Can encrypted data be accessed if connected as slave drive.

netcomp
netcomp used Ask the Experts™
on
I already know that If you connect a hard drive as slave drive in another comptuer you can gain access to all the data regardless of not have windows user account info.

Now, What if a folder in encrypted in XP ? Would anyone be able to remove the hard drive from that computer and connect to another computer and gain access to any encrypted folder that. We are not using any third party tools, just windows XP encryption.(EFS)

It seems like Vista does not have this problem since it encrypt the entire drive and can use hardware encryption.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:
No. Not without the password or breaking the encryption.
Dave HoweSoftware and Hardware Engineer
Commented:
ok, conditionally yes. but not as badly as you might think

In EFS, files are encrypted to a randomly generated DESX key, which is then itself encrypted to a X509 certificate. In turn, the X509 certificate is stored in the user profile of the user encrypting the file, the secret password for which is secured with the user's login password.

This being true, then if the same user is logged into another machine (assuming AD; if the machines are standalone, the EFS x509 keys will be different between machines) AND can access the EFS file via file share or physically mounting the drive, he can unlock and read the file.

Another user can't do this, and resetting the user's password in AD does not gain access to the X509 certificate - in fact, it breaks the link and halts all access to the protected files until the user's password is again changed back to the original.

One final path is the "recovery agent" - it is possible to set, using GPO, a second X509 cert to be used for EFS encryption *in addition to* the user's own - the user possessing this X509 cert can therefore access the protected files in any situation where he can gain direct access to them (file share, backup, or drive mount). It is also possible to recover an X509 cert (if you know the password for it) using the efs key software from passware, and unlock the files in a failure recovery scenario (for instance, if windows can no longer boot)
Dave HoweSoftware and Hardware Engineer

Commented:
as an aside, the whole drive encryption in vista, when locked with Trusted Computing, is dangerous in a corporate environment (in that cold backups can't be successfully restored to another machine, nor can you recover data in a failure recovery scenario, but in that they offer *no* protection when the machine is booted and logged in by another user)

EFS is the preferred per-user encryption method, bitlocker a poor alternative.
How to Generate Services Revenue the Easiest Way

This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:

- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples

ParanormasticCryptographic Engineer
Commented:
As typical, agreeing with Dave...  just adding a little extra for flavor... whole hard disk encryption is indeed the way to go for protecting against physical intrusion, but offers nothing once the drive is booted up in operation and on the network - that is where EFS, encrypted zip files, email encryption, etc. come into play.  Some will disagree that EFS is "the preferred" method but rather a caveat-ridden solution that tends to work well for a lot of folks:)  Its both, in reality - for what it does and how it does it, there isn't a good alternative for the automation and user experience, even if it is complicated on the adminstrative side.

As with any technology, the implementation can make anything vulnerable or undesirable.  A number of folks around here swear by TrueCrypt, and opensource whole disk encryption program.  There are certainly other products, such as winmagic and a lot of others that are in the data protection market such as mcafee and symantec, and extensions to them that can be used.

One such extension is having a Trusted Platform Module (or "TPM") chip on the motherboard that acts as a smartcard or interacts with a smartcard, which provides that only the host motherboard is able to decrypt the data to boot, along with the users PIN and maybe smartcard. These are starting to be more common by default in systems - if you have one, look into it.

As Dave touched on, it is almost as important to keep others from reading your company's data as it is for you to read it.  You need to make sure that you have an enterprise recovery method for any encryption method you use, or you are just asking for problems.  Part of that is testing it and whatever it may affect - as in the example of restoring a backup to another box.
Dave HoweSoftware and Hardware Engineer

Commented:
Paranormastic:

    I guess it depends on who is doing the preferring. Personally, I use truecrypt volumes, 7-Zip archives, and php/smime - but that's because *I* like to control what *I* am doing with *my* data.

  However, in a corporate environment, often the business wants to control that - which means centralized, AD based control with a recovery agent defined; there are other solutions, but none which integrate as well into windows (and again, corporate means windows almost exclusively these days, despite the superior alternatives). There are other solutions - for example, securewave sanctuary's ability to force-encrypt removable devices such as usb drives so the data on them is unreadable except when connected to a corporate laptop or desktop - but none which have the advantages of coming "free" with windows, performing OTF encryption/decryption transparently to the user while appearing as normal files in the file structure, and allowing transfer to and from windows servers (and backup tapes) without losing their encrypted status.

ParanormasticCryptographic Engineer

Commented:
Agreed with home product selection...

For a corporate solution I really like securezip for cert based encryption/signing of zip files - its pretty slick and enterprise ready.  Nothing else quite measured up.

>>  securewave sanctuary's ability to force-encrypt removable devices

This product is new to me... part of the fun of hanging around here.  However, I see a big caveat of what is preventing the user from just formatting it on their home system and then using it at home and at work?  Or "loosing" it and getting reissued a 2nd one (unless company charges full retail for replacements) if there is some kind of setting for it to only read encrypted disks?  hopefully it isn't using a common keyset across the enterprise, I would presume they have their own rudimentary CA and hopefully can interoperate with a proper internal CA.

"Enterprise ready" is the tool of the devil.  Products must be released to cover a need, even if there are the occasional annoyance or vulnerability - such is the way of life.  Heck, even the MS Enterprise CA itself, comprising 90-something percent of the CA market for the last 5-10 years has its holes.  2003 took over the CA world, but even Win2k CA which was obvious in its lacking of features, so was only somewhat used but still managed to dig hard into entrust, baltimore, keon, etc. which are infinitely more complex than MS CA, but also more secure as their security officer roles were not the enterprise admins.  You get very nice autoenrollment functionality and such at the cost of having no control over your own environment in very large companies that can actually manage to have a specialized PKI team.  Sorry, getting a little off topic here...
Dave HoweSoftware and Hardware Engineer

Commented:
no, quite the opposite - any removable media inserted into a corporate machine is fine up to the point you try to write to it - at which point, it is encrypted, and can no longer be accessed other than from a machine with the securewave software on it (or certain device types just won't be permitted - so if you connect up, say, an ipod, it may give you read only access or refuse to recognise it)

securewave messes with the drivers installed, and either installs itself as a lower filter or replaces the drivers with its own "wrapper" driver, whichever is easier for it.
ParanormasticCryptographic Engineer

Commented:
Interesting, I'll have to look at it more.  I think I would like it better if there were some (at least optional) method for inventory control - i.e. only encrypt if the s/n is on the approved list from manufacturer xyz, else deny - you get the idea at least even if that isn't the best way to implement.

I would assume it is using asynchronous encryption somehow, maybe a machine cert hosting the private key and the public key gets injected to the fob?  I would hope there is a DRA of some kind, a corporate keyset, that is also used.
Dave HoweSoftware and Hardware Engineer

Commented:
yes, you can do that - you can specify different rules for different machines, different makes/models of usb device, different users even...

its powerful software, but not cheap.
ParanormasticCryptographic Engineer

Commented:
Sounds pretty nifty...  price isn't an issue around here, its getting the right product and doubly so getting someone high enough to be convinced that there is an actual need based on their standards of what is needed:p  Sounds pretty cool though, definitely worth a further personal look at least...  

netcomp - sorry for taking over your thread here... hopefully dave and/or myself had already answered your question - if not please followup.  Otherwise feel free to close this off any time :)
ParanormasticCryptographic Engineer

Commented:
(or coral47 - sorry missed the first post!)
_

Commented:
I'm good. It was an interesting discussion.   ; )

Author

Commented:
Thank you all,I learned a lot. More than I thought.....
_

Commented:
Thank you much.   : )

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial