A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » Security and Administration with Windows XP
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

Help with EFS



 
 
Thread Tools Display Modes
  #1  
Old October 4th 08, 12:57 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
h128
external usenet poster
 
Posts: 12
Default Help with EFS

Hello
(Apologies for crosspost, I do not know where to post it. Searched
something similar without result.)

I'm new to EFS.

I would understand how to use it and to expect from it. I have read many
sites and many theory but not much I have found in practice.

I have done the following things.

I have crypted some files using the property tab of a directory.

After, I have exported the private key in a separate file. I have set
the flag delete if successful export, and it told me something like "you
can not anymore delete or decrypt..."
I am confused now, because I CAN STILL open and do everything with these
files. So, what is the point of exporting and deleting the key???

Maybe it has still it somewhere, I thought...

So, I went in the same snap in console and I deleted under certificates-
personal the entry with my account name, and under reliable accounts I
did same thing.

After this, I CAN STILL open and do everything with these encrypted files.

So, I changed the admin password and (obviously)... after this, I CAN
STILL open and do everything with these encrypted files!

I do not understand what to do to render unusable these files without
the little key file I have removed from PC (everyone says put in floppy
- no floppy from years ago here - and keep safe, ok but what is this? if
i still access the files)

If someone steal the hard disk and reset the admin password with some
utilities, he can still read these files? EFS work only if the disk is
put in another PC as slave?

Please help or address to a pratical tutorial...
Thx

Ads
  #2  
Old October 4th 08, 01:28 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
Shenan Stanley
external usenet poster
 
Posts: 10,523
Default Help with EFS

h128 wrote:
Hello
(Apologies for crosspost, I do not know where to post it. Searched
something similar without result.)

I'm new to EFS.

I would understand how to use it and to expect from it. I have read
many sites and many theory but not much I have found in practice.

I have done the following things.

I have crypted some files using the property tab of a directory.

After, I have exported the private key in a separate file. I have
set the flag delete if successful export, and it told me something like
"you can not anymore delete or decrypt..."
I am confused now, because I CAN STILL open and do everything with
these files. So, what is the point of exporting and deleting the
key???
Maybe it has still it somewhere, I thought...

So, I went in the same snap in console and I deleted under
certificates- personal the entry with my account name, and under
reliable accounts I did same thing.

After this, I CAN STILL open and do everything with these encrypted
files.
So, I changed the admin password and (obviously)... after this, I
CAN STILL open and do everything with these encrypted files!

I do not understand what to do to render unusable these files
without the little key file I have removed from PC (everyone says put in
floppy - no floppy from years ago here - and keep safe, ok but what
is this? if i still access the files)

If someone steal the hard disk and reset the admin password with
some utilities, he can still read these files? EFS work only if the
disk is put in another PC as slave?

Please help or address to a pratical tutorial...



Yes.
You can access them with your account without any input. Silently..

However - if someone changes your password using a method other than logging
in with your current password and changing it as you (say someone with
administrative rights resets it) - then those files cannot be accessed by
you (nor could they ever have been accessed by anyone else on the computer.)

That's where exporting the key comes in.

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316

You also want to know that you might have to change other things when using
EFS in order to secure it more fully.

Where Does EFS Fit into your Security Plan?
http://www.windowsecurity.com/articl...rity_Plan.html

What is EFS? How can I use it to protect my files and folders?
http://www.petri.co.il/what's_efs.htm

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


  #3  
Old October 4th 08, 01:49 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Help with EFS

From: "h128"

| Hello
| (Apologies for crosspost, I do not know where to post it. Searched
| something similar without result.)

| I'm new to EFS.

| I would understand how to use it and to expect from it. I have read many
| sites and many theory but not much I have found in practice.

| I have done the following things.

| I have crypted some files using the property tab of a directory.

| After, I have exported the private key in a separate file. I have set
| the flag delete if successful export, and it told me something like "you
| can not anymore delete or decrypt..."
| I am confused now, because I CAN STILL open and do everything with these
| files. So, what is the point of exporting and deleting the key???

| Maybe it has still it somewhere, I thought...

| So, I went in the same snap in console and I deleted under certificates-
| personal the entry with my account name, and under reliable accounts I
| did same thing.

| After this, I CAN STILL open and do everything with these encrypted files.

| So, I changed the admin password and (obviously)... after this, I CAN
| STILL open and do everything with these encrypted files!

| I do not understand what to do to render unusable these files without
| the little key file I have removed from PC (everyone says put in floppy
| - no floppy from years ago here - and keep safe, ok but what is this? if
| i still access the files)

| If someone steal the hard disk and reset the admin password with some
| utilities, he can still read these files? EFS work only if the disk is
| put in another PC as slave?

| Please help or address to a pratical tutorial...
| Thx


A EFS certificate in in your personal Certificate Store. As long as that cert. is still
in your store thaan you can decrypt the files. If you delete the EFS cert. from the
store, your files are lost. That why you backup the cert. If the cert. is deleted from
your personal cert. store you can restore the cert. and decrypt the files again.

BTW: The news group needed and you didn't find is; microsoft.public.security.crypto

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #4  
Old October 4th 08, 02:09 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
h128
external usenet poster
 
Posts: 12
Default Help with EFS

Shenan Stanley wrote:
h128 wrote:
Hello
(Apologies for crosspost, I do not know where to post it. Searched
something similar without result.)

I'm new to EFS.

I would understand how to use it and to expect from it. I have read
many sites and many theory but not much I have found in practice.

I have done the following things.

I have crypted some files using the property tab of a directory.

After, I have exported the private key in a separate file. I have
set the flag delete if successful export, and it told me something like
"you can not anymore delete or decrypt..."
I am confused now, because I CAN STILL open and do everything with
these files. So, what is the point of exporting and deleting the
key???
Maybe it has still it somewhere, I thought...

So, I went in the same snap in console and I deleted under
certificates- personal the entry with my account name, and under
reliable accounts I did same thing.

After this, I CAN STILL open and do everything with these encrypted
files.
So, I changed the admin password and (obviously)... after this, I
CAN STILL open and do everything with these encrypted files!

I do not understand what to do to render unusable these files
without the little key file I have removed from PC (everyone says put in
floppy - no floppy from years ago here - and keep safe, ok but what
is this? if i still access the files)

If someone steal the hard disk and reset the admin password with
some utilities, he can still read these files? EFS work only if the
disk is put in another PC as slave?

Please help or address to a pratical tutorial...



Yes.
You can access them with your account without any input. Silently..

However - if someone changes your password using a method other than logging
in with your current password and changing it as you (say someone with
administrative rights resets it) - then those files cannot be accessed by
you (nor could they ever have been accessed by anyone else on the computer.)

That's where exporting the key comes in.

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316

You also want to know that you might have to change other things when using
EFS in order to secure it more fully.

Where Does EFS Fit into your Security Plan?
http://www.windowsecurity.com/articl...rity_Plan.html

What is EFS? How can I use it to protect my files and folders?
http://www.petri.co.il/what's_efs.htm


Thank you very much for your answer.

I was experimenting EFS in an expendable WinXP PC, my real problem is a
server where an SQL Server resides.

It seems the sole mode to secure database files is encrypting the whole
file system (apart crypt any single column of any table...), otherwise
it is possible to copy them in another SQL Server installation (reading
customers and credit cards and so on, it is the usual eshop site...), so
EFS jumped in.

I was worried a physical access to the machine could compromise privacy,
like resetting administrator password from outside after grabbing the
hard disk.

Do you think there are further details for my specific problem, or the
info and links you provided is enough and cover any use of the encryption?
  #5  
Old October 4th 08, 02:11 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
h128
external usenet poster
 
Posts: 12
Default Help with EFS

David H. Lipman wrote:

BTW: The news group needed and you didn't find is; microsoft.public.security.crypto


Thank you I will search it, it is years I do not enter in Usenet.
  #6  
Old October 4th 08, 11:19 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
Patrick Keenan
external usenet poster
 
Posts: 4,415
Default Help with EFS

"h128" wrote in message
. ..
Shenan Stanley wrote:
h128 wrote:
Hello
(Apologies for crosspost, I do not know where to post it. Searched
something similar without result.)

I'm new to EFS.

I would understand how to use it and to expect from it. I have read
many sites and many theory but not much I have found in practice.

I have done the following things.

I have crypted some files using the property tab of a directory.

After, I have exported the private key in a separate file. I have
set the flag delete if successful export, and it told me something like
"you can not anymore delete or decrypt..."
I am confused now, because I CAN STILL open and do everything with
these files. So, what is the point of exporting and deleting the
key???
Maybe it has still it somewhere, I thought...

So, I went in the same snap in console and I deleted under
certificates- personal the entry with my account name, and under
reliable accounts I did same thing.

After this, I CAN STILL open and do everything with these encrypted
files.
So, I changed the admin password and (obviously)... after this, I
CAN STILL open and do everything with these encrypted files!



Yes. And at that point, it'd be a good idea to update the exported
credential disk.

However, if you now create another Admin level account and change the
password of that original account from there, you will find that you no
longer have decrypt access, until you re-import the credentials.

The same will happen if you boot with a Linux password-reset tool and change
it that way.



I do not understand what to do to render unusable these files
without the little key file I have removed from PC (everyone says put in
floppy - no floppy from years ago here - and keep safe, ok but what
is this? if i still access the files)

If someone steal the hard disk and reset the admin password with
some utilities, he can still read these files?


No. In that case, they'll see the files, but only in encrypted format.

Since you have a test system, which is great, you can show this to yourself.
Easy to do with a $25 USB2 drive adapter.

EFS work only if the
disk is put in another PC as slave?


EFS will allow decrypt access *if* you enter the account via a normal logon.
If the password was reset from outside, decrypt is lost until the
credentials are re-imported.


Please help or address to a pratical tutorial...



Yes.
You can access them with your account without any input. Silently..

However - if someone changes your password using a method other than
logging in with your current password and changing it as you (say someone
with administrative rights resets it) - then those files cannot be
accessed by you (nor could they ever have been accessed by anyone else on
the computer.)

That's where exporting the key comes in.

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316

You also want to know that you might have to change other things when
using
EFS in order to secure it more fully.

Where Does EFS Fit into your Security Plan?
http://www.windowsecurity.com/articl...rity_Plan.html

What is EFS? How can I use it to protect my files and folders?
http://www.petri.co.il/what's_efs.htm


Thank you very much for your answer.

I was experimenting EFS in an expendable WinXP PC, my real problem is a
server where an SQL Server resides.


I'd like to say it's great to hear that you are trying this out for yourself
on an expendable system rather than on real data.

It seems the sole mode to secure database files is encrypting the whole
file system (apart crypt any single column of any table...), otherwise it
is possible to copy them in another SQL Server installation


You probably want to see this happen yourself. Log onto your test machine
and copy some encrypted data to a folder on another system, or even a disk.
You'll likely find that the copy is not encrypted because you have the
correct credentials.

Then, reverse the process - try connecting to the test system by way of
another system - just browse the network, find the encrypted file, and copy
it. Compare your results.


(reading customers and credit cards and so on, it is the usual eshop
site...),


This may mean that there are legal requirements you must meet regarding data
protection. You need to investigate this.

so EFS jumped in.

I was worried a physical access to the machine could compromise privacy,


You are right to. Physical access definitely compromises privacy. If
someone can sit at the keyboard, the data is vulnerable.

like resetting administrator password from outside after grabbing the
hard disk.


That's actually "safer" than having an unauthorised person sitting at the
keyboard. And it's also part of why you need to be sure you have really
good backups.

This is one of the key features - and problems - with EFS. If the password
is changed from outside the account, the credentials are invalidated and at
that moment decrypt access to encrypted data is permanently lost, UNLESS the
original account credentials are re-imported. Restoring the original
password won't fix it. You need the credentials.

This becomes a problem is when a Windows reinstall is done, which disrupts
the credentials, and the user didn't export the originals.

For you, it would also be a problem if that were your only copy of the data,
or if the backups required the original credentials and you no longer have
them.

If you've stored them on the same hard disk in an unencrypted area, they are
available to everybody. If you stored them in an encrypted area, nobody
gets them. They should be on an external disk in a very secure location,
with regular refreshes. One copy only is not really a great idea.

As to floppies - yes, XP wants to export to floppies, get a $20 external USB
floppy drive. It's a handy tool to have around.

Do you think there are further details for my specific problem, or the
info and links you provided is enough and cover any use of the encryption?


You need to continue to test so you understand what's happening, and examine
privacy legislation in your area to see what is legally required and what
other companies do to comply with it. You also need to deal with the
physical access issue, as well as secure and current backups. Be sure
you can restore them to another system.

EFS offers strong encryption that is easy to use and can help you, but you
also need to understand its limitations adnd implications and how they can
hurt you.

HTH
-pk


  #7  
Old October 4th 08, 11:33 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Help with EFS

From: "Patrick Keenan"

| "h128" wrote in message
| . ..
Shenan Stanley wrote:
h128 wrote:
Hello
(Apologies for crosspost, I do not know where to post it. Searched
something similar without result.)


I'm new to EFS.


I would understand how to use it and to expect from it. I have read
many sites and many theory but not much I have found in practice.


I have done the following things.


I have crypted some files using the property tab of a directory.


After, I have exported the private key in a separate file. I have
set the flag delete if successful export, and it told me something like
"you can not anymore delete or decrypt..."
I am confused now, because I CAN STILL open and do everything with
these files. So, what is the point of exporting and deleting the
key???
Maybe it has still it somewhere, I thought...


So, I went in the same snap in console and I deleted under
certificates- personal the entry with my account name, and under
reliable accounts I did same thing.


After this, I CAN STILL open and do everything with these encrypted
files.
So, I changed the admin password and (obviously)... after this, I
CAN STILL open and do everything with these encrypted files!



| Yes. And at that point, it'd be a good idea to update the exported
| credential disk.

| However, if you now create another Admin level account and change the
| password of that original account from there, you will find that you no
| longer have decrypt access, until you re-import the credentials.

| The same will happen if you boot with a Linux password-reset tool and change
| it that way.



I do not understand what to do to render unusable these files
without the little key file I have removed from PC (everyone says put in
floppy - no floppy from years ago here - and keep safe, ok but what
is this? if i still access the files)


If someone steal the hard disk and reset the admin password with
some utilities, he can still read these files?


| No. In that case, they'll see the files, but only in encrypted format.

| Since you have a test system, which is great, you can show this to yourself.
| Easy to do with a $25 USB2 drive adapter.

EFS work only if the
disk is put in another PC as slave?


| EFS will allow decrypt access *if* you enter the account via a normal logon.
| If the password was reset from outside, decrypt is lost until the
| credentials are re-imported.


Please help or address to a pratical tutorial...



Yes.
You can access them with your account without any input. Silently..


However - if someone changes your password using a method other than
logging in with your current password and changing it as you (say someone
with administrative rights resets it) - then those files cannot be
accessed by you (nor could they ever have been accessed by anyone else on
the computer.)


That's where exporting the key comes in.


Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316


You also want to know that you might have to change other things when
using
EFS in order to secure it more fully.


Where Does EFS Fit into your Security Plan?
http://www.windowsecurity.com/articl..._Security_Plan.
html


What is EFS? How can I use it to protect my files and folders?
http://www.petri.co.il/what's_efs.htm



Thank you very much for your answer.


I was experimenting EFS in an expendable WinXP PC, my real problem is a
server where an SQL Server resides.


| I'd like to say it's great to hear that you are trying this out for yourself
| on an expendable system rather than on real data.

It seems the sole mode to secure database files is encrypting the whole
file system (apart crypt any single column of any table...), otherwise it
is possible to copy them in another SQL Server installation


| You probably want to see this happen yourself. Log onto your test machine
| and copy some encrypted data to a folder on another system, or even a disk.
| You'll likely find that the copy is not encrypted because you have the
| correct credentials.

| Then, reverse the process - try connecting to the test system by way of
| another system - just browse the network, find the encrypted file, and copy
| it. Compare your results.


(reading customers and credit cards and so on, it is the usual eshop
site...),


| This may mean that there are legal requirements you must meet regarding data
| protection. You need to investigate this.

so EFS jumped in.


I was worried a physical access to the machine could compromise privacy,


| You are right to. Physical access definitely compromises privacy. If
| someone can sit at the keyboard, the data is vulnerable.

like resetting administrator password from outside after grabbing the
hard disk.


| That's actually "safer" than having an unauthorised person sitting at the
| keyboard. And it's also part of why you need to be sure you have really
| good backups.

| This is one of the key features - and problems - with EFS. If the password
| is changed from outside the account, the credentials are invalidated and at
| that moment decrypt access to encrypted data is permanently lost, UNLESS the
| original account credentials are re-imported. Restoring the original
| password won't fix it. You need the credentials.

| This becomes a problem is when a Windows reinstall is done, which disrupts
| the credentials, and the user didn't export the originals.

| For you, it would also be a problem if that were your only copy of the data,
| or if the backups required the original credentials and you no longer have
| them.

| If you've stored them on the same hard disk in an unencrypted area, they are
| available to everybody. If you stored them in an encrypted area, nobody
| gets them. They should be on an external disk in a very secure location,
| with regular refreshes. One copy only is not really a great idea.

| As to floppies - yes, XP wants to export to floppies, get a $20 external USB
| floppy drive. It's a handy tool to have around.

Do you think there are further details for my specific problem, or the
info and links you provided is enough and cover any use of the encryption?


| You need to continue to test so you understand what's happening, and examine
| privacy legislation in your area to see what is legally required and what
| other companies do to comply with it. You also need to deal with the
| physical access issue, as well as secure and current backups. Be sure
| you can restore them to another system.

| EFS offers strong encryption that is easy to use and can help you, but you
| also need to understand its limitations adnd implications and how they can
| hurt you.

| HTH
| -pk



EFS is NOT dependent upon the account password.
EFS is dependent upon a OS (or Domain) generated EFS Certificate that is stored in the
Personal Certificate Store.

Example:
I logon to this PC as "lipman" and I have captured a picture of the view of my Personal
Certificate Store showing the OS generated EFS certificate
{ Note: I removed my Smart Card certs from my personal store first :-) }

You will note this the gernerated certificate has a life span of ~100 years. A life
expectancy to outlast the encrypted data and as long as this cert. stays in my personal
store I can decrypt the encrypted files.

NOTE: Files and folders that are encrypted will show in GREEN colour in Explorer views.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp





  #8  
Old October 5th 08, 01:31 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
John John (MVP)
external usenet poster
 
Posts: 2,010
Default Help with EFS

David H. Lipman wrote:

From: "Patrick Keenan"

| "h128" wrote in message
| . ..

Shenan Stanley wrote:

h128 wrote:

Hello
(Apologies for crosspost, I do not know where to post it. Searched
something similar without result.)



I'm new to EFS.



I would understand how to use it and to expect from it. I have read
many sites and many theory but not much I have found in practice.



I have done the following things.



I have crypted some files using the property tab of a directory.



After, I have exported the private key in a separate file. I have
set the flag delete if successful export, and it told me something like
"you can not anymore delete or decrypt..."
I am confused now, because I CAN STILL open and do everything with
these files. So, what is the point of exporting and deleting the
key???
Maybe it has still it somewhere, I thought...



So, I went in the same snap in console and I deleted under
certificates- personal the entry with my account name, and under
reliable accounts I did same thing.



After this, I CAN STILL open and do everything with these encrypted
files.
So, I changed the admin password and (obviously)... after this, I
CAN STILL open and do everything with these encrypted files!




| Yes. And at that point, it'd be a good idea to update the exported
| credential disk.

| However, if you now create another Admin level account and change the
| password of that original account from there, you will find that you no
| longer have decrypt access, until you re-import the credentials.

| The same will happen if you boot with a Linux password-reset tool and change
| it that way.




I do not understand what to do to render unusable these files
without the little key file I have removed from PC (everyone says put in
floppy - no floppy from years ago here - and keep safe, ok but what
is this? if i still access the files)



If someone steal the hard disk and reset the admin password with
some utilities, he can still read these files?



| No. In that case, they'll see the files, but only in encrypted format.

| Since you have a test system, which is great, you can show this to yourself.
| Easy to do with a $25 USB2 drive adapter.


EFS work only if the
disk is put in another PC as slave?



| EFS will allow decrypt access *if* you enter the account via a normal logon.
| If the password was reset from outside, decrypt is lost until the
| credentials are re-imported.



Please help or address to a pratical tutorial...




Yes.
You can access them with your account without any input. Silently..



However - if someone changes your password using a method other than
logging in with your current password and changing it as you (say someone
with administrative rights resets it) - then those files cannot be
accessed by you (nor could they ever have been accessed by anyone else on
the computer.)



That's where exporting the key comes in.



Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316



You also want to know that you might have to change other things when
using
EFS in order to secure it more fully.



Where Does EFS Fit into your Security Plan?
http://www.windowsecurity.com/articl..._Security_Plan.
html



What is EFS? How can I use it to protect my files and folders?
http://www.petri.co.il/what's_efs.htm




Thank you very much for your answer.



I was experimenting EFS in an expendable WinXP PC, my real problem is a
server where an SQL Server resides.



| I'd like to say it's great to hear that you are trying this out for yourself
| on an expendable system rather than on real data.


It seems the sole mode to secure database files is encrypting the whole
file system (apart crypt any single column of any table...), otherwise it
is possible to copy them in another SQL Server installation



| You probably want to see this happen yourself. Log onto your test machine
| and copy some encrypted data to a folder on another system, or even a disk.
| You'll likely find that the copy is not encrypted because you have the
| correct credentials.

| Then, reverse the process - try connecting to the test system by way of
| another system - just browse the network, find the encrypted file, and copy
| it. Compare your results.



(reading customers and credit cards and so on, it is the usual eshop
site...),



| This may mean that there are legal requirements you must meet regarding data
| protection. You need to investigate this.


so EFS jumped in.



I was worried a physical access to the machine could compromise privacy,



| You are right to. Physical access definitely compromises privacy. If
| someone can sit at the keyboard, the data is vulnerable.


like resetting administrator password from outside after grabbing the
hard disk.



| That's actually "safer" than having an unauthorised person sitting at the
| keyboard. And it's also part of why you need to be sure you have really
| good backups.

| This is one of the key features - and problems - with EFS. If the password
| is changed from outside the account, the credentials are invalidated and at
| that moment decrypt access to encrypted data is permanently lost, UNLESS the
| original account credentials are re-imported. Restoring the original
| password won't fix it. You need the credentials.

| This becomes a problem is when a Windows reinstall is done, which disrupts
| the credentials, and the user didn't export the originals.

| For you, it would also be a problem if that were your only copy of the data,
| or if the backups required the original credentials and you no longer have
| them.

| If you've stored them on the same hard disk in an unencrypted area, they are
| available to everybody. If you stored them in an encrypted area, nobody
| gets them. They should be on an external disk in a very secure location,
| with regular refreshes. One copy only is not really a great idea.

| As to floppies - yes, XP wants to export to floppies, get a $20 external USB
| floppy drive. It's a handy tool to have around.


Do you think there are further details for my specific problem, or the
info and links you provided is enough and cover any use of the encryption?



| You need to continue to test so you understand what's happening, and examine
| privacy legislation in your area to see what is legally required and what
| other companies do to comply with it. You also need to deal with the
| physical access issue, as well as secure and current backups. Be sure
| you can restore them to another system.

| EFS offers strong encryption that is easy to use and can help you, but you
| also need to understand its limitations adnd implications and how they can
| hurt you.

| HTH
| -pk



EFS is NOT dependent upon the account password.
EFS is dependent upon a OS (or Domain) generated EFS Certificate that is stored in the
Personal Certificate Store.

Example:
I logon to this PC as "lipman" and I have captured a picture of the view of my Personal
Certificate Store showing the OS generated EFS certificate
{ Note: I removed my Smart Card certs from my personal store first :-) }

You will note this the gernerated certificate has a life span of ~100 years. A life
expectancy to outlast the encrypted data and as long as this cert. stays in my personal
store I can decrypt the encrypted files.

NOTE: Files and folders that are encrypted will show in GREEN colour in Explorer views.


I think that if you were to change your password with a third party
utiliy like Petter Nordahl's Offline Registry Editor you might find your
certificate to be invalid.

John
  #9  
Old October 5th 08, 01:52 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Help with EFS

From: "John John (MVP)"

| I think that if you were to change your password with a third party
| utiliy like Petter Nordahl's Offline Registry Editor you might find your
| certificate to be invalid.

| John

I'd like to see that tested as the EFS concept is not based upon the password. Only the
account SID and the EFS certificate.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #10  
Old October 5th 08, 02:14 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
Shenan Stanley
external usenet poster
 
Posts: 10,523
Default Help with EFS

snip

John John (MVP) wrote:
I think that if you were to change your password with a third party
utiliy like Petter Nordahl's Offline Registry Editor you might
find your certificate to be invalid.


David H. Lipman wrote:
I'd like to see that tested as the EFS concept is not based upon
the password. Only the account SID and the EFS certificate.


This article:
http://support.microsoft.com/kb/290260

.... seems to point to the fact that forcefully changing the users password
through means other than doing it *as the user* may cause issues with EFS...

Specifically:

"After you reset the password of an account on a Windows XP-based computer
that is joined to a workgroup, you may lose access to the user's:

• Web page credentials.
• File share credentials.
• EFS-encrypted files.
• Certificates with private keys (SIGNED/ENCRYPTed e-mail)."

AND

"Recovering Access to Encrypted EFS Data

If you have encrypted some of your files by using the Encrypting File System
(EFS), you have additional options to recover access to those encrypted
files. The following provisions apply only to EFS encrypted files, and will
not recover access to saved credentials or certificates.

If you have previously exported the user's EFS private key from the user's
account, you may import the key back into the account and recover access to
the encrypted files.

If you did not export the private key and you have defined a Data Recovery
Agent (DRA) prior to encrypting the files, you may regain access to EFS
files as the Data Recovery Agent. For additional information about how to
recover data in this case, click the article number below to view the
article in the Microsoft Knowledge Base:
255742 ( http://support.microsoft.com/kb/255742/EN-US/ ) Methods for
Recovering Encrypted Data Files
If you do not have the required items or information specified for the
preceding recovery solutions, the data is permanently encrypted, and cannot
be recovered."


Not that I wouldn't mind seeing it tested, camtasia'd and put on the web for
me to see. ;-)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


  #11  
Old October 5th 08, 02:29 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
John John (MVP)
external usenet poster
 
Posts: 2,010
Default Help with EFS

David H. Lipman wrote:

From: "John John (MVP)"

| I think that if you were to change your password with a third party
| utiliy like Petter Nordahl's Offline Registry Editor you might find your
| certificate to be invalid.

| John

I'd like to see that tested as the EFS concept is not based upon the password. Only the
account SID and the EFS certificate.


Petter mentions it he http://home.eunet.no/~pnordahl/ntpasswd/faq.html

Also note the following from Microsoft's Technet:

Master Key Loss and Data Recovery

If a logon password is forgotten or if an administrator resets a user
password, the user’s master keys become inaccessible. Because the
decryption key is derived from the user’s password, the system is unable
to decrypt the master keys. Without the master keys, EFS-encrypted files
are also inaccessible to the user and can be recovered only by a data
recovery agent, if one has been configured, or through the use of a
password reset disk (PRD), if one has been created. For more
information, see article 290260, “EFS, Credentials, and Private Keys
from Certificates Are Unavailable After a Password Is Reset,” in the
Microsoft Knowledge Base at http://support.microsoft.com.

http://technet.microsoft.com/en-us/l.../bb457116.aspx

EFS, Credentials, and Private Keys from Certificates Are Unavailable
After a Password Is Reset
http://support.microsoft.com/kb/290260

John
  #12  
Old October 5th 08, 02:41 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Help with EFS

From: "Shenan Stanley"

| snip

| John John (MVP) wrote:
I think that if you were to change your password with a third party
utiliy like Petter Nordahl's Offline Registry Editor you might
find your certificate to be invalid.


| David H. Lipman wrote:
I'd like to see that tested as the EFS concept is not based upon
the password. Only the account SID and the EFS certificate.


| This article:
| http://support.microsoft.com/kb/290260

| ... seems to point to the fact that forcefully changing the users password
| through means other than doing it *as the user* may cause issues with EFS...

| Specifically:

| "After you reset the password of an account on a Windows XP-based computer
| that is joined to a workgroup, you may lose access to the user's:

| • Web page credentials.
| • File share credentials.
| • EFS-encrypted files.
| • Certificates with private keys (SIGNED/ENCRYPTed e-mail)."

| AND

| "Recovering Access to Encrypted EFS Data

| If you have encrypted some of your files by using the Encrypting File System
| (EFS), you have additional options to recover access to those encrypted
| files. The following provisions apply only to EFS encrypted files, and will
| not recover access to saved credentials or certificates.

| If you have previously exported the user's EFS private key from the user's
| account, you may import the key back into the account and recover access to
| the encrypted files.

| If you did not export the private key and you have defined a Data Recovery
| Agent (DRA) prior to encrypting the files, you may regain access to EFS
| files as the Data Recovery Agent. For additional information about how to
| recover data in this case, click the article number below to view the
| article in the Microsoft Knowledge Base:
| 255742 ( http://support.microsoft.com/kb/255742/EN-US/ ) Methods for
| Recovering Encrypted Data Files
| If you do not have the required items or information specified for the
| preceding recovery solutions, the data is permanently encrypted, and cannot
| be recovered."


| Not that I wouldn't mind seeing it tested, camtasia'd and put on the web for
| me to see. ;-)

| --
| Shenan Stanley
| MS-MVP
| --
| How To Ask Questions The Smart Way
| http://www.catb.org/~esr/faqs/smart-questions.html



I think the statement...

"After you reset the password of an account on a Windows XP-based computer
that is joined to a workgroup, you may lose access to the user's:

• Web page credentials.
• File share credentials.
• EFS-encrypted files.
• Certificates with private keys (SIGNED/ENCRYPTed e-mail)."

concerns the SID.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #13  
Old October 5th 08, 02:46 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Help with EFS

From: "John John (MVP)"

| David H. Lipman wrote:

From: "John John (MVP)"


| I think that if you were to change your password with a third party
| utiliy like Petter Nordahl's Offline Registry Editor you might find your
| certificate to be invalid.


| John


I'd like to see that tested as the EFS concept is not based upon the password. Only
the
account SID and the EFS certificate.


| Petter mentions it he http://home.eunet.no/~pnordahl/ntpasswd/faq.html

| Also note the following from Microsoft's Technet:

| Master Key Loss and Data Recovery

| If a logon password is forgotten or if an administrator resets a user
| password, the user’s master keys become inaccessible. Because the
| decryption key is derived from the user’s password, the system is unable
| to decrypt the master keys. Without the master keys, EFS-encrypted files
| are also inaccessible to the user and can be recovered only by a data
| recovery agent, if one has been configured, or through the use of a
| password reset disk (PRD), if one has been created. For more
| information, see article 290260, “EFS, Credentials, and Private Keys
| from Certificates Are Unavailable After a Password Is Reset,” in the
| Microsoft Knowledge Base at http://support.microsoft.com.

| http://technet.microsoft.com/en-us/l.../bb457116.aspx

| EFS, Credentials, and Private Keys from Certificates Are Unavailable
| After a Password Is Reset
| http://support.microsoft.com/kb/290260

| John

OK. That's interesting and I'll make note of that to test it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #14  
Old October 5th 08, 03:18 AM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Help with EFS

From: "John John (MVP)"

OK -- I concede, I was mistaken.

This is an important point in the light of EFS being a DAR complaint solution.

If a malicious actor steals a notebook that has data encrypted using EFS, the actor will
be unable to decrypt the data even if the password to the account has been cracked.

This is different in the situation of cryptographic logons where account names and
passwords are not used, a Smart Card is used for account authentication. In thta scenario
the malicious actor would need physical access to the Smart Card and have to know the PIN.

** My apologies go to Patrick Keenan for injecting faux information into the thread.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #15  
Old October 5th 08, 06:31 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.windowsxp.security_admin
sandy58[_3_]
external usenet poster
 
Posts: 424
Default Help with EFS

On Oct 4, 12:57*am, h128 wrote:
Hello
(Apologies for crosspost, I do not know where to post it. Searched
something similar without result.)

I'm new to EFS.

I would understand how to use it and to expect from it. I have read many
sites and many theory but not much I have found in practice.

I have done the following things.

I have crypted some files using the property tab of a directory.

After, I have exported the private key in a separate file. I have set
the flag delete if successful export, and it told me something like "you
can not anymore delete or decrypt..."
I am confused now, because I CAN STILL open and do everything with these
files. So, what is the point of exporting and deleting the key???

Maybe it has still it somewhere, I thought...

So, I went in the same snap in console and I deleted under certificates-
personal the entry with my account name, and under reliable accounts I
did same thing.

After this, I CAN STILL open and do everything with these encrypted files..

So, I changed the admin password and (obviously)... after this, I CAN
STILL open and do everything with these encrypted files!

I do not understand what to do to render unusable these files without
the little key file I have removed from PC (everyone says put in floppy
- no floppy from years ago here - and keep safe, ok but what is this? if
i still access the files)

If someone steal the hard disk and reset the admin password with some
utilities, he can still read these files? EFS work only if the disk is
put in another PC as slave?

Please help or address to a pratical tutorial...
Thx


http://www.microsoft.com/technet/sec..._data_efs.mspx
Hope this helps, h128.
Good luck
 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off






All times are GMT +1. The time now is 10:28 AM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.