Re: The ugly side of using disk encryption

["Kevin Tunison" <ktunison () gmail com>]

--Use this info at your own risk--

My apologies if it sounds patronizing at times.

Forget about roaming profiles on those laptops and encryption...

If you are using Windows XP Pro SP2, EFS (Encrypted FileSystem)
enables FIPS compliant AES encryption by default.

You can ensure AES is used by going through group policy:

Computer Config, Windows Settings, Security Settings, Local policies,
Security Option.  In a domain make sure this is not over-ridable.

What your solution doesn't address is the paging file, which will be
an unecrypted source for those Office documents.  You can encrypt the
entire drive except files marked with a 'sys' attribute (All this must
be NTFS), but expect a significant performance decrease.  You can
backup the keys with the cipher command (run cipher /?) easily.  There
you have your recovery agent.  As for the paging file, set it to have
the same value for the min and max size, and enable the registry
setting to make sure it's wiped (or script a cipher.exe command if
that's possible - I am not sure about that).  Also think about
hibernation files, system restore, temp folders, print spools...
anywhere remanents of that sensitive data that could be available
unencrypted.

To take it another step, enable local computer policy to enforce a
short-time to change passwords, enforce long passwords, remember a
large number of passwords, and disable caching logon credentials.  You
must be careful here, because resetting that local password will wipe
any data not backed up!  Also, if EFS gets disabled on the laptop
through group policy, those files are gone from the machine.

http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c18621675.mspx
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx

One last link which has a good breakdown of EFS.

http://www.xpforum.co.uk/forums/technical-reference-library/1912-guide-encryption-efs.html

You will come across some software toting to be able to crack EFS no
problem etc etc.  Pre SP1, EFS used a very weak form of encryption
(XDES or something).  There is speculation that AES has been cracked
as well, but it is just that, speculation. Acutally, what the story
is, is that the brute force method can be taken down a few powers
(Still mathematically leaving umptee-ump years/decades before brute
forcing) BUT, there must be realtime access to the OS datastream.
What encryption is intended to do is not be impenetrable, but making
cracking of the encryption hard/long enough that the data once
recovered would then be past its 'sell-by' date.

Lastly, encryption for road warriors is paramount, but it's not the
only thing.  If you have competitors that you are fairly certain have
the means to make a concerted effort to acquire corporate secrets,
then encryption is just one small aspect.  Security as a hole for the
entire organization must be addressed (only strong as your weakest
link).

Depending on time-constraints that users are in the field, it's also
feasible to gear up an -auto-reinstall- on the machine after sending
(encrypted of course) off or backing up the sensitive data.

On 10/22/06, Will Yonker <aragonx () dcsnow com> wrote:
> This thread has finally got me off my butt.  I have been meaning to create
> some sort of encryption standard for a few customers but encryption really
> isn't my area.
>
> So here is the question:  What is the best way to encrypt data?
>
> A broad question, I know.  Let me narrow it down.
>
> 1)  Some users work with sensitive data on their laptops when in places
> where network access is unreliable.
> 2)  This is data that would be useful to competitors.  It could be
> financially beneficial for these competitors to hire professionals to gain
> access to any data that might be stored on the laptop.
> 3)  The data can be in the gigabytes but not more than 10 GB.
> 4)  Speed of the decryption is not a large factor.
> 5)  Some of the files will be MS Word and MS Excel documents.
> 6)  All machines are running Windows XP.
>
> Now, I've taken a look at TrueCrypt and figured that a three cypher,
> hidden volume, passphrase + key stored on USB stick to be the best that I
> could do.  I was also playing with the idea of installing TrueCrypt only
> on the USB stick so the attacker would have to guess what was used to
> create the hidden volume if they found it.
>
> Is this the best approach?  Is there more that I could do to easily
> enhance the security?  Do I need to worry about clearing something off the
> C:\ drive like the system cache?
>
> I'm guessing a medium sized corporation would be willing to put more
> effort into obtaining the data than the government did with this guy.
> Most have a powerful cluster at their disposal so I guess they could brute
> force it.  Is there a way I can make that take longer?
>
> I know there is no perfect solution, just ways to slow down the attackers.
>
> As always, any help would be appreciated.
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence
> in Information Security. Our program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Using interactive e-Learning technology, you can earn this esteemed degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------