Succinct Article on Encrypting File System (EFS)

Encrypting File System, or EFS, first debuted in Windows 2000 and gave users a way to encrypt files without a third-party tool. EFS under Windows 2000 had some limitations, among them that the default Data Recovery Agent (DRA) was the local Administrator account. That meant that if you used EFS on, say, a laptop, the files themselves were encrypted, but an attacker who booted the machine from a Live CD or Linux boot disk and cracked the local Administrator password could then log in as Administrator and use its recovery key to decrypt them. Windows XP and Windows Server 2003 did away with this particular weakness (a standalone XP machine no longer gets the local Administrator as a default DRA). There are still ways around this, since laptops usually hold cached domain credentials which can be cracked, but it is one more step an attacker has to take. If you aren't familiar with EFS, check out this short article, appropriately titled:

Understanding EFS

EFS isn't whole-disk encryption; it secures individual files and folders. On a laptop, that means you depend on the user to save files into the encrypted locations. Locking down file permissions helps when users aren't running with administrator privileges, but with quite a few apps still requiring more than normal user rights, that isn't easy. Until Vista's BitLocker arrives, whole-disk protection means a third-party solution.

On servers, EFS can be used to encrypt files such that only the service account has access to them. I wrote about this with respect to SQL Server, but the article is a little out of date, having been written for Windows 2000. I'll need to update it one of these days. Be aware that, as with any encryption, you are likely to see some performance degradation: encryption and decryption take more cycles than straight data access. But the performance hit under Windows 2000 was often less than 5%, and I doubt it has gotten worse with Windows XP and 2003.
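The two practical points above, that EFS only protects files that actually land in an encrypted location and that on a server the encrypting identity (the service account) is what controls access, can be exercised from PowerShell. The script below is an added example, not code from the original article or from the SQL Server piece it mentions: it encrypts a data folder with the built-in cipher.exe, audits the tree for anything left in the clear, and then lists who can decrypt each file, including any recovery agent. The folder path is an assumption for illustration; run it in the context of the account that should own the files.

```powershell
# Added example (not from the original article): encrypt a service's data
# folder with EFS under the account that will own the files, audit that
# nothing in the folder was left in the clear, and report who can decrypt.
# Run this as the service account (e.g. via runas or a scheduled task),
# because the EFS key that protects the files belongs to whoever performs
# the encryption. The folder path below is a hypothetical placeholder.

$DataFolder = 'D:\SQLData\Secure'    # hypothetical folder to protect

if (-not (Test-Path -LiteralPath $DataFolder)) {
    throw "Folder $DataFolder does not exist"
}

# Mark the folder itself as encrypted so anything created later inherits
# the attribute, then encrypt the existing contents recursively.
# /E = encrypt, /S:<dir> = apply to the folder and all subfolders.
& cipher.exe /E /S:$DataFolder | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "cipher.exe failed with exit code $LASTEXITCODE"
}

# Audit: the Encrypted attribute is set per file, so a file copied in by a
# tool that strips attributes, or placed somewhere outside the encrypted
# tree, is still plaintext. Report any such file under the folder.
$Plain = Get-ChildItem -LiteralPath $DataFolder -Recurse -File |
    Where-Object {
        ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0
    }

if ($Plain) {
    Write-Warning "Unencrypted files found under ${DataFolder}:"
    foreach ($f in $Plain) {
        Write-Warning "  $($f.FullName)"
        # Encrypt the straggler with the .NET API; it uses the same EFS
        # key as cipher.exe, so the result is identical.
        [System.IO.File]::Encrypt($f.FullName)
    }
}

# Show who can decrypt each file: the encrypting user's certificate and
# any Data Recovery Agent. On a standalone Windows 2000 box the local
# Administrator would appear as a recovery agent, which is the weakness
# described above; on XP/2003 no DRA should appear unless policy added one.
Get-ChildItem -LiteralPath $DataFolder -Recurse -File | ForEach-Object {
    & cipher.exe /C "$($_.FullName)"
}
```

The audit step is the part worth keeping in a scheduled job: the encryption itself is a one-time action, but files that arrive later through a copy tool that drops attributes, or that a user saves one folder up, are exactly the "dependent on the user" gap the article points out, and the `cipher.exe /C` listing is the quickest way to confirm that only the intended account and no unexpected recovery agent can read them.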
