#1
EFS and System Cryptography Group Policy - Windows XP SP2
I am trying to secure a standalone laptop computer that contains sensitive data. Some information in the Resource Kit and Knowledge Base has me confused.

In Chapter 17 of the Windows XP Resource Kit it states, quote: "You can strengthen security by replacing the default DESX algorithm with 3DES. In a stand-alone environment, enabling 3DES is recommended."

In a Knowledge Base article, quote: "Encrypting File System (EFS) is also affected by this setting. By default, Windows XP uses the Data Encryption Standard (DESX) algorithm with a 56-bit key length. If the Windows high encryption pack is installed, the key length for this algorithm is Triple-DES (3DES) or 128 bits. By default, on Windows XP Service Pack 1 (SP1)-based and Windows Server 2003-based computers, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting on these computers, the operating system will use 3DES with a 128-bit key length instead."

So am I reducing the level of security by enabling the group policy on an XP SP2 computer or increasing it?

(http://www.microsoft.com/resources/d...b_efs_awzg.asp)
http://support.microsoft.com/kb/811833
#2
EFS and System Cryptography Group Policy - Windows XP SP2
Brent wrote:
> I am trying to secure a standalone laptop computer that contains sensitive data. Some information in the Resource Kit and Knowledge Base has me confused.
> (snip)

Hi

Not exactly a direct answer to your question, but anyway:

If the data is sensitive, you should absolutely encrypt the data, but I would not have used Microsoft's built-in EFS. EFS is usually a disaster just waiting to happen. Some call EFS the "delayed Recycle Bin" ;-)

Some 3rd party alternatives to EFS if you really want to secure the laptop:

SafeGuard Easy or SafeGuard PrivateDisk
http://www.utimaco.com/indexmain.html
(we are using their "SafeGuard Easy" product to encrypt all of the local hard disk on all laptops, and we are very satisfied with the product).

The BestCrypt product found at http://www.jetico.com/ also looks interesting.

Just be sure to export any encryption keys and save them in a safe place (outside the computer).

--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
#3
EFS and System Cryptography Group Policy - Windows XP SP2
AES is more secure, so you would be reducing security by enabling 3DES.

Be sure to back up your EFS certificate/key on the XPSP2 with "cipher /x" to a floppy and store it in a secure place. If your OS is re-installed or corrupted but your data is intact, you can still access your encrypted files with this .pfx file. Just run the .pfx file to import the certificate/key to your Personal certificates store.

Thanks.
Pat

"Brent" wrote:
> I am trying to secure a standalone laptop computer that contains sensitive data. Some information in the Resource Kit and Knowledge Base has me confused.
>
> In Chapter 17 of the Windows XP Resource Kit it states, quote: "You can strengthen security by replacing the default DESX algorithm with 3DES. In a stand-alone environment, enabling 3DES is recommended."
>
> In a Knowledge Base article, quote: "Encrypting File System (EFS) is also affected by this setting. By default, Windows XP uses the Data Encryption Standard (DESX) algorithm with a 56-bit key length. If the Windows high encryption pack is installed, the key length for this algorithm is Triple-DES (3DES) or 128 bits. By default, on Windows XP Service Pack 1 (SP1)-based and Windows Server 2003-based computers, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting on these computers, the operating system will use 3DES with a 128-bit key length instead."
>
> So am I reducing the level of security by enabling the group policy on an XP SP2 computer or increasing it?
>
> (http://www.microsoft.com/resources/d...b_efs_awzg.asp)
> http://support.microsoft.com/kb/811833
#4
EFS and System Cryptography Group Policy - Windows XP SP2
"Pat Hoffer [MSFT]" wrote in message ...
> AES is more secure, so you would be reducing security by enabling 3DES.
>
>> In Chapter 17 of the Windows XP Resource Kit it states, quote: "You can strengthen security by replacing the default DESX algorithm with 3DES. In a stand-alone environment, enabling 3DES is recommended."

Forgive me for being dull... but there's one thing I haven't yet understood:

Assuming a default installation of Windows XP SP2, what type of cryptography is installed by default? 3DES or AES?

Thanks,
Stefano
#5
EFS and System Cryptography Group Policy - Windows XP SP2
WXP RTM uses DESX and WXP with SP1-up uses AES. The FIPS group policy option was useful for increasing the encryption algorithm strength (to 3DES) for WXP RTM, but the default AES in the WXP service packs is more secure. (WS2003 RTM shipped with AES.)

If a file was encrypted using DESX (before adding a service pack), EFS will continue using DESX on that file (unless it is decrypted and re-encrypted). All new files will be encrypted with AES.

Thanks.
Pat

"Stefano Ferrante" wrote:
> "Pat Hoffer [MSFT]" wrote in message ...
>> AES is more secure, so you would be reducing security by enabling 3DES.
>>
>>> In Chapter 17 of the Windows XP Resource Kit it states, quote: "You can strengthen security by replacing the default DESX algorithm with 3DES. In a stand-alone environment, enabling 3DES is recommended."
>
> Forgive me for being dull... but there's one thing I haven't yet understood:
>
> Assuming a default installation of Windows XP SP2, what type of cryptography is installed by default? 3DES or AES?
>
> Thanks,
> Stefano
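
Added example (not part of any post in this thread): a batch script that reads the two registry values which, on Windows XP and Server 2003, feed the algorithm selection described in the post above. The registry value names and the algorithm IDs are assumptions taken from Microsoft's documentation rather than from the thread, and the FIPS check assumes the XP/2003 layout, where the policy is a DWORD value rather than a subkey.

```batch
@echo off
rem Added example, not from the thread. Reports the settings that decide
rem which cipher EFS uses for NEW files on Windows XP / Server 2003.
rem Assumed (not stated in the thread): registry value names and algorithm IDs.
setlocal
set "LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "EFS=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS"
set "FIPS="
set "ALG="

rem reg query prints "<name> REG_DWORD 0x<hex>"; token 3 is the data.
for /f "tokens=3" %%v in ('reg query "%LSA%" /v FIPSAlgorithmPolicy 2^>nul ^| find "REG_DWORD"') do set "FIPS=%%v"
for /f "tokens=3" %%v in ('reg query "%EFS%" /v AlgorithmID 2^>nul ^| find "REG_DWORD"') do set "ALG=%%v"

rem "System cryptography: Use FIPS compliant algorithms..." policy state.
if /i "%FIPS%"=="0x1" (
    echo FIPS policy : ENABLED - EFS falls back to 3DES for new files.
) else (
    echo FIPS policy : disabled or not set - EFS keeps the OS default,
    echo               DESX on XP RTM, AES on SP1 and later.
)

rem Optional explicit EFS algorithm override.
if not defined ALG (
    echo AlgorithmID : not set - no explicit algorithm override.
) else if /i "%ALG%"=="0x6610" (
    echo AlgorithmID : %ALG% = AES-256
) else if /i "%ALG%"=="0x6603" (
    echo AlgorithmID : %ALG% = 3DES
) else if /i "%ALG%"=="0x6604" (
    echo AlgorithmID : %ALG% = DESX
) else (
    echo AlgorithmID : %ALG% = unrecognized value, review manually.
)

echo Note: files encrypted earlier keep their original algorithm until
echo they are decrypted and re-encrypted.
endlocal
```

Run it from a command prompt on the laptop itself; it only reads the registry and changes nothing.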
#6
Do you have any experience with PGP Disk?
I'm not doubting that the product works, but the Utimaco web site is scary. In 60 seconds of looking at it, I found two pages that don't display anything using Mozilla (They display in Internet Explorer.), and one dead link.

Do you have any experience with PGP Disk?

I came to the same conclusion that you mentioned. EFS is not a sensible choice, apparently. It ties your data to a Windows 2003 domain controller, or to a single standalone computer, the computer on which the data was encrypted.

____________________________

Torgeir Bakken (MVP) wrote:
> Brent wrote:
>> I am trying to secure a standalone laptop computer that contains sensitive data. Some information in the Resource Kit and Knowledge Base has me confused.
>> (snip)
>
> Hi
>
> Not exactly a direct answer to your question, but anyway:
>
> If the data is sensitive, you should absolutely encrypt the data, but I would not have used Microsoft's built-in EFS. EFS is usually a disaster just waiting to happen. Some call EFS the "delayed Recycle Bin" ;-)
>
> Some 3rd party alternatives to EFS if you really want to secure the laptop:
>
> SafeGuard Easy or SafeGuard PrivateDisk
> http://www.utimaco.com/indexmain.html
> (we are using their "SafeGuard Easy" product to encrypt all of the local hard disk on all laptops, and we are very satisfied with the product).
>
> The BestCrypt product found at http://www.jetico.com/ also looks interesting.
>
> Just be sure to export any encryption keys and save them in a safe place (outside the computer).