Educause Security Discussion mailing list archives
Re: Data on sensitive computers
From: "Schmidt, Eric W" <erschmid () IUPUI EDU>
Date: Mon, 25 Apr 2005 08:53:55 -0500
I forwarded this email to one of our Network and Security Managers who's been heavily involved in deploying EFS throughout his department. I asked him what he thought of this email exchange and his thoughts on EFS. Here's his response:

-----------------
I was at a SANS training class and the person (he was extremely knowledgeable...worked in the military with hands-on computer security and encryption for years) who was the trainer thought EFS was very secure when used and deployed correctly.

From what I have read the encryption process itself is not weak (256-bit AES for XP), but there are some "features" that Microsoft adds for recovery that can be exploited. For instance, there are some "features" with stand-alone systems that can be exploited, but domain member systems are more resistant to those exploits (with best practices applied).

A 3rd party encryption method could be worth exploring and EFS represents something we can use now for "free". There are also best practices to EFS deployment that mitigate some of the known EFS exploits (which may be what that software is doing).
-----------------

_____________________________________
ERIC W. SCHMIDT, CISSP, CISM
Chief Security Officer
Indiana University School of Medicine
Office: 317-278-8751
Cell: 317-696-5340
Email: erschmid () iupui edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz
Sent: Friday, April 22, 2005 2:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data on sensitive computers

While Windows EFS may be "less vulnerable" than un-encrypted files, I would personally opt for stronger products like PGPDisk, SecurStar's DriveCrypt / DriveCrypt Plus Pak, StrongDisk, BestCrypt, etc.

If my understanding is correct, EFS is a very weak encryption process and can be easily defeated by various commercial or free products. For example, consider the ElcomSoft "Advanced EFS Data Recovery" product. http://www.elcomsoft.com/aefsdr.html. While I've not experimented with this program or others like it, their mere existence makes me very leery of Microsoft's encryption.

--- PRODUCT DESCRIPTION ---
Advanced EFS Data Recovery (or simply AEFSDR) is a program to recover (decrypt) files encrypted on NTFS (EFS) partitions created in Windows 2000, Windows XP and Windows Server 2003. Files are being decrypted even in a case when the system is not bootable and so you cannot log on, and/or some encryption keys have been tampered. Besides, decryption is possible even when Windows is protected using SYSKEY. AEFSDR effectively (and instantly) decrypts the files protected under all versions Windows Server 2003 (Standard and Enterprise), Windows XP (including Service Packs 1 and 2) and Windows 2000 (including Service Packs 1, 2, 3 and 4).

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Friday, April 22, 2005 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data on sensitive computers

Has anyone implemented the Encrypting File System under Windows laptops to make the data less vulnerable to theft?

At 09:43 AM 4/22/2005, Samuel Liles wrote:

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon E. Mitchiner
Sent: Friday, April 22, 2005 9:36 AM

This brings up interesting questions. Are there security measures that your school takes to protect sensitive computers/laptops/hard drives (such as Accounting, Health Services, etc?) Do you force all sensitive data to be saved on a remote server in a secure location (perhaps utilizing Terminal Services)?

I am starting to wonder if this is something that we should investigate with sensitive departments so if the hard drives are stolen then we'd like to know there's not much we should be worried about.
-----End Original Message-----

Since I have some of the same issues that the UC Berkeley Prof was discussing I've been looking at http://www.pointsec.com/core/default.asp as a possible solution. Unknown at this point if it would actually work, if there is a performance hit, or other issues. It would be nice to get for evaluation. It would seem to solve the Knoppix CD in the CDROM drive issue. Along with BIOS passwords, Grub Passwords, and encrypted file systems.

--------------------------
Sam Liles
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.