EFS can be compromised if you have Admin access to the box. There are several tools that will reset the admin password on a Windows 2000 system. Once this is done, you log in as admin and add the admin user to the Encrypted Files Recovery Agent group, and you are in.
This said, if you can lock down Admin rights to the workstation, and there is not a domain policy in place that will over-ride it, you will have a fairly strong encryption. The Sys Admin can probably still get into the files through the method mentioned above, but he will have to be at the workstation to do it. I am assuming that the original poster of this question wants to prevent un-authorized access from the LAN, and from normal usage on the workstation. Any software that he may use to lock the files can be broken by a person with enough knowledge. I hardly think that a local sys admin will have access to the brute force type that the FBI used. There is no completely secure method of protecting data short of disconnecting the system from any outside access, and keeping the workstation with you at ALL times.

Rick
MCSE, MCSA, CUSA, ACE

-----Original Message-----
From: Nero, Nick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 12:59 PM
To: dennis; [EMAIL PROTECTED]
Subject: RE: Protect folder data.

Yep, you are correct. It is RC4-40bit, I believe. Problem is, it is NOT just password protected. It uses a mini-PKI (unless you have a real PKI) and only that user's cert or the admin's can recover it. If both certs are lost, so is your data.

As a side, the laptop recovered last fall by a reporter from CNN that was formerly a computer used by Al-Qaeda had the hard drives encrypted with Win2k EFS. The FBI was able to brute force the 40bit keyspace in a week and discover the data!

Nick Nero
CISSP, MCSE, CCNA

-----Original Message-----
From: dennis [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 4:23 AM
To: [EMAIL PROTECTED]
Subject: Re: Protect folder data.

Doesn't Win2K's encrypted file system support this? Sorry if I'm wrong, not a Windows kinda guy.

----- Original Message -----
From: "Shane Lahey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, November 22, 2002 10:29 AM
Subject: RE: Protect folder data.

> Why not try Blowfish Advanced CS, available at http://come.to/hahn
> This should do exactly what you want.
>
> -----Original Message-----
> From: Tony - CIA;CISA;CDP;CPA;MBA [mailto:[EMAIL PROTECTED]]
> Sent: November 18, 2002 8:00 PM
> To: [EMAIL PROTECTED]
> Subject: Protect folder data.
>
> Hi,
>
> I have some highly confidential data that I frequently access in a
> folder that is on my desktop computer (i.e. win2k). I want to make sure
> no one but me will be able to see this data. Does anyone know of any
> freeware\shareware that will 1) encrypt the data in the folder and/or
> 2) require a password to open up the folder? I need to make sure a
> person like our LAN admin or desktop support person cannot figure out
> a way to get to the data.
>
> Tony CIA,CISA,CDP,MBA
