funsec mailing list archives
Re: Microsoft shutters Windows private folders
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sun, 16 Jul 2006 23:17:46 -0400
On 7/16/06, Peter Kosinar <goober () nuf ksp sk> wrote:
> > Whether or not you have good or evil admins they are not gods.
> > Just because they administer networks and systems doesn't
> > mean that they should have access to the data on the systems and
> > the network they administer.
> >
> > Either way... there's no such thing as absolute security and
> > using EFS, Private Folders, other data encryption mechanisms
> > makes it much harder to compromise data confidentiality.
>
> Right but it has already been pointed out that it's virtually impossible to
> protect the data from the evil admin (yes, proper infrastructure -can- help
> a lot but, as you've said, there is no such thing as absolute security).
> Moreover, the C*O's are very often a bit strange people -- WHEN they
> forget/delete their password/passphrase/secret key/..., they EXPECT help
> from the very admin they were trying to protect their data from and even
> BLAME him/her for their own mistake if (s)he can't help.
>
> > If I use the same logic about bypassing protection mechanisms
> > then I can say that a safe in a secret bunker with an army of guards
> > can't protect CEO's data either... All I have to do is inject him with
> > a poison that activates within 2 hours if an antidote is not given...
>
> Right. It's the weakest link that matters, not the strongest one. If it is
> the machine, it'll get attacked. If it is the CEO, (s)he'll get attacked.

The reason I was against the inclusion of private folders was not because it hides data, but simply due to the fact that someone who didn't know what they were doing would potentially have access to encryption software. It can be installed by a tech if it's required, but giving that capability by default to every Windows user you have can lead to bad things.

I had a scary incident with an encrypted folder and a high level end user. His wife told him about Windows encryption and we hadn't explicitly disabled it with a GPO, so he promptly encrypted a file and forgot his password. He was a little embarrassed about it, and I only found out due to the roaming profile and the fact that we couldn't get a successful backup.

Luckily EFS is cheesy and the domain admin can unlock everything, but can you imagine if it was a good implementation of an encrypted file system?

-JP<who is glad you have to be a local admin to turn on BitLocker, but still wants a GPO to disable it altogether>