Security Basics mailing list archives
Re: AW: File Encryption - Laptop
From: Sean Earp <smearp () mac com>
Date: Mon, 15 Sep 2003 12:30:12 -0700
Good points Chris-
As always, you should take a layered approach to security, and not depend on ONE step as a be-all-end-all solution. The purpose of encrypting a folder with EFS is to ensure that it cannot be accessed by simply booting to a different device, and bypassing the Operating System file controls. General "best practices" relating to the use of EFS are as follows:
1) The employees must use strong passwords on their accounts. (8+ characters, combination of upper, lower, and special characters). If the thief can log on to the computer as the user (who has the password posted to the front of his LCD), then the protection of EFS does NOTHING. The computer assumes that the authorized user is sitting in front of the computer, and allows full access to the encrypted files.
2) Encrypt the folder where the user stores most of his or her documents. Your main concern on the stolen laptop is GENERALLY protection of sensitive documents. Encrypting the folder (instead of specific files) ensures the greatest number of (important) files are protected, while not requiring a lot of administrative overhead.
3) By default, only the user who encrypted the file can open it. If the user forgets his password, leaves the company, or his PKI certificate is lost or damaged, you will generally want a way to retrieve the information. Using the Certificates MMC snap-in, you can export the certificate (used for EFS) to a floppy, and store it in a safe location.
4) Etc. Etc.
There is a TON of information on EFS and the process for implementing it available almost anywhere. ANY book on Windows 2000 security should cover it in depth, and using "EFS" as a search term on <http://support.microsoft.com> will pull up 25 articles on the subject (googling for "Encrypting File System" will give you about 169,000 results). Microsoft's "How it Works" article can be found at <http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp>.
As several others have suggested, there are 3rd party utilities available that will also do what you are looking for (and will secure Windows 98 laptops as well, which EFS cannot.)
Just remember, regardless of the solution you pick... LAYERS LAYERS LAYERS. (good for cold weather, too. And Ogres have layers...)
Signing off before I get too far off course here...
-Sean
On Monday, September 15, 2003, at 09:43 AM, Meidinger Chris wrote:
EFS only encrypts specific files and folders. Also the keys are local on the hard drive (silly thing that). EFS is not considered secure (at least not by anyone that I know.) It is designed for transparent encryption to prevent one user of a computer from accessing files from another. If you should decide to use it make sure to designate a recovery agent. Otherwise the files are lost should you delete or lose the profile.
