RE: Protect folder data.

["Rick Darsey" <rdarsey () aims1 com>]

EFS can be comprimised if you have Admin access to the box.  There are
several tools that will reset the admin password on a Windows 2000 system.
Once this is done, you log in as admin and add the admin user to the
Encrypted Files Recovery Agent group, and you are in.

This said, if you can lock down Admin rights to the workstation, and there
is not a domain policy in place that will over-ride it, you will have a
fairly strong encryption.  The Sys Admin can probably still get into the
files through the method mentioned above, but he will have to be at the
workstation to do it. I am assuming that the original poster of this
question wants to prevent un-authorized access from the LAN, and from normal
usage on the workstation.

Any software that he may use to lock the files can be broken by a person
with enough knowledge.  I hardly think that a local sys admin will have
access to the brute force type that the FBI used.  There is no completely
secure method of protecting data short of disconnecting the system from any
outside access, and keeping the workstation with you at ALL times.

Rick
MCSE, MCSA, CUSA, ACE

-----Original Message-----
From: Nero, Nick [mailto:Nick.Nero () disney com]
Sent: Tuesday, November 26, 2002 12:59 PM
To: dennis; security-basics () securityfocus net
Subject: RE: Protect folder data.


Yep, you are correct.  It is RC4-40bit, I believe.  Problem is, it is
NOT just password protected.  It uses a mini-PKI (unless you have a real
PKI) and only that user's cert or the admin's can recover it.  If both
certs are lost, so is your data.

As a side, the laptop recovered last fall by a reporter from CNN that
was formally a computer used by Al-Qaeda had the hard drives encrypted
with Win2k EFS.  The FBI was able to brute force the 40bit keyspace in a
week and discover the data!

Nick Nero
CISSP, MCSE, CCNA

-----Original Message-----
From: dennis [mailto:dennis () unixqi com]
Sent: Tuesday, November 26, 2002 4:23 AM
To: security-basics () securityfocus net
Subject: Re: Protect folder data.


Doesn't Win2K's encrypted file system support this?
Sorry if I'm wrong, not a Windows kinda guy.


----- Original Message -----
From: "Shane Lahey" <s.lahey () roadrunner nf net>
To: <tony572000 () hotmail com>; <security-basics () securityfocus net>
Sent: Friday, November 22, 2002 10:29 AM
Subject: RE: Protect folder data.


> Why not try Blowfish Advanced CS , available at http://come.to/hahn
> This should do exactally what you want.
>
>
> -----Original Message-----
> From: Tony - CIA;CISA;CDP;CPA;MBA [mailto:tony572000 () hotmail com]
> Sent: November 18, 2002 8:00 PM
> To: SECURITY-BASICS () SECURITYFOCUS COM
> Subject: Protect folder data.
>
>
> Hi,
>
> I have some highly confidential data that I frequently access on in a
> folder that is on my desktop computer (ie win2k).  I want to make sure

> no one but
> me will able to see this data.  Does anyone know of any
> freeware\shareware
> that will 1) en-crypt the data in the folder and/or  2) require a
> password
> to open up the folder?  I need to make sure a person like our lan
admin
> or
> desk top support person can not figure out a way to get to the data.
>
> Tony CIA,CISA,CDP,MBA
>
>
>
>
> _________________________________________________________________
> MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
> http://join.msn.com/?page=features/virus
>
>
> ---
> Incoming mail has been scanned for viruses and is certified Virus
> Free. Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.422 / Virus Database: 237 - Release Date: 11/20/02
>
>
> ---
> This email has been scanned for viruses and is considered Virus-Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.422 / Virus Database: 237 - Release Date: 11/20/02