2003-02-24
Why last week's big Windows security hole is nothing more than technology press hot air.
I agree completely.
2003-02-24
Anonymous (4 replies)
Re: I agree completely.
2003-02-25
Anonymous (2 replies)
Re: I agree completely.
2003-02-25
Anonymous (2 replies)
Re: I agree completely, or NOT
2003-02-26
Anonymous (2 replies)
Re: I agree completely.
2003-02-26
Seb (1 replies)
I agree completely.
2003-02-25
Anonymous (1 replies)
I agree completely - a little vague, let's hear your arguments....
2003-02-25
Anonymous (3 replies)
If anyone thinks this is some new threat, then I have a bridge in Brooklyn for sale for you
2003-02-24
3n0k (2 replies)
Media Gone Mad
2003-02-25
Anonymous (4 replies)
Linux "boot" floppy? Wow, I'm impressed.
2003-02-26
TJ Miller jr (23 replies)
My Experience with The Linux
2003-02-26
Egg Troll (14 replies)
My Experience with The Linux
2003-02-27
Anonymous (1 replies)
"Third Party Driver" ? This is slanted in the other direction
2003-02-26
Anonymous (1 replies)
"Third Party Driver" ? This is slanted in the other direction
2003-02-27
Eric Grabowski (eric@mazenet.com)
It is unfortunate...
2003-03-03
Glenn Schulz (1 replies)
It is unfortunate...that you don't understand
2003-03-04
Anonymous (1 replies)
It is unfortunate...that Glenn learned security from a text book.
2003-03-05
Erik (1 replies)

If Avaya's security consultant Ken Pfeil is correct when he said:
"If the system is a member of a workgroup and not a domain, you can just change the user's password that the file was encrypted under," Pfeil said. "Then you can log on as that user having access to the encrypted file."
Then EFS is useless in the standard configuration for protecting hard drives. Specifically, hard drives on LAPTOPS, which frequently get stolen.
Most likely this is an IMPLEMENTATION issue, though, and NOT a "hole" in XP. It sounds like the certificate/key used for EFS is stored on the drive, and the password for it is tied to the Workgroup/Domain password. The certificate/key really needs to be stored on a USB key or other removable media, so it can be kept separate from the system.
Encrypting files/folders/partitions on hard drives is supposed to guard against exposure EVEN WHEN CONTROL OF THE SYSTEM IS COMPROMISED!
Case in point -- laptops. What is the point of encrypting data on the drives if, when stolen, the machine can be consoled and the password changed, opening all the files?
I do not know if you can move the certificate/key off to removable media. If you can, like I suspect, then it is an implementation issue and not a "hole". If not...
You are right in that it was overplayed as a major catastrophe, though. For almost all other cases, if you've lost control of the hardware, you're screwed.
-Charles Hill
Link to this comment: http://www.securityfocus.com/comments/columns/144/18349#18349