EFS


Andy

After having some laptops stolen we wish to add a layer of security to our
stand-alone notebooks which prevents the thief gaining access to the
hard drive partitions when they reinstall the OS or slave the drive.
From reading around, EFS is the answer.

Can anyone advise me if my theory is good?

- We encrypt all the folders on the PC.
- The folders remain workable to the user, but if the computer is stolen
these folders cannot be accessed even if a new OS is installed.
- We need to back up the certificate and keys for each folder we encrypt
just in case there is a problem later. To do this we open the Certificates
snap-in and export them from there - however, where/what is the
"Certificates snap-in"?! I cannot locate this in Accessories or anywhere
else.

I would appreciate any feedback from any security experts on this matter.
 

Guest

You are right that EFS will protect the files from a malicious user who gains
access to the drive where the files are stored. The EFS certificate and key
are stored in the laptop user's profile directory and protected with a hash
of the user's password. (Encourage your users to use strong logon
passwords.) The thief would need both to access the certificate and key and
then the files.

Creating backups is very important. If for some reason the laptop user
loses access to the files, that user can regain access after importing the
certificate and key from a backup. If the laptops are under a domain policy
that has a recovery certificate and that policy has applied to the files, the
files can also be recovered using that recovery certificate and key.

General information about EFS and data recovery:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Information about EFS on Windows XP (This includes the exporting and
importing of certificates. You can get directly to the user's Certificates
store by running certmgr.msc and expanding the Personal node. You can also
get it by running mmc.exe, adding the Certificates snap-in for the current
user, and expanding the Personal node. EFS usually uses only one certificate
per user for encrypting all files; but if there are multiple EFS certificates
in the store, back up all to be safe.):
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c18621675.mspx

Thanks.
Pat
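
The export Pat describes, done from PowerShell instead of clicking through the Certificates snap-in, as an added example that is not part of the thread. It assumes Microsoft's "Encrypting File System" enhanced-key-usage OID 1.3.6.1.4.1.311.10.3.4 to pick out EFS certificates, a backup folder named $BackupDir, and that the private key was generated exportable (the default for the self-signed certificate EFS creates on first use):

```powershell
# Added example, not from the thread: back up every EFS certificate *with its private key*
# from the current user's Personal store to a password-protected PFX file. This is what
# certmgr.msc > Personal > Certificates > All Tasks > Export does with
# "Yes, export the private key" selected.
param(
    # Assumption: where the PFX files are written. Move them OFF the laptop afterwards.
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'EFS-Backup')
)

# Microsoft's "Encrypting File System" enhanced key usage OID; EFS certificates carry it.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # Cert:\CurrentUser\My is the "Personal" node shown in the Certificates snap-in.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $cert.HasPrivateKey -and $eku -and
            ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

$efsCerts = @(Get-EfsCertificate)
if ($efsCerts.Count -eq 0) {
    throw 'No EFS certificate with a private key found in Cert:\CurrentUser\My. Encrypt one file first; EFS creates the certificate on first use.'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX backup(s)'

foreach ($cert in $efsCerts) {
    $pfxPath = Join-Path $BackupDir ('EFS-{0}-{1}.pfx' -f $env:USERNAME, $cert.Thumbprint)
    # X509ContentType.Pfx includes the private key; the password encrypts the PFX.
    # Export throws if the key was generated non-exportable.
    $bytes = $cert.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
        $pfxPassword)
    [System.IO.File]::WriteAllBytes($pfxPath, $bytes)
    Write-Host ('Backed up {0} (valid until {1:yyyy-MM-dd}) to {2}' -f $cert.Thumbprint, $cert.NotAfter, $pfxPath)
}

# Following Pat's advice: if more than one EFS certificate is present, all of them are exported.
Write-Host ('{0} certificate(s) exported. Copy the PFX file(s) to removable media or a server share and delete them from this laptop.' -f $efsCerts.Count)
```

A PFX left on the laptop is protected only by the password you typed, so the backup has to live somewhere the thief does not get. To restore, double-click the PFX (or use the snap-in's Import wizard) into the Personal store of the user who needs the files back; once the certificate and key are present again, the encrypted files open as before.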
 

Andy


Pat

Thanks for taking the time to reply.

Couple of questions you might know the answer to, if you don't mind:

1) Is it not possible to do the whole D:\? We currently only seem to be
able to do folders.
2) If we do folders, does this create a certificate for each one?
3) If I email you a file from an EFS-enabled PC, would you not be able to open
it? Thus if the users need to send a file to someone else they need to
save it out and remove the EFS first?

I am trying to set up notebooks so they are secure if lost, but remain
usable and hassle-free to our staff.
 

Guest

I'll answer using your numbers.

1) What you are seeing is correct. On Windows XP, EFS will encrypt only the
contents of a drive--not the drive's root folder. On Vista, EFS will encrypt
the root folder.

2) EFS encrypts with one certificate per user; so all the files and folders
encrypted for that user should have the same certificate thumbprint. You can
confirm that by opening a file's properties dialog and clicking Advanced >
Details to see the thumbprint of the certificate used to encrypt that file.

3) You cannot email a file in an encrypted state. The system will decrypt
the file (usually under the covers) when you attach it to an email.

Thanks.
Pat
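
Pat's answers to 1) and 2) as a script, added here as an example that is not from the thread: encrypt everything under a data drive with cipher.exe (the root folder of D:\ itself stays clear on XP, as Pat says), then audit the tree for anything left unencrypted and show which certificate can decrypt a sample file. It assumes cipher.exe's /E, /A and /S: switches (present since Windows 2000), its /C switch, which to my knowledge appeared in Vista (XP had the separate resource-kit tool efsinfo.exe for this), and a drive letter passed as $Root:

```powershell
# Added example, not from the thread: encrypt the contents of a drive, then check the result.
param(
    [string]$Root = 'D:\'   # Assumption: the data drive to protect
)

# 1. Encrypt. /E sets the Encrypted attribute, /S: recurses through subdirectories,
#    /A applies it to files as well as folders. On XP the root folder of D:\ itself is
#    left alone; everything beneath it is encrypted for the user running this.
& cipher.exe /E /A /S:$Root
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# 2. Audit. Anything under $Root without the Encrypted attribute is readable by whoever
#    slaves the drive, so list it rather than assume cipher got everything.
function Get-ClearItem([string]$Path) {
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
}

$clear = @(Get-ClearItem $Root)
if ($clear.Count -gt 0) {
    Write-Warning ('{0} item(s) under {1} are still in clear text:' -f $clear.Count, $Root)
    $clear | ForEach-Object { $_.FullName }
} else {
    Write-Host ('Every file and folder under {0} carries the Encrypted attribute.' -f $Root)
}

# 3. Which certificate? cipher /C lists the users who can decrypt a file, the thumbprint of
#    each of their certificates, and whether a recovery certificate is attached. Every file
#    one user encrypted should show the same thumbprint, matching Properties > Advanced >
#    Details in Explorer and the one EFS certificate in certmgr.msc > Personal.
$sample = Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } | Select-Object -First 1
if ($sample) { & cipher.exe /C $sample.FullName }
```

Run it as the user who owns the data, not as an administrator: EFS encrypts for whoever runs cipher, and files encrypted under another account are just as inaccessible to the staff member as they would be to a thief. The "Users who can decrypt" block from step 3 is also where you see whether a domain recovery certificate has been applied; "No recovery certificate found" means the user's own key, and its backup, are the only way back in.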
 

Andy


Pat

Thank you for the information.

If we therefore upgrade our notebooks to Vista I cannot see any reason why
we would not therefore encrypt both the C: and D: with EFS. I wonder
therefore why everyone does not do this.

Do you know of any specific forums for EFS discussion? At the moment all I
can see is advantages; there obviously must be disadvantages.
 

Guest

Is there any need to remove the certificates from the laptop or does that
render encryption/ decryption inoperative?

Thank you.
 

Shenan Stanley

Andy said:
If we therefore upgrade our notebooks to Vista I cannot see any
reason why we would not therefore encrypt both the C: and D: with
EFS. I wonder therefore why everyone does not do this.

Do you know of any specific forums for EFS discussion? At the
moment all I can see is advantages; there obviously must be
disadvantages.

Disadvantage: People/Users.

It is entirely feasible - in fact, it will happen - that a user will not
back up their certificate, or won't connect to your domain, or will disjoin the
domain on their own, or someone will force the change of the user's password
through non-conventional means, and the data on said laptop will be lost to
everyone. The hard disk drive could go bad... certain files might be
corrupted - again making the data inaccessible to everyone.

The weak link is the same as it always has been - due diligence on the part of the
user.
 