Educause Security Discussion mailing list archives

Re: Data on sensitive computers


From: "Schmidt, Eric W" <erschmid () IUPUI EDU>
Date: Mon, 25 Apr 2005 08:53:55 -0500

I forwarded this email to one of our Network and Security Managers who's
been heavily involved in deploying EFS throughout his department.  I
asked him what he thought of this email exchange and his thoughts on
EFS.  Here's his response:
-----------------
I was at a SANS training class and the person (he was extremely
knowledgeable...worked in the military with hands on computer security
and encryption for years) who was the trainer thought EFS was very
secure when used and deployed correctly.

From what I have read the encryption process itself is not weak (256-bit
AES for XP), but there are some "features" that Microsoft adds for
recovery that can be exploited. For instance, there are some "features"
with stand-alone systems that can be exploited, but domain member
systems are more resistant to those exploits (with best practices
applied). 

A 3rd party encryption method could be worth exploring and EFS
represents something we can use now for "free". There are also best
practices to EFS deployment that mitigate some of the known EFS exploits
(which may be what that software is doing).
-----------------

_____________________________________ 
ERIC W. SCHMIDT, CISSP, CISM 
Chief Security Officer 
Indiana University School of Medicine 
Office:  317-278-8751 
Cell:  317-696-5340 
Email:  erschmid () iupui edu 



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave Koontz
Sent: Friday, April 22, 2005 2:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data on sensitive computers

While Windows EFS may be "less vulnerable" than un-encrypted files, I
would personally opt for stronger products like PGPDisk, SecurStar's
DriveCrypt / DriveCrypt Plus Pak, StrongDisk, BestCrypt, etc.

If my understanding is correct, EFS is a very weak encryption process
and can be easily defeated by various commercial or free products.

For example, consider the ElcomSoft "Advanced EFS Data Recovery"
product.
http://www.elcomsoft.com/aefsdr.html.  While I've not experimented with
this program or others like it, their mere existence makes me very leery
of Microsoft's encryption.

--- PRODUCT DESCRIPTION ---
Advanced EFS Data Recovery (or simply AEFSDR) is a program to recover
(decrypt) files encrypted on NTFS (EFS) partitions created in Windows
2000, Windows XP and Windows Server 2003. Files are being decrypted even
in a case when the system is not bootable and so you cannot log on,
and/or some encryption keys have been tampered with. Besides, decryption is
possible even when Windows is protected using SYSKEY. AEFSDR effectively
(and instantly) decrypts the files protected under all versions of Windows
Server 2003 (Standard and Enterprise), Windows XP (including Service
Packs 1 and 2) and Windows 2000 (including Service Packs 1, 2, 3 and 4).




-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Friday, April 22, 2005 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Data on sensitive computers

Has anyone implemented the Encrypting File System under Windows laptops
to make the data less vulnerable to theft?
At 09:43 AM 4/22/2005, Samuel Liles wrote:
 -----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon E. Mitchiner
Sent: Friday, April 22, 2005 9:36 AM

This brings up interesting questions.  Are there security measures that
your school takes to protect sensitive computers/laptops/hard drives 
(such as Accounting, Health Services, etc?)

Do you force all sensitive data to be saved on a remote server in a 
secure location (perhaps utilizing Terminal Services)?  I am starting 
to wonder if this is something that we should investigate into with 
sensitive departments so if the hard drives are stolen then we'd like 
to know there's not much we should be worried about.

-----End Original Message-----

Since I have some of the same issues that the UC Berkeley Prof was 
discussing I've been looking at 
http://www.pointsec.com/core/default.asp as a possible solution.
Unknown at this point if it would actually work, if there is a 
performance hit, or other issues. It would be nice to get for 
evaluation. It would seem to solve the Knoppix CD in the CDROM drive
issue.
Along with BIOS passwords, Grub Passwords, and encrypted file systems.


--------------------------
Sam Liles

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
