Question on EFS in XP

one of the features (as listed in the XP Help and Support Center):
* Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.

does this mean that all someone has to do is copy the file to something other than NTFS and the encryption is broken?  if so, what's the point of EFS?

also, if someone removes the password on a user's account by force (not through control panel->user accounts), will that person have access to encrypted file contents?  what if the password is just removed in control panel->user accounts?

i am trying to determine if EFS is sufficient for protecting HR files in case a computer is stolen.
zephyr_hex (Megan) Developer Asked:
 
LeeTutor retired Commented:
Also see this:

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Copying, Moving and Saving Encrypted Files

Because of the unique nature of encrypted files, different results can occur when moving or copying encrypted files between locations. For example, when copying an encrypted file from a local machine to a server on the network, different results of the copy operation will occur depending on the operating system being used on the server. In general, copying a file will inherit the EFS properties of the target, but a move operation will not inherit the EFS properties of the target folder.

When copying an encrypted file:

• If using Windows 2000 and the target server is running Microsoft® Windows NT Server 4.0, the file will be silently decrypted and copied to the server. If using Windows XP or Windows Server 2003, the user will be warned and prompted to allow the decryption operation.
 
• If the target server is running Windows 2000 or Windows Server 2003, and the machine account of the server is trusted for delegation in the Active Directory, the file will be silently decrypted and copied to the server where it will be re-encrypted using a local profile and encryption key.

Note The file is transmitted on the network between the client and the server in an unprotected format. If this file contains confidential information, care should be given to ensure that the network connection also provides secure transmission of the data. Such network data protection might include IP Security (IPSec).
 
• If the target server is running Windows 2000 or Windows Server 2003 and the machine account of the server is not trusted for delegation in the Active Directory, or the server is in a workgroup or a Windows NT 4.0 domain, the file will not be copied and the user will receive an "access denied" error message.
 

The "access denied" error message is returned to applications from the NTFS file system in order to ensure compatibility with existing applications. The use of an alternate or more descriptive error message would cause many applications to fail or behave erratically.

The Windows XP Professional client contains some enhancements in the area of copying encrypted files. Both the shell interface and the command-line now support an option to allow or disallow file decryption. When an encrypted file is copied to a target location that does not allow remote encryption, the user will be prompted with a dialog box that allows a choice of whether or not to decrypt the file.

The command-line tools, XCOPY and COPY, allow the same behavior through a special parameter switch to allow decryption on the copy operation.

C:\>copy /? (Copies one or more files to another location.)

COPY [/D] [/V] [/N] [/Y | /-Y] [/Z] [/A | /B ] source [/A | /B]
     [+ source [/A | /B] [+ ...]] [destination [/A | /B]]

source (Specifies the file or files to be copied.)

/D (Allows the destination file to be created decrypted.)

Note: This will allow a file to be created in plain text on the destination location/server if remote encryption is not supported on the target server.

C:\>xcopy /? (Copies files and directory trees.)

XCOPY source [destination] [/A | /M] [/D[:date]] [/P] [/S [/E]] [/V] [/W]
       [/C] [/I] [/Q] [/F] [/L] [/G] [/H] [/R] [/T] [/U]
       [/K] [/N] [/O] [/X] [/Y] [/-Y] [/Z]
       [/EXCLUDE:file1[+file2][+file3]...]

source (Specifies the files to copy.)

destination (Specifies the location and/or name of new files.)

/G (Allows the copying of encrypted files to a destination that does not support encryption.)

Note Windows Server 2003 and Windows XP Service Pack allow for a registry setting that will allow files to be decrypted silently by applications or by using the command-line without the additional command-line parameters. To set this option create the following registry DWORD value:

HKLM\Software\Policies\Microsoft\Windows\System\

DWORD Name: CopyFileAllowDecryptedRemoteDestination

Value: 1

Saving Files with EFS File Sharing

When a file has been encrypted for multiple users, an application must call a specific API to ensure that the encryption data (certificates) for the additional users is not lost when the file is opened, modified and saved in its native application file format. Native documents opened with Microsoft Office XP will retain the multi-user EFS status while other applications may remove the additional users that were added to the file. Consult the manufacturer of your specific application for more details about its interoperability with EFS.
0
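As an added example (not part of the thread or of the TechNet article), a PowerShell audit of the conditions quoted above under which an EFS file can end up as plaintext: the silent-decryption policy value, mounted volumes that are not NTFS, and files in the protected folder that are not encrypted at all. `C:\HR` is a hypothetical folder name, and the script assumes PowerShell 3.0 or later.

```powershell
param(
    # Hypothetical folder holding the sensitive files; pass your own path.
    [string]$Root = 'C:\HR'
)

# 1. Policy value named in the TechNet passage. When it is 1, applications and
#    COPY/XCOPY may write plaintext to a remote target without /D or /G.
$key  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$name = 'CopyFileAllowDecryptedRemoteDestination'
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$silentDecrypt = ($null -ne $prop) -and ($prop.$name -eq 1)

# 2. Ready volumes that are not NTFS. An encrypted file copied or moved to one
#    of these by its owner is stored decrypted.
$nonNtfs = @(
    [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.IsReady -and $_.DriveFormat -ne 'NTFS' } |
        ForEach-Object { '{0} ({1}, {2})' -f $_.Name, $_.DriveFormat, $_.DriveType }
)

# 3. Files under $Root that do not carry the Encrypted attribute. Files must be
#    encrypted explicitly or inherit encryption from an encrypted folder.
$encFlag = [System.IO.FileAttributes]::Encrypted
$files = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue)
$plain = @($files | Where-Object { ($_.Attributes -band $encFlag) -ne $encFlag })

# Summary object first, then the paths that need attention.
[pscustomobject]@{
    SilentRemoteDecryptPolicy = $silentDecrypt
    NonNtfsVolumes            = $nonNtfs -join '; '
    FilesChecked              = $files.Count
    FilesNotEncrypted         = $plain.Count
}
$plain | Select-Object -ExpandProperty FullName
```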
 
MessHallMan Commented:
I personally would not depend on EFS for the storage of any sensitive data. There are too many programs that can crack the passwords.  If you are looking to store sensitive data on a laptop, I would recommend looking at a third party encryption program.
0
 
fruhj Commented:
Hi zephyr_hex,
> one of the features (as listed in the XP Help and Support Center):
> * Encrypted files can become decrypted if you copy or move the file to
> a volume that is not an NTFS volume.

True if the user who encrypted the file is the one doing the copy.
i

Thanks!
0

 
zephyr_hex (Megan) Developer Author Commented:
ok, so if someone were to steal my computer and copy the file to FAT32, they would not break the encryption?

also, what about the user account password?  if that is removed, is the encryption broken?
0
 
zephyr_hex (Megan) Developer Author Commented:
ok .. i may be able to answer part of the question myself...
the private key should be exported to removable media whenever the computer is not in use.  this way, even if the computer is stolen, the encryption is not broken.  when a valid user wants to use the computer, they should import the private key from the removable media.
0
 
Callandor Commented:
See http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx?mfr=true

Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.
 
Moving unencrypted files into an encrypted folder will automatically encrypt those files in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.
0
 
LeeTutor retired Commented:
And from the same link I gave above, this passage about passwords should answer your other questions:

Resetting Local Passwords on Windows XP
Windows XP has new behavior regarding locally changed passwords and EFS. In Windows 2000, when a local user password was reset by an administrator, the administrator or third party could theoretically use the newly changed account to log on as the user and decrypt the encrypted files. In Windows XP, the changing of a local user password by an administrator, or through a method other than by the user, will block all access to previously encrypted files by the user.

In summary, the profile and keys of the user will be lost and will not be available to the account with the reset password. Windows XP gives the following warning when attempting to reset a user account password:

Warning Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.

This feature helps to guard against offline attacks and prevents rogue administrators from gaining access to encrypted files of other users.

0
Question has a verified solution.
