Tech Off Thread

2 posts

Encrypting File System (EFS): deployment, best practices and techniques to avoid attacks

  • Charles

    If you are interested in file system encryption, this may be of interest...

    http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032248127&Culture=en-US


    Enjoy,

    Charles

  • prog_dotnet

    Thanks a lot... I think people need to be educated on EFS best practices.
    You should make an EFS hardening guide also.
    The accelerated use of the Advanced EFS Data Recovery tool makes it harder to stay safe.
    MOCs and self-paced study guides do not warn people about possible attacks.
      
    Introduction

    Advanced EFS Data Recovery (or simply AEFSDR) is a program to recover (decrypt) files encrypted on NTFS (EFS) partitions created in Windows 2000, Windows XP and Windows Server 2003. Files are decrypted even in a case when the system is not bootable and so you cannot log on, and/or some encryption keys (private or master) have been tampered with. Besides, decryption is possible even when Windows is protected using SYSKEY. AEFSDR effectively (and instantly) decrypts the files protected under Windows Server 2003 (Standard and Enterprise), Windows XP (including Service Pack 1) and all versions of Windows 2000 (including Service Packs 1, 2, 3 and 4).


    = Requirements

    - Windows NT 4.0, Windows 2000, Windows XP or Windows Server 2003
    - Administrator privileges (for direct disk access).


    = Known problems and limitations

    - The program can decrypt protected files only if encryption keys (at least, some of them) still exist in the system and have not been tampered with.
    - Only "Basic" (but not "Dynamic") NTFS partitions are supported.
    - For files encrypted on Windows 2000, if the Account Database Key (SYSKEY) is stored on a floppy disk, or if the "Password Startup" option has been set, you should know/have one of the following in order to be able to decrypt the files:
      - startup password or startup floppy disk
      - the password of the user who encrypted the files
      - the password of the Recovery Agent (if one is available)
    - If the password of the user (who encrypted the files) has been changed after encryption, you may need to enter the old password into the program.
    - If files were encrypted under Windows XP (with or without SP1) or Windows Server 2003, the password of the user who encrypted the files (or the Recovery Agent) is needed for decryption.
    - The program has been tested only on files encrypted under the U.S. version of Windows; if any other (international) version has been used, correct work is not guaranteed.

     
