EFS Questions

Guest

Hi there,

We have had a few laptops stolen in the past few months and my boss has
asked me to use EFS on our laptops to encrypt the data in case any more get
stolen.

I have about a hundred clients that I want to get this implemented on but I
do not want the users to have to manually encrypt their folders/files
themselves. Is it possible to remotely get this set up? I'm not sure where
to go from here other than enabling the GPO and sending the users
instructions on how to encrypt their laptops.

Can anyone help me out with a possible solution or point me in the right
direction?

Thanks!!!!
 
Kerry Brown

EFS will not protect the laptops if the laptop is stolen and the keys for
the encryption are stored on the laptop. EFS wasn't really designed for
this. It was designed for use in a network environment to encrypt files on a
server. If you want EFS to work without the users installing a certificate
(key) every time they start the laptop, then uninstalling it before shutting
down, the certificate (key) is stored in the user profile. Programs exist to
scan the user profiles for the keys then to use them to decrypt the files.
For EFS to be secure the certificates can't be stored on the laptop. The
files can't be encrypted or decrypted without the certificates so it's a
catch-22. You need to look at different technologies. BitLocker in Vista is
one. I believe IBM has a solution for their laptops. There are also others.
 
Guest

Kerry,

Thank you very much for this valuable information! I guess we were
definitely barking up the wrong tree here. I will look into some of those
other solutions that you suggested.

Chris
 
GreenieLeBrun

Chris M said:
Hi there,

We have had a few laptops stolen in the past few months and my boss has
asked me to use EFS on our laptops to encrypt the data in case any more get
stolen.

I have about a hundred clients that I want to get this implemented on but I
do not want the users to have to manually encrypt their folders/files
themselves. Is it possible to remotely get this set up? I'm not sure where
to go from here other than enabling the GPO and sending the users
instructions on how to encrypt their laptops.

Can anyone help me out with a possible solution or point me in the right
direction?

Thanks!!!!

The following links should answer most of your EFS questions.

The Encrypting File System
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/en-us
 
Harry Johnston

Kerry said:
EFS will not protect the laptops if the laptop is stolen and the keys
for the encryption are stored on the laptop.

I thought the keys were themselves encrypted with the user's password? If this
isn't the case, why can't Windows decrypt files after administratively resetting
a password?

Harry.
 
Vladimir Katalov

Harry Johnston said:
I thought the keys were themselves encrypted with the user's password? If
this isn't the case, why can't Windows decrypt files after
administratively resetting a password?

You're correct, the keys are encrypted using a SHA1 hash (4000 iterations
in Windows XP and Server 2003, 24000 in Vista) of the user's password.

--
Sincerely yours,
Vladimir

Vladimir Katalov
CEO
ElcomSoft Co.Ltd.
http://www.elcomsoft.com
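
An added illustration of the point Harry and Vladimir discuss above; it is not part of any post in this thread and is a simplified model, not Windows' actual key-storage format. It wraps a constructed private key under a key derived from the password with iterated SHA1 (PBKDF2, 4000 iterations as quoted for XP) and shows why an administrative reset leaves the stored key unusable while a user-initiated change does not. The keystream, the HMAC-SHA256 tag and all function names are assumptions made for the demo.

```python
import hashlib, hmac, os

ITERATIONS = 4000  # iteration count quoted in the thread for XP / Server 2003

def derive(password, salt):
    # PBKDF2-HMAC-SHA1; 64 bytes = 32 for encryption + 32 for authentication
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, dklen=64)

def keystream(key, n):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), an assumption for the demo
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(secret, password):
    salt = os.urandom(16)  # fresh salt per wrap, so each keystream is used once
    k = derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, keystream(k[:32], len(secret))))
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(blob, password):
    k = derive(password, blob["salt"])
    want = hmac.new(k[32:], blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, blob["tag"]):
        raise ValueError("stored key cannot be unwrapped with this password")
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream(k[:32], len(blob["ct"]))))

def user_change_password(blob, old, new):
    # The user supplies the old password, so the key can be unwrapped and re-wrapped
    return wrap(unwrap(blob, old), new)

def usable_after_admin_reset(blob, new):
    # An administrative reset replaces the password; the stored blob is untouched
    try:
        unwrap(blob, new)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    key = b"constructed EFS private key bytes"  # constructed sample value
    blob = wrap(key, "old-password")
    print(unwrap(blob, "old-password") == key)
    print(usable_after_admin_reset(blob, "reset-by-admin"))
    print(unwrap(user_change_password(blob, "old-password", "new-password"), "new-password") == key)
```

In this model the wrapped key is only as strong as the password protecting it, which is the trade-off the thread is debating.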
 
