
Solved

Question on EFS in XP

Posted on 2006-06-20
Last Modified: 2010-05-18
One of the features (as listed in the XP Help and Support Center):
* Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.

Does this mean that all someone has to do is copy the file to something other than NTFS and the encryption is broken? If so, what's the point of EFS?

Also, if someone removes the password on a user's account by force (not through Control Panel -> User Accounts), will that person have access to encrypted file contents? What if the password is just removed in Control Panel -> User Accounts?

I am trying to determine if EFS is sufficient for protecting HR files in case a computer is stolen.
Question by:zephyr_hex (Megan)
7 Comments
 
LVL 7

Assisted Solution

by:MessHallMan
MessHallMan earned 200 total points
ID: 16944436
I personally would not depend on EFS for the storage of any sensitive data. There are too many programs that can crack the passwords.  If you are looking to store sensitive data on a laptop, I would recommend looking at a third party encryption program.
LVL 12

Assisted Solution

by:fruhj
fruhj earned 200 total points
ID: 16944471
Hi zephyr_hex,
> one of the features (as listed in the XP Help and Support Center):
> * Encrypted files can become decrypted if you copy or move the file to
> a volume that is not an NTFS volume.

True if the user who encrypted the file is the one doing the copy.

Thanks!
LVL 44

Author Comment

by:zephyr_hex (Megan)
ID: 16944521
OK, so if someone were to steal my computer and copy the file to FAT32, they would not break the encryption?

Also, what about the user account password? If that is removed, is the encryption broken?
LVL 44

Author Comment

by:zephyr_hex (Megan)
ID: 16944545
OK, I may be able to answer part of the question myself...
The private key should be exported to removable media whenever the computer is not in use. This way, even if the computer is stolen, the encryption is not broken. When a valid user wants to use the computer, they should import the private key from the removable media.
LVL 69

Assisted Solution

by:Callandor
Callandor earned 200 total points
ID: 16944624
See http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx?mfr=true

Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.
 
Moving unencrypted files into an encrypted folder will automatically encrypt those files in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.
LVL 59

Accepted Solution

by:LeeTutor
LeeTutor earned 1400 total points
ID: 16944949
Also see this:

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Copying, Moving and Saving Encrypted Files

Because of the unique nature of encrypted files, different results can occur when moving or copying encrypted files between locations. For example, when copying an encrypted file from a local machine to a server on the network, different results of the copy operation will occur depending on the operating system being used on the server. In general, copying a file will inherit the EFS properties of the target, but a move operation will not inherit the EFS properties of the target folder.

When copying an encrypted file:

• If using Windows 2000 and the target server is running Microsoft® Windows NT Server 4.0, the file will be silently decrypted and copied to the server. If using Windows XP or Windows Server 2003, the user will be warned and prompted to allow the decryption operation.
 
• If the target server is running Windows 2000 or Windows Server 2003, and the machine account of the server is trusted for delegation in the Active Directory, the file will be silently decrypted and copied to the server where it will be re-encrypted using a local profile and encryption key.

Note: The file is transmitted on the network between the client and the server in an unprotected format. If this file contains confidential information, care should be given to ensure that the network connection also provides secure transmission of the data. Such network data protection might include IP Security (IPSec).
 
• If the target server is running Windows 2000 or Windows Server 2003 and the machine account of the server is not trusted for delegation in the Active Directory, or the server is in a workgroup or a Windows NT 4.0 domain, the file will not be copied and the user will receive an "access denied" error message.
 

The "access denied" error message is returned to applications from the NTFS file system in order to ensure compatibility with existing applications. The use of an alternate or more descriptive error message would cause many applications to fail or behave erratically.

The Windows XP Professional client contains some enhancements in the area of copying encrypted files. Both the shell interface and the command-line now support an option to allow or disallow file decryption. When an encrypted file is copied to a target location that does not allow remote encryption, the user will be prompted with a dialog box that allows a choice of whether or not to decrypt the file.

The command-line tools, XCOPY and COPY, allow the same behavior through a special parameter switch to allow decryption on the copy operation.

C:\>copy /?  (Copies one or more files to another location.)

COPY [/D] [/V] [/N] [/Y | /-Y] [/Z] [/A | /B ] source [/A | /B]
     [+ source [/A | /B] [+ ...]] [destination [/A | /B]]

  source   Specifies the file or files to be copied.
  /D       Allows the destination file to be created decrypted.

Note: This will allow a file to be created in plain text on the destination location/server if remote encryption is not supported on the target server.

C:\>xcopy /?  (Copies files and directory trees.)

XCOPY source [destination] [/A | /M] [/D[:date]] [/P] [/S [/E]] [/V] [/W]
       [/C] [/I] [/Q] [/F] [/L] [/G] [/H] [/R] [/T] [/U]
       [/K] [/N] [/O] [/X] [/Y] [/-Y] [/Z]
       [/EXCLUDE:file1[+file2][+file3]...]

  source        Specifies the files to copy.
  destination   Specifies the location and/or name of new files.
  /G            Allows the copying of encrypted files to a destination that does not support encryption.

Note: Windows Server 2003 and Windows XP Service Pack allow for a registry setting that will allow files to be decrypted silently by applications or by using the command-line without the additional command-line parameters. To set this option create the following registry DWORD value:

Key:    HKLM\Software\Policies\Microsoft\Windows\System\
Name:   CopyFileAllowDecryptedRemoteDestination (DWORD)
Value:  1

Saving Files with EFS File Sharing

When a file has been encrypted for multiple users, an application must call a specific API to ensure that the encryption data (certificates) for the additional users is not lost when the file is opened, modified and saved in its native application file format. Native documents opened with Microsoft Office XP will retain the multi-user EFS status while other applications may remove the additional users that were added to the file. Consult the manufacturer of your specific application for more details about its interoperability with EFS.
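As an added example (not from this thread and not Microsoft's code), a PowerShell script a defender could run on the laptop to check two things the accepted solution raises: whether the silent-decryption-on-copy policy value quoted above has been set, and which files under the HR folder lack the per-file Encrypted attribute. The folder path C:\HRFiles is an assumption; the registry key and value name are the ones quoted in the answer.

```powershell
# Added example, not from the thread: audit EFS coverage of an HR folder and check
# whether the silent-decryption policy quoted in the accepted solution is enabled.
# $Path is an assumed location; point it at wherever the HR files actually live.
param([string]$Path = 'C:\HRFiles')

$policyKey    = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$policyName   = 'CopyFileAllowDecryptedRemoteDestination'
$encryptedBit = [int][IO.FileAttributes]::Encrypted   # 0x4000, set per file by EFS

# 1. Policy check. A value of 1 lets applications and the command line write an
#    encrypted file in plain text to a non-EFS destination with no COPY /D or
#    XCOPY /G switch and no prompt, which is the weaker setting for a laptop.
$value = $null
if (Test-Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($props -ne $null) { $value = $props.$policyName }
}
if ($value -eq 1) {
    Write-Warning ("{0} = 1: encrypted files can be copied to non-EFS targets in plain text without a prompt." -f $policyName)
} else {
    Write-Output ("{0} is not 1: such copies prompt the user or fail with access denied." -f $policyName)
}

# 2. File check. Encryption is a per-file attribute, so walk the folder and list
#    every file that does not carry it (each one is a gap in the protection).
#    PSIsContainer is used instead of -File so this also runs on PowerShell 2.0.
$files = @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction Stop |
           Where-Object { -not $_.PSIsContainer })
$unencrypted = @($files | Where-Object { ([int]$_.Attributes -band $encryptedBit) -eq 0 })

Write-Output ("{0} files under {1}; {2} NOT encrypted" -f $files.Count, $Path, $unencrypted.Count)
$unencrypted | ForEach-Object { Write-Output ("  " + $_.FullName) }
```

Run it as the user who owns the HR files; a non-empty list means some files would leave the machine readable even before any copy to FAT32 or a network share is considered.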
LVL 59

Expert Comment

by:LeeTutor
ID: 16945482
And from the same link I gave above, this passage about passwords should answer your other questions:

Resetting Local Passwords on Windows XP
Windows XP has new behavior regarding locally changed passwords and EFS. In Windows 2000, when a local user password was reset by an administrator, the administrator or third party could theoretically use the newly changed account to log on as the user and decrypt the encrypted files. In Windows XP, the changing of a local user password by an administrator, or through a method other than by the user, will block all access to previously encrypted files by the user.

In summary, the profile and keys of the user will be lost and will not be available to the account with the reset password. Windows XP gives the following warning when attempting to reset a user account password:

Warning: Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.

This feature helps to guard against offline attacks and prevents rogue administrators from gaining access to encrypted files of other users.

