Windows Encryption - All too easy workaround?

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have recently been looking into using the encryption tool in WinXP Pro for
added privacy/security. Then someone at work told me about a bootable CD
from winternals.com(?) called Super Acronis or Locksmith which allows you to
change the password for any user on that machine. A reboot later and you
can log on to that account - including Administrator with the new password.
As it is the account that your files were encrypted with, anyone who did
this would automatically be granted access to the encrypted files. They
even give you a 5 day working demo available for free!

On looking at this NG I can see recent posts 'Forgotton Logon password'
which also cover this.

If this is so easy to do, it made wonder if there is much point in using
Windows' encryption? Is the purchase of 3rd party software necessary to
ensure that files can be made secure/private?
5 answers Last reply
More about windows encryption easy workaround
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    If someone were to changed the account password, the encrypted files
    would remain encrypted and inaccessible. Windows XP creates a randomly
    generated file encryption key (FEK) and then transparently encrypts the data,
    using this FEK, as it is being written to disk. The FEK, and therefore the data
    it encrypts, can be decrypted only with your certificate and its associated private key,
    which are only available when you log on with your correct user name and password.
    Other users who attempt to use your encrypted files receive an "access denied" message.
    Even other administrators who have permission to take ownership of files are unable to
    open your encrypted files.

    Third-party tools could gain access to your computer, but not the encrypted files.

    Best practices for the Encrypting File System
    http://support.microsoft.com/kb/223316/EN-US/

    You could also set a BIOS password that would prevent someone
    from making a change to the boot order. Always set your hard drive
    as the first bootable device, and not the CD Drive or floppy drive.
    Therefore no one could boot into your system using a CD or floppy
    disk.

    --
    Carey Frisch
    Microsoft MVP
    Windows XP - Shell/User
    Microsoft Newsgroups

    Be Smart! Protect Your PC!
    http://www.microsoft.com/athome/security/protect/default.mspx

    ------------------------------------------------------------------------------

    "AberTech" wrote:

    | I have recently been looking into using the encryption tool in WinXP Pro for
    | added privacy/security. Then someone at work told me about a bootable CD
    | from winternals.com(?) called Super Acronis or Locksmith which allows you to
    | change the password for any user on that machine. A reboot later and you
    | can log on to that account - including Administrator with the new password.
    | As it is the account that your files were encrypted with, anyone who did
    | this would automatically be granted access to the encrypted files. They
    | even give you a 5 day working demo available for free!
    |
    | On looking at this NG I can see recent posts 'Forgotton Logon password'
    | which also cover this.
    |
    | If this is so easy to do, it made wonder if there is much point in using
    | Windows' encryption? Is the purchase of 3rd party software necessary to
    | ensure that files can be made secure/private?
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    AberTech wrote:

    > I have recently been looking into using the encryption tool in WinXP
    > Pro for
    > added privacy/security. Then someone at work told me about a bootable
    > CD from winternals.com(?) called Super Acronis or Locksmith which
    > allows you to
    > change the password for any user on that machine. A reboot later and
    > you can log on to that account - including Administrator with the new
    > password. As it is the account that your files were encrypted with,
    > anyone who did
    > this would automatically be granted access to the encrypted files.
    > They even give you a 5 day working demo available for free!
    >
    > On looking at this NG I can see recent posts 'Forgotton Logon
    > password' which also cover this.
    >
    > If this is so easy to do, it made wonder if there is much point in
    > using
    > Windows' encryption? Is the purchase of 3rd party software necessary
    > to ensure that files can be made secure/private?

    The encryption for files is completely different from the ability to get
    the password to get into Windows. Anyone with skill and time can get
    into a computer, no matter what operating system is running. Again,
    this is different from data encryption. Here are links to help you
    understand XP's encryption:

    http://tinyurl.com/6l6xx - MS information about EFS (Encryption)
    http://www3.telus.net/dandemar/encrypt.htm - encryption info
    http://www.beginningtoseethelight.org/efsrecovery/ - more encryption
    info
    http://www3.telus.net/dandemar/private.htm - making stuff private

    If you use XP's encryption, please make very sure that you understand
    completely how to use it and how to back up your certificates and set a
    recovery agent.

    Malke
    --
    MS MVP - Windows Shell/User
    www.elephantboycomputers.com
    In Memoriam - MVP Alex Nichol
    The world is diminished without him.
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    If the Windows password is not changed via the proper channels (i.e. booting
    with some type of hacking software and brut force changing the password in
    SAM) then any files encrypted by that logon (aka userid) will remain
    encrypted and unusable.
    Also note, the first rule of "security" is eliminating the "physical"
    access - almost all security is off if "physical access" cannot be
    eliminated.

    --
    Star Fleet Admiral Q @ your service!
    "Google is your Friend!"
    www.google.com

    ***********************************************

    "AberTech" <abertech@hotmail.com> wrote in message
    news:39ecq6F618achU1@individual.net...
    > I have recently been looking into using the encryption tool in WinXP Pro
    for
    > added privacy/security. Then someone at work told me about a bootable CD
    > from winternals.com(?) called Super Acronis or Locksmith which allows you
    to
    > change the password for any user on that machine. A reboot later and you
    > can log on to that account - including Administrator with the new
    password.
    > As it is the account that your files were encrypted with, anyone who did
    > this would automatically be granted access to the encrypted files. They
    > even give you a 5 day working demo available for free!
    >
    > On looking at this NG I can see recent posts 'Forgotton Logon password'
    > which also cover this.
    >
    > If this is so easy to do, it made wonder if there is much point in using
    > Windows' encryption? Is the purchase of 3rd party software necessary to
    > ensure that files can be made secure/private?
    >
    >
  4. after installing a new windows xp server pack 3 i am not in position to access the files and there is message access to file is denied
  5. You'll have to take ownership... did you encrypt the files?
Ask a new question

Read More

Encryption Security Microsoft Windows XP