Hey Steve, not trying to be insulting or anything. Basically it is simply an
acknowledgement that MS puts get out of jail free cards into the products to
protect companies from being completely screwed over by stupid mistakes or
purposeful damaging actions. One such item I consider as such is innate
OWNER rights and ability to take ownership of objects. That reaches all over
the place due to the broad implementation of that security model. As for EFS,
I expect that there is going to be an admin somewhere that can get to that
data because they can get to the password or collect it when the user
changes it or have some other mechanism that is in place to protect
companies.

You should be able to trust your admins, but if there is data that you
cannot trust to anyone but the data owners (and some companies are going to
have that requirement no matter how good your admins are or how much you
trust them), I don't have a strong feeling that MS products alone can
adequately protect against all possible forms of attack.

There is the caveat that I haven't done a thorough threat analysis of EFS,
just casual observations and scanning a report from a company doing an
internal investigation to find a very secure and manageable encryption
standard (EFS was not what was chosen though it was the cheapest). If there
was a machine with data in a domain I managed that was protected by EFS, and
I wanted that info regardless of possible consequences, and given, say, a
couple of weeks to be smooth and not attract attention, I expect I could get
it; at least I have very definite vectors in my head that I would go after.
I admit though, I am extremely sensitive in this area due to previous work
in financial companies.

I guess I could turn it around and ask if you feel that in a normal
deployment with normal admins would you have enough faith that say something
worth a billion dollars or even 50 million dollars [1] was adequately
protected behind EFS? Does Microsoft guarantee EFS to some dollar amount
against loss/penetration? If so, what is the $ limit? 

If you personally had a secret that you had to keep and that was highly
desired by others who would actively be trying to get a hold of that info is
EFS enough for you? 

Don't feel you have to answer the questions, they are simply thought
starters and probably some lawyer somewhere would say do not answer those
questions. However if you are able to respond to them I would be interested
to read them. 


  joe


[1] Or anything that was a big enough win to risk being fired, thrown in
jail, etc. Realizing of course that that value-v-risk equation is different
for everyone. It may only take 10k to get someone to do something bad (say
their daughter is kidnapped and they have no other way to get the 10k
needed) but the next person it would cost half a billion.  

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Wednesday, January 25, 2006 10:14 AM
To: [email protected]
Subject: Re: [ActiveDir] OT: Encrypting shared folders

Interesting viewpoint Joe,

Care to expand on this specific to EFS?

steve


----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, January 25, 2006 6:22 AM
Subject: RE: [ActiveDir] OT: Encrypting shared folders


> One good need for this is to block out server admins from sensitive data
> on servers. In that case, it is probably best to get away from any MS tech
> for the protecting of the data due to the get out of jail cards that are
> innate in most MS security mechanisms whether we are aware of them or not.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, January 25, 2006 3:31 AM
> To: [email protected]
> Subject: RE: [ActiveDir] OT: Encrypting shared folders
>
> I would ask first - 'why do you think you need to encrypt files, when they
> can be protected using NTFS permissions?'
>
> To enter the land of PGP and/or EFS may imply the need for a PKI which is
> a huge undertaking.
>
>
> neil
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
> aka Ebitz - SBS Rocks [MVP]
> Sent: 24 January 2006 17:11
> To: [email protected]
> Subject: [ActiveDir] OT: Encrypting shared folders
>
> Since there's more big server land people, can you indulge this question?
>
> What do you do for encrypting files up on a share?
>
> On standalone devices I use EFS or PGP.com but I've yet to deploy a
> "ADaware" network solution.
>
> Susan
>
> --
> Letting your vendors set your risk analysis these days?
> http://www.threatcode.com
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
