Re: FDE Digest, Vol 9, Issue 13

BIOS with smart-card certificate authentication prior to entering the boot sequence and a further authentication method for the FDE is hard to circumvent without knowledge currently restricted to large and very well financed attackers - although that is also sure to change.
...............

On the other hand, if the data is not very valuable, EFS may be enough as a deterrent to casual intruders and snoopers, as well as ensuring that if the machine is stolen solely for its value as hardware, the thief will almost certainly wipe the system and start over rather than snooping around. Relying on EFS for protection of data of value is on the other hand in my opinion unlikely to be sufficient.

As far as I know, the biggest weakness of EFS is that any domain Admin has or can get the default decryption key of any machine which is part of the domain. If it is a standalone machine, an intruder with physical access and a "password recovery tool" can get past the EFS. There are some mitigating measures you could use: lock down the BIOS, disable boot from removable media or network, etc., with support (cost) implications, not to mention the risk of losing EFS-encrypted files if anyone except the user resets or changes the password of the account without having a previous export of the private key - which is apparently stored in the user profile, which file can become corrupted (http://www.pctoday.com/Editorial/article.asp?article=articles/2004/t0203/12t03/12t03.asp&guid=).

Other issues exist, e.g. RAS-connected users changing their passwords can result in their files becoming unavailable unless you hack the registry: http://www.quepublishing.com/articles/article.asp?p=174495&seqNum=4&rl=1

On the other hand, EFS cipher /w is a good way to clear whitespace - three cycles of it should also be enough for almost everyone.

A J Caruana

e.g. http://www.petri.co.il/forgot_administrator_password.htm#20 and other items on that page
_______________________________________________
FDE mailing list
http://www.xml-dev.com/mailman/listinfo/fde
