A Windows XP help forum. PCbanter


EFS and System Cryptography Group Policy - Windows XP SP2



 
 
  #1  
Old March 14th 05, 06:57 PM
Brent
external usenet poster
 
Posts: n/a
Default EFS and System Cryptography Group Policy - Windows XP SP2

I am trying to secure a standalone laptop computer that contains sensitive
data. Some information in the Resource Kit and Knowledge Base has me
confused.

In Chapter 17 of the Windows XP Resource Kit it states quote

"You can strengthen security by replacing the default DESX algorithm with
3DES. In a stand-alone environment, enabling 3DES is recommended."

In a knowledge base article quote

"Encrypting File System (EFS) is also affected by this setting. By default,
Windows XP uses the Data Encryption Standard (DESX) algorithm with a 56-bit
key length. If the Windows high encryption pack is installed, the key length
for this algorithm is Triple-DES (3DES) or 128 bits. By default, on Windows
XP Service Pack 1 (SP1)-based and Windows Server 2003-based computers, EFS
uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key
length. However, if you enable the System cryptography: Use FIPS compliant
algorithms for encryption, hashing, and signing setting on these computers,
the operating system will use 3DES with a 128-bit key length instead."

So am I reducing the level of security by enabling the group policy on an XP
SP2 computer or increasing it?



(http://www.microsoft.com/resources/d...b_efs_awzg.asp)

http://support.microsoft.com/kb/811833
  #2  
Old March 15th 05, 10:20 AM
Torgeir Bakken (MVP)
external usenet poster
 
Posts: n/a
Default EFS and System Cryptography Group Policy - Windows XP SP2

Brent wrote:

I am trying to secure a standalone laptop computer that contains sensitive
data. Some information in the Resource Kit and Knowledge Base has me
confused.

(snip)

Hi

Not exactly a direct answer to your question, but anyway:

If the data is sensitive, you should absolutely encrypt the data, but I
would not have used Microsoft's built-in EFS, EFS is usually a disaster
just waiting to happen. Some call EFS the "delayed Recycle Bin" ;-)

Some 3rd party alternatives to EFS if you really want to secure the
laptop:

SafeGuard Easy or SafeGuard PrivateDisk
http://www.utimaco.com/indexmain.html

(we are using their "SafeGuard Easy" product to encrypt all of the
local hard disk on all laptops, and we are very satisfied with the
product).

The BestCrypt product found at http://www.jetico.com/ also looks
interesting.

Just be sure to export any encryption keys and save them in a safe
place (outside the computer).



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
  #3  
Old March 17th 05, 10:27 PM
Pat Hoffer [MSFT]
external usenet poster
 
Posts: n/a
Default EFS and System Cryptography Group Policy - Windows XP SP2

AES is more secure; so you would be reducing security by enabling 3DES. Be
sure to back up your EFS certificate/key on the XPSP2 with "cipher /x" to a
floppy and store it in a secure place. If your OS is re-installed or
corrupted but your data is intact, you can still access your encrypted files
with this .pfx file. Just run the .pfx file to import the certificate/key to
your Personal certificates store.

Thanks.
Pat

"Brent" wrote:

I am trying to secure a standalone laptop computer that contains sensitive
data. Some information in the Resource Kit and Knowledge Base has me
confused.

In Chapter 17 of the Windows XP Resource Kit it states quote

"You can strengthen security by replacing the default DESX algorithm with
3DES. In a stand-alone environment, enabling 3DES is recommended."

In a knowledge base article quote

"Encrypting File System (EFS) is also affected by this setting. By default,
Windows XP uses the Data Encryption Standard (DESX) algorithm with a 56-bit
key length. If the Windows high encryption pack is installed, the key length
for this algorithm is Triple-DES (3DES) or 128 bits. By default, on Windows
XP Service Pack 1 (SP1)-based and Windows Server 2003-based computers, EFS
uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key
length. However, if you enable the System cryptography: Use FIPS compliant
algorithms for encryption, hashing, and signing setting on these computers,
the operating system will use 3DES with a 128-bit key length instead."

So am I reducing the level of security by enabling the group policy on an XP
SP2 computer or increasing it?



(http://www.microsoft.com/resources/d...b_efs_awzg.asp)

http://support.microsoft.com/kb/811833

  #4  
Old March 19th 05, 03:42 PM
Stefano Ferrante
external usenet poster
 
Posts: n/a
Default EFS and System Cryptography Group Policy - Windows XP SP2


"Pat Hoffer [MSFT]" wrote in message
...
AES is more secure; so you would be reducing security by enabling 3DES.


In Chapter 17 of the Windows XP Resource Kit it states quote

"You can strengthen security by replacing the default DESX algorithm with
3DES. In a stand-alone environment, enabling 3DES is recommended."


Forgive me for being dull...but there's one thing I haven't yet understood:
Assuming a default installation of Windows XP SP2, what type of cryptography
is installed by default? 3DES or AES?

Thanks,
Stefano


  #5  
Old March 19th 05, 07:45 PM
Pat Hoffer [MSFT]
external usenet poster
 
Posts: n/a
Default EFS and System Cryptography Group Policy - Windows XP SP2

WXP RTM uses DESX and WXP with SP1-up uses AES. The FIPS group policy option
was useful for increasing the encryption algorithm strength (to 3DES) for WXP
RTM; but the default AES in the WXP service packs is more secure. (WS2003
RTM shipped with AES.)

If a file was encrypted using DESX (before adding a service pack), EFS will
continue using DESX on that file (unless it is decrypted and re-encrypted).
All new files will be encrypted with AES.

Thanks.
Pat

"Stefano Ferrante" wrote:


"Pat Hoffer [MSFT]" wrote in message
...
AES is more secure; so you would be reducing security by enabling 3DES.


In Chapter 17 of the Windows XP Resource Kit it states quote

"You can strengthen security by replacing the default DESX algorithm with
3DES. In a stand-alone environment, enabling 3DES is recommended."


Forgive me for being dull...but there's one thing I haven't yet understood:
Assuming a default installation of Windows XP SP2, what type of cryptography
is installed by default? 3DES or AES?

Thanks,
Stefano
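
The checks and backup steps from posts #3 and #5, gathered into one script as an added example that is not part of any post in the thread. It assumes Windows XP SP1 or later or Server 2003; the `AlgorithmID` override value and its codes come from Microsoft's EFS documentation rather than this page, and the script's two optional arguments are hypothetical.

```batch
@echo off
rem Added example, not from the thread. Run on Windows XP SP1+ or Server 2003.
rem Hypothetical usage: efscheck.cmd [backup-name-without-extension] [file-to-re-encrypt]
setlocal
set "FIPS=0x0"
set "ALG=unset"
set "LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "EFS=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS"

rem The FIPS policy is stored as the DWORD FIPSAlgorithmPolicy under Lsa on XP/2003.
for /f "tokens=3" %%A in ('reg query "%LSA%" /v FIPSAlgorithmPolicy 2^>nul ^| find "REG_DWORD"') do set "FIPS=%%A"
rem AlgorithmID is an optional override; it is absent on a default install.
for /f "tokens=3" %%A in ('reg query "%EFS%" /v AlgorithmID 2^>nul ^| find "REG_DWORD"') do set "ALG=%%A"

rem Assumption: the FIPS policy takes precedence over AlgorithmID.
if /i "%FIPS%"=="0x1" goto fips
if /i "%ALG%"=="0x6603" echo AlgorithmID selects 3DES for new EFS files.
if /i "%ALG%"=="0x6604" echo AlgorithmID selects DESX for new EFS files.
if /i "%ALG%"=="0x6610" echo AlgorithmID selects AES-256 for new EFS files.
if /i "%ALG%"=="unset" echo No override set: SP1 and later default to AES-256.
goto backup

:fips
echo FIPS policy is enabled: new EFS files use 3DES instead of AES.

:backup
rem cipher /x asks for a password and writes the certificate and key to a .PFX file.
if not "%~1"=="" cipher /x "%~1"

rem Files encrypted before an algorithm change keep the old algorithm until
rem they are decrypted and encrypted again.
if not "%~2"=="" (
    cipher /d /a "%~2"
    cipher /e /a "%~2"
)
endlocal
```

Keep the resulting .PFX file off the laptop, as the posts above advise, since it contains the private key that decrypts the files.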



  #6  
Old March 20th 05, 12:37 AM
M. Jennings
external usenet poster
 
Posts: n/a
Default Do you have any experience with PGP Disk?

I'm not doubting that the product works, but the Utimaco web site is scary.
In 60 seconds of looking at it, I found two pages that don't display anything
using Mozilla (They display in Internet Explorer.), and one dead link.

Do you have any experience with PGP Disk?

I came to the same conclusion that you mentioned. EFS is not a sensible
choice, apparently. It ties your data to a Windows 2003 domain controller, or
to a single standalone computer, the computer on which the data was encrypted.

____________________________


Torgeir Bakken (MVP) wrote:
Brent wrote:

I am trying to secure a standalone laptop computer that contains
sensitive data. Some information in the Resource Kit and Knowledge
Base has me confused.
(snip)


Hi

Not exactly a direct answer to your question, but anyway:

If the data is sensitive, you should absolutely encrypt the data, but I
would not have used Microsoft's built-in EFS, EFS is usually a disaster
just waiting to happen. Some call EFS the "delayed Recycle Bin" ;-)

Some 3rd party alternatives to EFS if you really want to secure the
laptop:

SafeGuard Easy or SafeGuard PrivateDisk
http://www.utimaco.com/indexmain.html

(we are using their "SafeGuard Easy" product to encrypt all of the
local hard disk on all laptops, and we are very satisfied with the
product).

The BestCrypt product found at http://www.jetico.com/ also looks
interesting.

Just be sure to export any encryption keys and save them in a safe
place (outside the computer).



 



