RE: compelling reason to do FDE in lieu of EFS?You can in Vista (biz edition or above). More info here: http://www.microsoft.com/technet/technetmag/issues/2007/03/SecurityWatch/
- Garrett G. ----- Original Message ----- From: Anderson, Jaired To: '[email protected]' Sent: Friday, June 22, 2007 10:14 AM Subject: Re: [FDE] compelling reason to do FDE in lieu of EFS? It's my understanding that you can not encrypt system files (including the page file) with EFS. - Jaired -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 22, 2007 12:06 AM To: [email protected] Subject: FDE Digest, Vol 9, Issue 13 Send FDE mailing list submissions to [email protected] To subscribe or unsubscribe via the World Wide Web, visit http://www.xml-dev.com/mailman/listinfo/fde or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED] You can reach the person managing the list at [EMAIL PROTECTED] When replying, please edit your Subject line so it is more specific than "Re: Contents of FDE digest..." Today's Topics: 1. compelling reason to do FDE in lieu of EFS? (Garrett M. Groff) 2. Re: compelling reason to do FDE in lieu of EFS? (Patrick Cahalan) 3. Re: compelling reason to do FDE in lieu of EFS? (coderman) 4. Re: compelling reason to do FDE in lieu of EFS? (Michael Jardine) 5. Re: compelling reason to do FDE in lieu of EFS? (Scott S) ---------------------------------------------------------------------- Message: 1 Date: Thu, 21 Jun 2007 18:17:32 -0400 From: "Garrett M. Groff" <[EMAIL PROTECTED]> Subject: [FDE] compelling reason to do FDE in lieu of EFS? To: <[email protected]> Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset="iso-8859-1" For the average standalone machine that is in need of adequate security (but not military grade security), is there a compelling reason to use anything beyond EFS (encrypting file system)? Before you answer, first, let's assume that the EFS user in question understands that he needs to encrypt his %temp% folder (or, better yet, all folders under %userprofile%), in addition to the specific folders to protect that may reside elsewhere in the file system. Let's also assume that he knows to encrypt his page file(s) (and hibernation file, if applicable) as well. Isn't that pretty strong security, assuming Joe Shmoe's password is non-trivial (reasonably long w/ sufficient entropy)? Again, I realize that most users don't know to encrypt %temp% or their page file, but again, for a more savvy user, wouldn't EFS provide a pretty high level of security for data at rest? - Garrett G. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.xml-dev.com/pipermail/fde/attachments/20070621/8c9b5526/attachment-0001.html ------------------------------ Message: 2 Date: Thu, 21 Jun 2007 16:40:59 -0700 From: Patrick Cahalan <[EMAIL PROTECTED]> Subject: Re: [FDE] compelling reason to do FDE in lieu of EFS? To: [email protected] Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=ISO-8859-1; format=flowed > Again, I realize that most users don't know to encrypt %temp% > or their page file, but again, for a more savvy user, wouldn't > EFS provide a pretty high level of security for data at rest? Don't forget exception modes, even for "savvy" users. People, for the most part, know that they should take steps to secure their data, but it's difficult to do manually. For example, would you want your enterprise to rely upon manual *backups*? Savvy sysadmins would know that they had to run the backups on the appropriate day, archive the media properly, etc. Bet you dollars to donuts that when the day comes that you need to restore something from tape, you discover that performing backups just kept drifting down the priority list... With paranoid enough users, there's plenty of solutions out there (you don't even need to use an encrypting *file system*, just pgp-encrypt the appropriate files, for example, and you can get rid of the page file entirely by just adding more RAM to a machine). The problem is, for almost all groups of users (including groups of 1), there's members of the group who aren't paranoid enough. ------------------------------ Message: 3 Date: Thu, 21 Jun 2007 18:21:07 -0700 From: coderman <[EMAIL PROTECTED]> Subject: Re: [FDE] compelling reason to do FDE in lieu of EFS? To: [email protected] Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=ISO-8859-1; format=flowed On 6/21/07, Garrett M. Groff <[EMAIL PROTECTED]> wrote: > ... > [ encrypted %temp%, %userprofile%, hibernation store, etc ] > ... wouldn't EFS provide a pretty high level of security for data at rest? consider that while data is at rest, the encryption program for access to the EFS is modified to copy keys to unused partition space which can be scavenged later or delivered via networked malware. the big benefit of FDE over EFS is that FDE protects the integrity of the entire drive while at rest, including operating system and utilities. you need to couple this with good host security (an owned machine cannot be trusted with keys) to be effective, but it is still a significant benefit. best regards, ------------------------------ Message: 4 Date: Thu, 21 Jun 2007 20:07:59 -0700 From: "Michael Jardine" <[EMAIL PROTECTED]> Subject: Re: [FDE] compelling reason to do FDE in lieu of EFS? To: <[email protected]> Message-ID: <[EMAIL PROTECTED]@usa.secude.com> Content-Type: text/plain; charset="us-ascii" Personally, I can't think of a compelling reason not to use Full Disk Encryption. It takes the decision away from the user. Even for the tech-savvy user, why waste your time and energy putting together policies for what to encrypt, and which temp files, and don't forget to flush the cache? It is far simpler to just encrypt the entire drive and be done with it. In an enterprise environment, the choice becomes even more obvious. To me, the only question is whether to use software-based FDE, or hardware-based. Regards, Michael ________________________ Michael Jardine SECUDE IT Security - Seattle From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garrett M. Groff Sent: Thursday, June 21, 2007 3:18 PM To: [email protected] Subject: [FDE] compelling reason to do FDE in lieu of EFS? For the average standalone machine that is in need of adequate security (but not military grade security), is there a compelling reason to use anything beyond EFS (encrypting file system)? Before you answer, first, let's assume that the EFS user in question understands that he needs to encrypt his %temp% folder (or, better yet, all folders under %userprofile%), in addition to the specific folders to protect that may reside elsewhere in the file system. Let's also assume that he knows to encrypt his page file(s) (and hibernation file, if applicable) as well. Isn't that pretty strong security, assuming Joe Shmoe's password is non-trivial (reasonably long w/ sufficient entropy)? Again, I realize that most users don't know to encrypt %temp% or their page file, but again, for a more savvy user, wouldn't EFS provide a pretty high level of security for data at rest? - Garrett G. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.xml-dev.com/pipermail/fde/attachments/20070621/ba07bcd5/attachment-0001.html ------------------------------ Message: 5 Date: Thu, 21 Jun 2007 18:45:00 -0700 (PDT) From: Scott S <[EMAIL PROTECTED]> Subject: Re: [FDE] compelling reason to do FDE in lieu of EFS? To: [email protected] Message-ID: <[EMAIL PROTECTED]> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Just to add to the comment below, there are also applications in which the default user file locations are not "my documents" but somewhere in the application directory under "program files". For example, Lotus Notes puts the user's locally replicated email in its directory and so does Palm's HotSync replications. So in addition to the typical user specific directories and temp directory, you would have to track down each application and encrypt their directories if they have sensitive data. As you can see, things can get complicated. The simple solution would be to secure the entire drive. FDE is not a solution that addresses all the issues related to data security, but when the drive is lost or stolen, it is the best thing to have. Scott On Thu, 21 Jun 2007, Patrick Cahalan wrote: >> Again, I realize that most users don't know to encrypt %temp% >> or their page file, but again, for a more savvy user, wouldn't >> EFS provide a pretty high level of security for data at rest? > > Don't forget exception modes, even for "savvy" users. People, > for the most part, know that they should take steps to secure > their data, but it's difficult to do manually. > > For example, would you want your enterprise to rely upon manual > *backups*? Savvy sysadmins would know that they had to run the > backups on the appropriate day, archive the media properly, etc. > Bet you dollars to donuts that when the day comes that you need > to restore something from tape, you discover that performing > backups just kept drifting down the priority list... > > With paranoid enough users, there's plenty of solutions out there > (you don't even need to use an encrypting *file system*, just > pgp-encrypt the appropriate files, for example, and you can get > rid of the page file entirely by just adding more RAM to a > machine). The problem is, for almost all groups of users > (including groups of 1), there's members of the group who aren't > paranoid enough. > _______________________________________________ > FDE mailing list > [email protected] > http://www.xml-dev.com/mailman/listinfo/fde > ------------------------------ _______________________________________________ FDE mailing list [email protected] http://www.xml-dev.com/mailman/listinfo/fde End of FDE Digest, Vol 9, Issue 13 ********************************** ********************************************************************** The company reserves the right to amend statements made herein in the event of a mistake. Unless expressly stated herein to the contrary, only agreements in writing signed by an authorized officer of the Company may be enforced against it. ********************************************************************** _______________________________________________ FDE mailing list [email protected] http://www.xml-dev.com/mailman/listinfo/fde _______________________________________________ FDE mailing list [email protected] http://www.xml-dev.com/mailman/listinfo/fde
