Windows Encryption - All too easy workaround?

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have recently been looking into using the encryption tool in WinXP Pro for
added privacy/security. Then someone at work told me about a bootable CD
from winternals.com(?) called Super Acronis or Locksmith which allows you to
change the password for any user on that machine. A reboot later and you
can log on to that account - including Administrator with the new password.
As it is the account that your files were encrypted with, anyone who did
this would automatically be granted access to the encrypted files. They
even give you a 5 day working demo available for free!

On looking at this NG I can see recent posts 'Forgotton Logon password'
which also cover this.

If this is so easy to do, it made wonder if there is much point in using
Windows' encryption? Is the purchase of 3rd party software necessary to
ensure that files can be made secure/private?

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

If someone were to changed the account password, the encrypted files
would remain encrypted and inaccessible. Windows XP creates a randomly
generated file encryption key (FEK) and then transparently encrypts the data,
using this FEK, as it is being written to disk. The FEK, and therefore the data
it encrypts, can be decrypted only with your certificate and its associated private key,
which are only available when you log on with your correct user name and password.
Other users who attempt to use your encrypted files receive an "access denied" message.
Even other administrators who have permission to take ownership of files are unable to
open your encrypted files.

Third-party tools could gain access to your computer, but not the encrypted files.

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/EN-US/

You could also set a BIOS password that would prevent someone
from making a change to the boot order. Always set your hard drive
as the first bootable device, and not the CD Drive or floppy drive.
Therefore no one could boot into your system using a CD or floppy
disk.

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

------------------------------------------------------------------------------

"AberTech" wrote:

| I have recently been looking into using the encryption tool in WinXP Pro for
| added privacy/security. Then someone at work told me about a bootable CD
| from winternals.com(?) called Super Acronis or Locksmith which allows you to
| change the password for any user on that machine. A reboot later and you
| can log on to that account - including Administrator with the new password.
| As it is the account that your files were encrypted with, anyone who did
| this would automatically be granted access to the encrypted files. They
| even give you a 5 day working demo available for free!
|
| On looking at this NG I can see recent posts 'Forgotton Logon password'
| which also cover this.
|
| If this is so easy to do, it made wonder if there is much point in using
| Windows' encryption? Is the purchase of 3rd party software necessary to
| ensure that files can be made secure/private?

 

[Malke]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

AberTech wrote:

> I have recently been looking into using the encryption tool in WinXP
> Pro for
> added privacy/security. Then someone at work told me about a bootable
> CD from winternals.com(?) called Super Acronis or Locksmith which
> allows you to
> change the password for any user on that machine. A reboot later and
> you can log on to that account - including Administrator with the new
> password. As it is the account that your files were encrypted with,
> anyone who did
> this would automatically be granted access to the encrypted files.
> They even give you a 5 day working demo available for free!
>
> On looking at this NG I can see recent posts 'Forgotton Logon
> password' which also cover this.
>
> If this is so easy to do, it made wonder if there is much point in
> using
> Windows' encryption? Is the purchase of 3rd party software necessary
> to ensure that files can be made secure/private?

The encryption for files is completely different from the ability to get
the password to get into Windows. Anyone with skill and time can get
into a computer, no matter what operating system is running. Again,
this is different from data encryption. Here are links to help you
understand XP's encryption:

http://tinyurl.com/6l6xx - MS information about EFS (Encryption)
http://www3.telus.net/dandemar/encrypt.htm - encryption info
http://www.beginningtoseethelight.org/efsrecovery/ - more encryption
info
http://www3.telus.net/dandemar/private.htm - making stuff private

If you use XP's encryption, please make very sure that you understand
completely how to use it and how to back up your certificates and set a
recovery agent.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

If the Windows password is not changed via the proper channels (i.e. booting
with some type of hacking software and brut force changing the password in
SAM) then any files encrypted by that logon (aka userid) will remain
encrypted and unusable.
Also note, the first rule of "security" is eliminating the "physical"
access - almost all security is off if "physical access" cannot be
eliminated.

--
Star Fleet Admiral Q @ your service!
"Google is your Friend!"
www.google.com

***********************************************

"AberTech" <abertech@hotmail.com> wrote in message
news:39ecq6F618achU1@individual.net...
> I have recently been looking into using the encryption tool in WinXP Pro
for
> added privacy/security. Then someone at work told me about a bootable CD
> from winternals.com(?) called Super Acronis or Locksmith which allows you
to
> change the password for any user on that machine. A reboot later and you
> can log on to that account - including Administrator with the new
password.
> As it is the account that your files were encrypted with, anyone who did
> this would automatically be granted access to the encrypted files. They
> even give you a 5 day working demo available for free!
>
> On looking at this NG I can see recent posts 'Forgotton Logon password'
> which also cover this.
>
> If this is so easy to do, it made wonder if there is much point in using
> Windows' encryption? Is the purchase of 3rd party software necessary to
> ensure that files can be made secure/private?
>
>

 

[colouroflife]

after installing a new windows xp server pack 3 i am not in position to access the files and there is message access to file is denied

 

[Zoron]

You'll have to take ownership... did you encrypt the files?