Windows Encryption - All too easy workaround?

A

AberTech

I have recently been looking into using the encryption tool in WinXP Pro for
added privacy/security. Then someone at work told me about a bootable CD
from winternals.com(?) called Super Acronis or Locksmith which allows you to
change the password for any user on that machine. A reboot later and you
can log on to that account - including Administrator with the new password.
As it is the account that your files were encrypted with, anyone who did
this would automatically be granted access to the encrypted files. They
even give you a 5 day working demo available for free!

On looking at this NG I can see recent posts 'Forgotton Logon password'
which also cover this.

If this is so easy to do, it made wonder if there is much point in using
Windows' encryption? Is the purchase of 3rd party software necessary to
ensure that files can be made secure/private?
 
C

Carey Frisch [MVP]

If someone were to changed the account password, the encrypted files
would remain encrypted and inaccessible. Windows XP creates a randomly
generated file encryption key (FEK) and then transparently encrypts the data,
using this FEK, as it is being written to disk. The FEK, and therefore the data
it encrypts, can be decrypted only with your certificate and its associated private key,
which are only available when you log on with your correct user name and password.
Other users who attempt to use your encrypted files receive an "access denied" message.
Even other administrators who have permission to take ownership of files are unable to
open your encrypted files.

Third-party tools could gain access to your computer, but not the encrypted files.

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/EN-US/

You could also set a BIOS password that would prevent someone
from making a change to the boot order. Always set your hard drive
as the first bootable device, and not the CD Drive or floppy drive.
Therefore no one could boot into your system using a CD or floppy
disk.

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

------------------------------------------------------------------------------

:

| I have recently been looking into using the encryption tool in WinXP Pro for
| added privacy/security. Then someone at work told me about a bootable CD
| from winternals.com(?) called Super Acronis or Locksmith which allows you to
| change the password for any user on that machine. A reboot later and you
| can log on to that account - including Administrator with the new password.
| As it is the account that your files were encrypted with, anyone who did
| this would automatically be granted access to the encrypted files. They
| even give you a 5 day working demo available for free!
|
| On looking at this NG I can see recent posts 'Forgotton Logon password'
| which also cover this.
|
| If this is so easy to do, it made wonder if there is much point in using
| Windows' encryption? Is the purchase of 3rd party software necessary to
| ensure that files can be made secure/private?
 
M

Malke

AberTech said:
I have recently been looking into using the encryption tool in WinXP
Pro for
added privacy/security. Then someone at work told me about a bootable
CD from winternals.com(?) called Super Acronis or Locksmith which
allows you to
change the password for any user on that machine. A reboot later and
you can log on to that account - including Administrator with the new
password. As it is the account that your files were encrypted with,
anyone who did
this would automatically be granted access to the encrypted files.
They even give you a 5 day working demo available for free!

On looking at this NG I can see recent posts 'Forgotton Logon
password' which also cover this.

If this is so easy to do, it made wonder if there is much point in
using
Windows' encryption? Is the purchase of 3rd party software necessary
to ensure that files can be made secure/private?
Click to expand...

The encryption for files is completely different from the ability to get
the password to get into Windows. Anyone with skill and time can get
into a computer, no matter what operating system is running. Again,
this is different from data encryption. Here are links to help you
understand XP's encryption:

http://tinyurl.com/6l6xx - MS information about EFS (Encryption)
http://www3.telus.net/dandemar/encrypt.htm - encryption info
http://www.beginningtoseethelight.org/efsrecovery/ - more encryption
info
http://www3.telus.net/dandemar/private.htm - making stuff private

If you use XP's encryption, please make very sure that you understand
completely how to use it and how to back up your certificates and set a
recovery agent.

Malke
 
A

Admiral Q

If the Windows password is not changed via the proper channels (i.e. booting
with some type of hacking software and brut force changing the password in
SAM) then any files encrypted by that logon (aka userid) will remain
encrypted and unusable.
Also note, the first rule of "security" is eliminating the "physical"
access - almost all security is off if "physical access" cannot be
eliminated.

--
Star Fleet Admiral Q @ your service!
"Google is your Friend!"
www.google.com

***********************************************
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

More than one encryption key: XP PRO not-networked 1
Encryption solution like this exist? 2
User Accounts, Encryption, and Busted Systems 3
problem with EFS encryption 1
Logon Password and XP file encryption 3
Best encryption application 2
Re: How to decrypt files without the EFS Certificate 4
Encryption Question 1

Top