show in GREEN colour in Explorer views. I think that if you were to change your password with a third party utiliy like Petter Nordahl's Offline Registry Editor you might find your certificate to be invalid. John
Guest David H. Lipman Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS From: "John John (MVP)" <audetweld@nbnet.nb.ca> | I think that if you were to change your password with a third party | utiliy like Petter Nordahl's Offline Registry Editor you might find your | certificate to be invalid. | John I'd like to see that tested as the EFS concept is not based upon the password. Only the account SID and the EFS certificate. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Shenan Stanley Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS <snip> John John (MVP) wrote: > I think that if you were to change your password with a third party > utiliy like Petter Nordahl's Offline Registry Editor you might > find your certificate to be invalid. David H. Lipman wrote: > I'd like to see that tested as the EFS concept is not based upon > the password. Only the account SID and the EFS certificate. This article: http://support.microsoft.com/kb/290260 .... seems to point to the fact that forcefully changing the users password through means other than doing it *as the user* may cause issues with EFS... Specifically: "After you reset the password of an account on a Windows XP-based computer that is joined to a workgroup, you may lose access to the user's: • Web page credentials. • File share credentials. • EFS-encrypted files. • Certificates with private keys (SIGNED/ENCRYPTed e-mail)." AND "Recovering Access to Encrypted EFS Data If you have encrypted some of your files by using the Encrypting File System (EFS), you have additional options to recover access to those encrypted files. The following provisions apply only to EFS encrypted files, and will not recover access to saved credentials or certificates. If you have previously exported the user's EFS private key from the user's account, you may import the key back into the account and recover access to the encrypted files. If you did not export the private key and you have defined a Data Recovery Agent (DRA) prior to encrypting the files, you may regain access to EFS files as the Data Recovery Agent. For additional information about how to recover data in this case, click the article number below to view the article in the Microsoft Knowledge Base: 255742 ( http://support.microsoft.com/kb/255742/EN-US/ ) Methods for Recovering Encrypted Data Files If you do not have the required items or information specified for the preceding recovery solutions, the data is permanently encrypted, and cannot be recovered." Not that I wouldn't mind seeing it tested, camtasia'd and put on the web for me to see. ;-) -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html
Guest John John (MVP) Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS David H. Lipman wrote: > From: "John John (MVP)" <audetweld@nbnet.nb.ca> > > | I think that if you were to change your password with a third party > | utiliy like Petter Nordahl's Offline Registry Editor you might find your > | certificate to be invalid. > > | John > > I'd like to see that tested as the EFS concept is not based upon the password. Only the > account SID and the EFS certificate. Petter mentions it here: http://home.eunet.no/~pnordahl/ntpasswd/faq.html Also note the following from Microsoft's Technet: Master Key Loss and Data Recovery If a logon password is forgotten or if an administrator resets a user password, the user’s master keys become inaccessible. Because the decryption key is derived from the user’s password, the system is unable to decrypt the master keys. Without the master keys, EFS-encrypted files are also inaccessible to the user and can be recovered only by a data recovery agent, if one has been configured, or through the use of a password reset disk (PRD), if one has been created. For more information, see article 290260, “EFS, Credentials, and Private Keys from Certificates Are Unavailable After a Password Is Reset,” in the Microsoft Knowledge Base at http://support.microsoft.com. http://technet.microsoft.com/en-us/library/bb457116.aspx EFS, Credentials, and Private Keys from Certificates Are Unavailable After a Password Is Reset http://support.microsoft.com/kb/290260 John
Guest David H. Lipman Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS From: "Shenan Stanley" <newshelper@gmail.com> | <snip> | John John (MVP) wrote: >> I think that if you were to change your password with a third party >> utiliy like Petter Nordahl's Offline Registry Editor you might >> find your certificate to be invalid. | David H. Lipman wrote: >> I'd like to see that tested as the EFS concept is not based upon >> the password. Only the account SID and the EFS certificate. | This article: | http://support.microsoft.com/kb/290260 | ... seems to point to the fact that forcefully changing the users password | through means other than doing it *as the user* may cause issues with EFS... | Specifically: | "After you reset the password of an account on a Windows XP-based computer | that is joined to a workgroup, you may lose access to the user's: | • Web page credentials. | • File share credentials. | • EFS-encrypted files. | • Certificates with private keys (SIGNED/ENCRYPTed e-mail)." | AND | "Recovering Access to Encrypted EFS Data | If you have encrypted some of your files by using the Encrypting File System | (EFS), you have additional options to recover access to those encrypted | files. The following provisions apply only to EFS encrypted files, and will | not recover access to saved credentials or certificates. | If you have previously exported the user's EFS private key from the user's | account, you may import the key back into the account and recover access to | the encrypted files. | If you did not export the private key and you have defined a Data Recovery | Agent (DRA) prior to encrypting the files, you may regain access to EFS | files as the Data Recovery Agent. For additional information about how to | recover data in this case, click the article number below to view the | article in the Microsoft Knowledge Base: | 255742 ( http://support.microsoft.com/kb/255742/EN-US/ ) Methods for | Recovering Encrypted Data Files | If you do not have the required items or information specified for the | preceding recovery solutions, the data is permanently encrypted, and cannot | be recovered." | Not that I wouldn't mind seeing it tested, camtasia'd and put on the web for | me to see. ;-) | -- | Shenan Stanley | MS-MVP | -- | How To Ask Questions The Smart Way | http://www.catb.org/~esr/faqs/smart-questions.html I think the statement... "After you reset the password of an account on a Windows XP-based computer that is joined to a workgroup, you may lose access to the user's: • Web page credentials. • File share credentials. • EFS-encrypted files. • Certificates with private keys (SIGNED/ENCRYPTed e-mail)." concerns the SID. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS From: "John John (MVP)" <audetweld@nbnet.nb.ca> | David H. Lipman wrote: >> From: "John John (MVP)" <audetweld@nbnet.nb.ca> >> | I think that if you were to change your password with a third party >> | utiliy like Petter Nordahl's Offline Registry Editor you might find your >> | certificate to be invalid. >> | John >> I'd like to see that tested as the EFS concept is not based upon the password. Only >> the >> account SID and the EFS certificate. | Petter mentions it here: http://home.eunet.no/~pnordahl/ntpasswd/faq.html | Also note the following from Microsoft's Technet: | Master Key Loss and Data Recovery | If a logon password is forgotten or if an administrator resets a user | password, the user’s master keys become inaccessible. Because the | decryption key is derived from the user’s password, the system is unable | to decrypt the master keys. Without the master keys, EFS-encrypted files | are also inaccessible to the user and can be recovered only by a data | recovery agent, if one has been configured, or through the use of a | password reset disk (PRD), if one has been created. For more | information, see article 290260, “EFS, Credentials, and Private Keys | from Certificates Are Unavailable After a Password Is Reset,” in the | Microsoft Knowledge Base at http://support.microsoft.com. | http://technet.microsoft.com/en-us/library/bb457116.aspx | EFS, Credentials, and Private Keys from Certificates Are Unavailable | After a Password Is Reset | http://support.microsoft.com/kb/290260 | John OK. That's interesting and I'll make note of that to test it. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS From: "John John (MVP)" <audetweld@nbnet.nb.ca> OK -- I concede, I was mistaken. This is an important point in the light of EFS being a DAR complaint solution. If a malicious actor steals a notebook that has data encrypted using EFS, the actor will be unable to decrypt the data even if the password to the account has been cracked. This is different in the situation of cryptographic logons where account names and passwords are not used, a Smart Card is used for account authentication. In thta scenario the malicious actor would need physical access to the Smart Card and have to know the PIN. ** My apologies go to Patrick Keenan for injecting faux information into the thread. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest sandy58 Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS On Oct 4, 12:57 am, h128 <nos...@nospamst.com> wrote: > Hello > (Apologies for crosspost, I do not know where to post it. Searched > something similar without result.) > > I'm new to EFS. > > I would understand how to use it and to expect from it. I have read many > sites and many theory but not much I have found in practice. > > I have done the following things. > > I have crypted some files using the property tab of a directory. > > After, I have exported the private key in a separate file. I have set > the flag delete if successful export, and it told me something like "you > can not anymore delete or decrypt..." > I am confused now, because I CAN STILL open and do everything with these > files. So, what is the point of exporting and deleting the key??? > > Maybe it has still it somewhere, I thought... > > So, I went in the same snap in console and I deleted under certificates- > personal the entry with my account name, and under reliable accounts I > did same thing. > > After this, I CAN STILL open and do everything with these encrypted files.. > > So, I changed the admin password and (obviously)... after this, I CAN > STILL open and do everything with these encrypted files! > > I do not understand what to do to render unusable these files without > the little key file I have removed from PC (everyone says put in floppy > - no floppy from years ago here - and keep safe, ok but what is this? if > i still access the files) > > If someone steal the hard disk and reset the admin password with some > utilities, he can still read these files? EFS work only if the disk is > put in another PC as slave? > > Please help or address to a pratical tutorial... > Thx http://www.microsoft.com/technet/security/smallbusiness/topics/cryptographyetc/protect_data_efs.mspx Hope this helps, h128. Good luck
Guest h128 Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS Thank you all for the interesting thread. By the way, David, microsoft.public.security.crypto is not in my news server, sorry. Patrick Keenan wrote: > > Yes. And at that point, it'd be a good idea to update the exported > credential disk. > While it is everything you all said enough clear, this point leave me a doubt. I have tried exporting private key with the option "delete after successful exportation", after this, successive exports are not available, so I would ask what exactly you meant. In fact, it is not clear, if the OS deletes private key after the export, my doubt can be formulated such way (I am not saying it is not my fault if I have still doubts): it can still decrypt the files (without logging out, or changing password, or removing disks and so on...) so that key should be somewhere else on the system... so what it deleted? In another words, ff "all the necessary stuff for decryption (whatever this is)" remains on disk after removing that key after export, this "necessary stuff" is still there if the disk is physically stolen... or not? > The same will happen if you boot with a Linux password-reset tool and change > it that way. In fact, I am now a bit more secure about the disks removed without consent. I do know utilities for resetting passwords with a physical disk with installed Windows, but I do not know if there are similar programs for virtual Windows installations over some *nix machine as many economic ISP do for hosting. > I'd like to say it's great to hear that you are trying this out for yourself > on an expendable system rather than on real data. (that site is core of company, that was obvious for good common sense first...) > As to floppies - yes, XP wants to export to floppies, get a $20 external USB > floppy drive. It's a handy tool to have around. That was humorous, I meant every site I visited (before this newsgroup) said: store the key in a floppy, instead of "in a safe place" (an usb key for example). > You need to continue to test so you understand what's happening, and examine > privacy legislation in your area to see what is legally required and what > other companies do to comply with it. You also need to deal with the > physical access issue, as well as secure and current backups. Be sure > you can restore them to another system. Actually it is easy that the legal requirements are different from technical ones, so when I am sure of a work I leave details to the company lawyer. I mean, if I can be sincere, I do not care so much of the LEGAL stuff, in front of the ILLEGAL stuff, like corrupt ISP employess lending disk images to another company, laptops with sensitive data forgotten on a taxi, or sold and found on ebay... So I think it is a lucky thing my new comapny choose an economic ISP without automated backup service, otherwise even if I encrypt now, maybe old unencrypted backup copies still exist somewhere in the ISP building! (better than nothing, for a thief) As for recovery, I never meant to rely of EFS for it. I backup data unencrypted and I crypt them with third part utility, I trust more, not for the raw level of encryption, but for these many dark details we are discussing here. EFS is just the first tool I wanted try for protection "on the fly", if the original disk is stolen or destroyed it is not a big issue using a 2 day old backup, compared with the disclosure of the database content. Again, thx to all.
Guest Shenan Stanley Posted October 5, 2008 Posted October 5, 2008 Re: Help with EFS <snipped> h128 wrote: <snipped> > By the way, David, microsoft.public.security.crypto is not in my > news server, sorry. For Microsoft related newsgroups - you should likely point your newsreader to news.microsoft.com or msnews.microsoft.com (as the server.) It's your best choice for reading Microsoft Newsgroups. http://www.microsoft.com/communities/guide/nntpnews.mspx Good Luck! -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html
Recommended Posts