mailing list archives
Issues with Windows 2000 Encrypting File System and Disk Wipe Software
From: "Security Advice" <security () colmancomm com>
Date: Tue, 26 Jun 2001 07:09:19 +1000
Microsoft has released a new tool to address issues with Encrypting File
System under Windows 2000 found by Colman Communications Consulting.
The information contained within this advisory is provided as is with no
warranty of fitness implied or otherwise. By making use of the information
you agree to do so entirely at your own risk and indemnify Colman
Communications Consulting Pty Ltd against any damage which may result.
The vulnerabilities present in EFS are summarised thus:
1. Files which are moved into an encrypted folder, or are present as plain
text prior to a directory being encrypted, have a plain text copy made. In
addition plain text fragments of the original will also persist.
2. Third party disk wipe products do not effectively "zero" unused disk
space under Windows 2000.
Additional information and advice on how to mitigate these risks is provided
Plain Text Copies
When files which were previously in plain text are encrypted using EFS,
either by encrypting the file or the directory the file is in, or by moving
the file into a directory with EFS applied, a plain-text (as distinct from
cipher-text) copy of the file is made on the disk. In addition to this
plain-text fragments of the original file may also persist.
In the case of the plain text copy this occurs because Windows 2000 takes a
temporary backup copy of the file prior to encryption to ensure that it can
recover the file should a system error occur whilst the file is being
encrypted. In terms of the file fragments this is simply a reflection of the
standard operation of most operating systems where "deleted" files are not
actually overwritten, but simply de-allocated.
Depending on the usage of the system this presents the possibility that the
plain text copy and plain text fragments of the original file could persist
on the system's disk until such time as the system has a need for the space
and overwrites the data contained there.
Access to the plain text copy or fragments could be achieved by anyone who
is able to obtain physical access to the disk, and can mount the disk into
another system. Access to the plain text copy could also be achieved by an
"Administrator" who is able to load a device driver to speak directly to the
When EFS is used in the recommended manner, that is files are only created
inside folders with EFS enabled the problem of plain-text copies and
fragments does not occur.
Organisations that are using EFS to help mitigate the risk of physical
security of systems should be aware of this issue and act in accordance with
the recommended mode of operation, and our advice below.
Disk Wipe Products Fail To Wipe Disk
The issue described above is compounded by the fact that most third party
disk wipe products do not wipe the disks of Windows 2000 systems.
This effectively means that users are unable to clear plain text copies of
files they thought were encrypted, as well other material they thought they
had deleted, by using disk wipe products.
Organisations that are making use of disk wipe products to manage risks
related to "deleted" data under Windows 2000 should be aware of this issue
and act in accordance with our advice below, and that provided by Microsoft.
Advice on Mitigating Risk
Colman Communications Consulting has worked with Microsoft to have these
issues addressed. This work has resulted in a commitment from Microsoft to
place emphasis the behaviour of EFS and writing a tool which can be used to
wipe unused disk space on Windows 2000 systems.
If you are using EFS then you should ensure that:
- Your users are educated on the correct manner of operating EFS so as to
prevent the proliferation of plain text copies.
- You install and run the cipher.exe tool on your systems to ensure that any
plain text copies and other sensitive "deleted" information is zeroed.
The new version of cipher.exe along with install instructions was orginally
At the time of posting this page is temporarily unavailable due to a revamp
of the Microsoft Technet Area. However, the related Microsoft Knowledge
Base Article can be found at:
This advisory with additional advice for Australian Commonwealth Government
Agencies can be found at:
Additional notes from Colman Communications Consulting on using EFS can be
Colman Communications Consulting is based in Canberra, Australia, and
specialises in IT Security for Industry and Government.
- Issues with Windows 2000 Encrypting File System and Disk Wipe Software Security Advice (Jun 26)