Bugtraq mailing list archives

RE: Windows XP security concerns


From: Alun Jones <alun () texis com>
Date: Fri, 21 Dec 2001 12:41:28 -0600

At 12:42 PM 12/20/2001, Geoff Sweet wrote:
Commenting on the loss of user data below: I don't think this is a critical issue. By default Win2K/XP adds the local Administrator as an Encrypted Data Recovery Agent. So while the pain-in-the-arse factor is there of needing to reset the password via the admin account, any encrypted data won't be lost due to loss of private key. The Administrator can still recover the data, then the user can re-encrypt it with his/her new credentials.

In case anyone's wondering how this works, the EFS encrypts the file with a random key that is then encrypted with the public keys of the owner of the file, and all EFS Recovery Agents at the time. You may have no recovery agents, or one or more. [Windows 2000 requires _one_ recovery agent at least, to have EFS]. Check out http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp for more details of the Windows 2000 version - I'm not sure where the XP documentation is, but I had this link handy.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun () texis com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
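
Added example, not part of the post above and not Microsoft's code: a small Python model of the key wrapping the message describes, where a random per-file key is encrypted once for the owner and once for each recovery agent that exists at encryption time. Textbook RSA over fixed Mersenne primes and a SHA-256 keystream are insecure stand-ins for the real EFS algorithms, and every function and recipient name is hypothetical.

```python
import hashlib
import secrets

M89, M107, M127 = (2**k - 1 for k in (89, 107, 127))  # known Mersenne primes

def toy_keypair(p, q, e=65537):
    """Textbook RSA keypair (no padding, tiny modulus): illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || block offset)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt_file(plaintext, recipients):
    """recipients: {name: public key} for the owner and every current recovery agent."""
    fek = secrets.token_bytes(16)  # random per-file key
    m = int.from_bytes(fek, "big")
    wrapped = {name: pow(m, e, n) for name, (n, e) in recipients.items()}
    return {"wrapped": wrapped, "body": keystream_xor(fek, plaintext)}

def decrypt_file(blob, name, private):
    """Unwrap the file key with one recipient's private key, then decrypt the body."""
    if name not in blob["wrapped"]:
        raise PermissionError(f"no wrapped file key for {name}")
    n, d = private
    fek = pow(blob["wrapped"][name], d, n).to_bytes(16, "big")
    return keystream_xor(fek, blob["body"])

def demo():
    owner_pub, owner_priv = toy_keypair(M89, M107)
    admin_pub, admin_priv = toy_keypair(M107, M127)   # recovery agent at encryption time
    data = b"constructed sample: quarterly numbers"
    blob = encrypt_file(data, {"owner": owner_pub, "Administrator": admin_pub})
    by_owner = decrypt_file(blob, "owner", owner_priv)
    del owner_priv                                    # owner's private key is lost
    recovered = decrypt_file(blob, "Administrator", admin_priv)
    late_agent_has_copy = "late-agent" in blob["wrapped"]  # agent appointed afterwards
    new_pub, new_priv = toy_keypair(M89, M127)        # owner's new credentials
    blob2 = encrypt_file(recovered, {"owner": new_pub, "Administrator": admin_pub})
    return by_owner, recovered, late_agent_has_copy, decrypt_file(blob2, "owner", new_priv)

if __name__ == "__main__":
    print(demo())
```

The file body is encrypted once; only the small wrapped key is stored per recipient, which is why a recovery agent added after encryption has nothing to unwrap for older files.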

