how-to block ads
|
altermatt
Premium
join:2004-01-22
White Plains, NY
 ·Verizon Online DSL
| Windows EFS: huh?
Haved used PGP for ages and recently True Crypt. Just was helping out a newbie and he asked about encrypting some files in a folder, but didn't want a separate program, so I figured I'd try out the built in EFS (right click, encrypt). When I right clicked on the folder, it asked if I wanted to encrypt subdirectories and files, I said yes, and voila, it was encrypted.
Now I was nervous, as we hadn't set up a password or created a key or anything (which is what I was used to.) So I figured I'd try to decrypt and see what happened; I right-clicked, clicked decrypt, and poof, it was decrypted. HUH?
How is this safe? Windows Help says that this is protection against someone having PHYSICAL ACCESS to your files. HOW? If all he has to do is right click and decrypt (or, as I discovered, merely doubleclick the file), how is this protecting against someone with access?
I'm assuming that if the file were moved to, say, a USB key it couldn't be opened, or couldn't be opened from another user account on the computer, but the Help file specifically said it protected against someone who had physical access. They even distinguished it from XP Pro's permissions, saying that doesn't protect against someone logged in as you, but neither did this, it seems. So how is this protection?
Sorry if this is a clueless question, but again, I'm new to EFS.
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick | |
dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
edit:
April 11th, @04:46PM
| The encryption protects the file system against someone who is not you. Once you have authenticated yourself to the OS, it trusts you to be you.
Do not walk away and leave your workstation unlocked, if you can't trust who might walk up to it. Don't allow login to your account without a password, if you can't trust who might walk up to the PC.
In short, account security is the foundation of all else.
You can argue it either way, but on the whole, Windows kernel people tend to avoid making the design assumption that there's someone sitting in the seat who can at all times tell the computer what to do.
>They even distinguished it from XP Pro's
>permissions, saying that doesn't protect against
>someone logged in as you, but neither did this,
>it seems.
That part I don't understand. Where are you quoting from? Permissions don't protect against other admins; this does. It doesn't protect against you, though. | |
altermatt
Premium
join:2004-01-22
White Plains, NY
·Verizon Online DSL
edit:
April 11th, @05:30PM
| said by dave  :Permissions don't protect against other admins; this does. It doesn't protect against you, though. That's exactly what I thought, hence my confusion when the Help file said it protects against someone having PHYSICAL ACCESS to your files, which I interpret as actually sitting down at your computer, all nice and logged on because you were lazy enough to leave it sitting there  . One confusing bit from the Help files (File Encryption Overview); bolding mine:
Using EFS is similar to using permissions on files and folders. Both methods can be used to restrict access to data. However, an intruder who gains unauthorized physical access to your encrypted files or folders will be prevented from reading them. If the intruder tries to open or copy your encrypted file or folder he receives an access denied message. Permissions on files and folders do not protect against unauthorized physical attacks. To me, this is misleading, but it may just be the way I read it. At any rate, it's probably moot as I don't use EFS, preferring PGP, AxCrypt, or TrueCrypt---and I'd never leave my computer logged on in an area where others would have access without a strong screensaver password, etc.
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick | |
ahulett
Equal Rights - It's Time
Premium
join:2003-02-02
Redmond, WA
| reply to altermatt
said by altermatt :Now I was nervous, as we hadn't set up a password or created a key or anything (which is what I was used to.) An EFS certificate is created and checked into the certificate store the first time anything is encrypted under a user account. If you open the Certificate Manager Snap-In (Start | Run | certmgr.msc) I believe you will find it under Personal Certificates listed as "Encrypting File System" in the Friendly Name column.
You can export this certificate so that if down the road the user account becomes lost/corrupt/etc you can import the certificate to another account and access files encrypted by it.
Hope this helps,
Aaron
--
Aaron Hulett | Senior Spyware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights. | |
altermatt
Premium
join:2004-01-22
White Plains, NY
·Verizon Online DSL
| Thanks, Aaron. My concern was much more that anyone sitting down at the computer when it's logged in can decrypt without a password or anything, which is NOT, to me, protecting from "physical access" NOR the way an encryption should work. This doesn't seem to protect anymore than the usual steps of setting permissions in any meaningful way. If you know that no one will ever have access to your computer, you don't really need encryption; I assume most people use encryption (as I do) to prevent others from seeing a file even if they should gain access.
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick | |
Vig
Thread-safe since 1997
Premium
join:2004-03-23
San Diego, CA
 ·RoadRunner Cable
| The one case this does protect against is someone gaining physical access to the machine that is not logged in at the time. If someone can walk up to the machine and grab the hard drive or somehow take some files off of it without being able to log in, he would then have to crack the account credentials to see the encrypted files.
I guess I don't agree with the assumption that anyone gaining physical access would be able to do so with the account logged in and waiting for him. File encryption of this type would offer some protection, at least for someone conscientious enough to lock the terminal before walking away.
Whether it makes sense to have an encryption scheme without a dedicated password (rather than using the account login credentials as this does) is a different topic. Personally, I would be more comfortable with a separate password for file encryption, but I don't think it's absolutely necessary in order for the encryption to have value.
--
Visit the land of the never-setting sun | |
dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
| Right. The EFS model seems to me to be protecting against theft. It implicitly assumes that while the computer is operational, the data are adequately protected by the operating system, which in this OS means usernames/passwords/permissions. But the operating system can't help when it's not running (disk placed in different machine, other OS installed on same disk as means to get at protected data, etc.) and that's what EFS is for.
EFS will protect files on your stolen laptop, but not if you have that laptop configured for automatic login.
I'm not saying that a desire for an explicit password is invalid, but that's not the situation that EFS is designed for. | |
altermatt
Premium
join:2004-01-22
White Plains, NY
·Verizon Online DSL
| said by dave : But the operating system can't help when it's not running (disk placed in different machine, other OS installed on same disk as means to get at protected data, etc.) and that's what EFS is for. If I use permissions to let only "harry" have access to a file, I was assuming that one has to be logged in as "harry" to have access to it. But now I'm understanding that putting the disk in another machine, without harry's credentials, still givse the thief access to the file? Once the disk is on another machine, the permissions aren't enforced? So that is what EFS can do?
Still seems like a limited tool when other encryption programs, even PGP, let you encrypt a file so that in the same machine OR another machine, no one can access it without the password and key, right?
Thanks for the explanations, guys; I think I understand EFS a bit better now, though obviously I'm still not quite convinced of its value compared to most other encryption programs. I should think that the likelihood of someone removing the hard drive, especially from a laptop, to recover files is low compared to someone gaining access to the account when a worker walks away from his machine. I'd always assumed EFS used a password. Live and learn  .
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick | |
dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
| said by altermatt :If I use permissions to let only "harry" have access to a file, I was assuming that one has to be logged in as "harry" to have access to it. Yes, but. Anyone who has administrator access to that machine can forcibly seize ownership of the file, and change the permission.
So your privacy is limited by the trust you place in other people who have admin access to the machine. If you're the only admin, you're safe. Others, no so much.
But now I'm understanding that putting the disk in another machine, without harry's credentials, still givse the thief access to the file? Yes, in the sense that the thief will surely have admin access on his machine. So he can take ownership of the files on the stolen disk, change the permissions, and see them.
The same thing is true if I simply reinstall the OS from scratch on a stolen computer, probably your laptop. I'm now the admin. Your files are mine. I don't need to remove the disk - the real risk is 'accessing the disk from an OS I control'.
Once the disk is on another machine, the permissions aren't enforced? Yes, they're enforced. But what you can't control is who gets administrative control.
Ultimately, an admin gets to do what he likes with file ownership, one way or another. This 'hole' in the protection system is a necessary one; otherwise there would be cases where you'd be unable to get at files because the owner couldn't be there (forgot his password, got run over by a bus, got fired, etc).
So that is what EFS can do? Yes.
Still seems like a limited tool when other encryption programs, even PGP, let you encrypt a file so that in the same machine OR another machine, no one can access it without the password and key, right? You say 'limited', I say 'well-integrated and doesn't keep bugging me for the damn password it already knows'
Especially since on my work machines I often run programs when I am not sitting at the computer. (I don't keep the disk encrypyted, but if I did, a type-the-password solution would be a serious inconvenience).
It just depends on what you're trying to achieve. You're thinking in terms of one or two files, I suppose. Imagine a file system with thousands of files encrypted, that were in frequent use. Are you going to get prompted for every file opened? | |
altermatt
Premium
join:2004-01-22
White Plains, NY
·Verizon Online DSL
| Thanks, Dave. I really didn't know you couldn't set permissions to include JUST a user and not the admin.! So learned even more than about EFS.
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick | |
BandHeight
join:2004-08-30
Portland, TX
| reply to altermatt
said by ahulett :You can export this certificate so that if down the road the user account becomes lost/corrupt/etc you can import the certificate to another account and access files encrypted by it. Hope this helps, Aaron said by altermatt :Thanks, Aaron. My concern was much more that anyone sitting down at the computer when it's logged in can decrypt without a password or anything ... Aaron's advice is actually extremely important once you have gone down the EFS road. It is not uncommon for people to ignore the fact that their encrypted files are tied directly to a specific user account, and modifying or removing that user account will cause you much grief (the data loss kind) unless you have taken the necessary precautions.
Here are some links to best practices and general info for safely using EFS:
»www.microsoft.com/technet/securi···efs.mspx
»support.microsoft.com/kb/223316
And if things go bad before you implement best practices:
»www.beginningtoseethelight.org/efsrecovery/ | |
altermatt
Premium
join:2004-01-22
White Plains, NY
·Verizon Online DSL
| Bookmarking those links, BandHeight, not because I think I'd ever need them, but because I know a lot of noob friends who seem to crave playing with these technologies for the sole purpose of screwing them up and calling me in a panic . Thanks.
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick | |
|
