EFS and System Cryptography Group Policy - Windows XP SP2

Brent
Dec 31, 2007
Archived from groups: microsoft.public.windowsxp.security_admin

I am trying to secure a standalone laptop computer that contains sensitive
data. Some information in the Resource Kit and Knowledge Base has me
confused.

In Chapter 17 of the Windows XP Resource Kit it states, quote:

"You can strengthen security by replacing the default DESX algorithm with
3DES. In a stand-alone environment, enabling 3DES is recommended."

In a Knowledge Base article, quote:

"Encrypting File System (EFS) is also affected by this setting. By default,
Windows XP uses the Data Encryption Standard (DESX) algorithm with a 56-bit
key length. If the Windows high encryption pack is installed, the key length
for this algorithm is Triple-DES (3DES) or 128 bits. By default, on Windows
XP Service Pack 1 (SP1)-based and Windows Server 2003-based computers, EFS
uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key
length. However, if you enable the System cryptography: Use FIPS compliant
algorithms for encryption, hashing, and signing setting on these computers,
the operating system will use 3DES with a 128-bit key length instead."

So am I reducing the level of security by enabling the group policy on an XP
SP2 computer or increasing it?



(http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prnb_efs_awzg.asp)

http://support.microsoft.com/kb/811833
 
Guest

Brent wrote:

> I am trying to secure a standalone laptop computer that contains sensitive
> data. Some information in the Resource Kit and Knowledge Base has me
> confused.
>
> (snip)
Hi

Not exactly a direct answer to your question, but anyway:

If the data is sensitive, you should absolutely encrypt the data, but I
would not have used Microsoft's built-in EFS; EFS is usually a disaster
just waiting to happen. Some call EFS the "delayed Recycle Bin" ;-)

Some 3rd party alternatives to EFS if you really want to secure the
laptop:

SafeGuard Easy or SafeGuard PrivateDisk
http://www.utimaco.com/indexmain.html

(we are using their "SafeGuard Easy" product to encrypt all of the
local hard disk on all laptops, and we are very satisfied with the
product).

The BestCrypt product found at http://www.jetico.com/ also looks
interesting.

Just be sure to export any encryption keys and save them in a safe
place (outside the computer).



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
Guest

AES is more secure, so you would be reducing security by enabling 3DES. Be
sure to back up your EFS certificate/key on XP SP2 with "cipher /x" to a
floppy and store it in a secure place. If your OS is re-installed or
corrupted but your data is intact, you can still access your encrypted files
with this .pfx file. Just run the .pfx file to import the certificate/key into
your Personal certificate store.

Thanks.
Pat

"Brent" wrote:

> I am trying to secure a standalone laptop computer that contains sensitive
> data. Some information in the Resource Kit and Knowledge Base has me
> confused.
>
> (snip)
>
> So am I reducing the level of security by enabling the group policy on an XP
> SP2 computer or increasing it?
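The backup step Pat describes, written out as an added PowerShell example that is not part of the original thread: it runs cipher /x for the current user and then verifies that the resulting .pfx really holds an EFS certificate together with its private key before the backup is trusted. It assumes cipher.exe (XP SP2 or later) is on the PATH and appends the .PFX extension to the base name it is given, that the destination is removable media (the "floppy" in the answer), and that the Encrypting File System enhanced-key-usage OID is 1.3.6.1.4.1.311.10.3.4; the function names are mine.

```powershell
# Added example, not part of the original thread: back up the current user's
# EFS certificate and private key with "cipher /x", then check that the
# resulting .pfx contains a private key and an EFS-capable certificate.
# Assumptions: cipher.exe (XP SP2 or later) is on the PATH, it appends .PFX to
# the base name it is given, and the destination is removable media supplied
# by the caller. cipher prompts interactively for the password protecting the .pfx.

param(
    [Parameter(Mandatory = $true)]
    [string]$BackupBaseName   # e.g. 'A:\efs-backup' (no extension; cipher adds .PFX)
)

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Test-RemovableDestination([string]$path) {
    # A key backup kept on the same fixed disk as the data is lost together with it.
    $root  = [System.IO.Path]::GetPathRoot($path)
    $drive = New-Object System.IO.DriveInfo($root)
    return ($drive.DriveType -eq 'Removable')
}

function Export-EfsKeyBackup([string]$baseName) {
    & cipher.exe /x $baseName          # prompts for the password twice
    if ($LASTEXITCODE -ne 0) { throw "cipher /x failed with exit code $LASTEXITCODE" }
    $pfx = "$baseName.pfx"             # Windows file names are case-insensitive, so .PFX matches
    if (-not (Test-Path $pfx)) { throw "Expected backup file not found: $pfx" }
    return $pfx
}

function Test-EfsPfx([string]$pfxPath, [System.Security.SecureString]$password) {
    # Decode the SecureString only for the Import call and release it afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $coll  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        # DefaultKeySet without PersistKeySet: the key is loaded for inspection only
        # and is not written into this machine's key store.
        $coll.Import($pfxPath, $plain,
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    $ok = $false
    foreach ($cert in $coll) {
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
        $isEfs = ($ekus -contains $EfsEkuOid)
        Write-Host ("{0}  thumbprint={1}  privateKey={2}  efsEku={3}" -f `
            $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey, $isEfs)
        if ($cert.HasPrivateKey -and $isEfs) { $ok = $true }
    }
    return $ok
}

if (-not (Test-RemovableDestination $BackupBaseName)) {
    throw "Refusing to write the key backup to a non-removable drive: $BackupBaseName"
}
$pfxFile = Export-EfsKeyBackup $BackupBaseName
$pw = Read-Host -AsSecureString 'Re-enter the backup password to verify the .pfx'
if (Test-EfsPfx $pfxFile $pw) {
    Write-Host "Backup verified: $pfxFile contains an EFS certificate with its private key."
} else {
    throw "Backup at $pfxFile has no EFS certificate with a private key; do not rely on it."
}
```

Run it as the user whose files are encrypted, since EFS keys are per user; the check catches the common failure of a .pfx that was exported without its private key, which would import cleanly into the Personal store and still leave the files unreadable.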
 
Guest

"Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
news:44D36AB6-B141-4C3D-BA68-8FD1DBE58245@microsoft.com...
> AES is more secure; so you would be reducing security by enabling 3DES.
>
>>
>> In Chapter 17 of the Windows XP resourse kit it states quote
>>
>> "You can strengthen security by replacing the default DESX algorithm with
>> 3DES. In a stand-alone environment, enabling 3DES is recommended."
>>

Forgive me for being dull... but there's one thing I haven't yet understood:
assuming a default installation of Windows XP SP2, what type of cryptography
is installed by default? 3DES or AES?

Thanks,
Stefano
 
Guest

WXP RTM uses DESX, and WXP SP1 and later use AES. The FIPS group policy option
was useful for increasing the encryption algorithm strength (to 3DES) on WXP
RTM, but the default AES in the WXP service packs is more secure. (WS2003
RTM shipped with AES.)

If a file was encrypted using DESX (before adding a service pack), EFS will
continue using DESX on that file (unless it is decrypted and re-encrypted).
All new files will be encrypted with AES.

Thanks.
Pat

"Stefano Ferrante" wrote:

> Forgive me for being dull... but there's one thing I haven't yet understood:
> assuming a default installation of Windows XP SP2, what type of cryptography
> is installed by default? 3DES or AES?
>
> (snip)
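The version-dependent defaults and the FIPS override that Pat lays out above, as an added PowerShell example that is not part of the original thread: it reads the FIPS policy flag and the optional EFS AlgorithmID override from the registry and reports which algorithm newly encrypted files will get, flagging the case where enabling the policy downgrades an AES-256 default to 3DES. It assumes the registry layout in the comments (XP and Server 2003 keep the FIPS flag as a DWORD named FipsAlgorithmPolicy under ...\Control\Lsa, Vista and later as Enabled under the subkey of that name), the CALG identifiers 0x6604 = DESX, 0x6603 = 3DES and 0x6610 = AES-256 for the AlgorithmID value, and that the FIPS flag takes precedence over an explicit AlgorithmID; the function names are mine. Files already encrypted keep the algorithm they were written with, as Pat says, and this script does not inspect individual files.

```powershell
# Added example, not part of the original thread: report the EFS algorithm a
# Windows machine will apply to files encrypted from now on, from the FIPS
# policy flag and the optional EFS AlgorithmID override in the registry.
# Assumed registry layout: XP / Server 2003 store the FIPS flag as a DWORD named
# FipsAlgorithmPolicy under ...\Control\Lsa; Vista and later store it as Enabled
# under the subkey ...\Control\Lsa\FipsAlgorithmPolicy. Assumed CALG identifiers
# for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\AlgorithmID:
# 0x6604 DESX, 0x6603 3DES, 0x6610 AES-256. Existing files keep their algorithm.

$CalgNames = @{
    0x6604 = 'DESX'
    0x6603 = '3DES'
    0x6610 = 'AES-256'
}

function Get-FipsAlgorithmPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # XP / Server 2003: DWORD value directly under Lsa (assumption, see header)
    $old = Get-ItemProperty -Path $lsa -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    if ($old -ne $null) { return ([int]$old.FipsAlgorithmPolicy -ne 0) }
    # Vista and later: Enabled value under the FipsAlgorithmPolicy subkey
    $new = Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue
    if ($new -ne $null) { return ([int]$new.Enabled -ne 0) }
    return $false   # value absent: policy not enabled
}

function Get-EfsAlgorithmOverride {
    $efs = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $p = Get-ItemProperty -Path $efs -Name AlgorithmID -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }   # absent by default: platform default applies
    $id = [int]$p.AlgorithmID
    if ($CalgNames.ContainsKey($id)) { return $CalgNames[$id] }
    return ('unknown CALG 0x{0:X4}' -f $id)
}

function Get-PlatformDefaultEfsAlgorithm {
    # Defaults as stated in the answer above: DESX on XP RTM (5.1 with no service
    # pack), AES-256 from XP SP1 and Server 2003 onward.
    $os = [Environment]::OSVersion
    if ($os.Version.Major -eq 5 -and $os.Version.Minor -eq 1 -and $os.ServicePack -eq '') {
        return 'DESX'
    }
    return 'AES-256'
}

function Get-EfsNewFileAlgorithm {
    $fips     = Get-FipsAlgorithmPolicy
    $override = Get-EfsAlgorithmOverride
    $default  = Get-PlatformDefaultEfsAlgorithm

    # Precedence (assumption): the FIPS policy forces 3DES, as KB 811833 quoted
    # in the thread states; otherwise an explicit AlgorithmID beats the default.
    if ($fips)                   { $effective = '3DES' }
    elseif ($override -ne $null) { $effective = $override }
    else                         { $effective = $default }

    New-Object PSObject -Property @{
        FipsPolicyEnabled    = $fips
        AlgorithmIdOverride  = $override
        PlatformDefault      = $default
        EffectiveForNewFiles = $effective
        DowngradeFromAes     = ($default -eq 'AES-256' -and $effective -ne 'AES-256')
    }
}

Get-EfsNewFileAlgorithm | Format-List
```

On an XP SP2 machine with the FIPS policy switched on the report shows PlatformDefault AES-256, EffectiveForNewFiles 3DES and DowngradeFromAes True, which is the situation the original question is about; the FIPS setting also affects other consumers of the system cryptographic providers (for example TLS cipher selection), so check those before turning it on or off on a machine that is not purely standalone.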
 
Guest

I'm not doubting that the product works, but the Utimaco web site is scary.
In 60 seconds of looking at it, I found two pages that don't display anything
in Mozilla (they display in Internet Explorer), and one dead link.

Do you have any experience with PGP Disk?

I came to the same conclusion that you mentioned. EFS is not a sensible
choice, apparently. It ties your data to a Windows 2003 domain controller, or
to a single standalone computer, the computer on which the data was encrypted.

____________________________


Torgeir Bakken (MVP) wrote:
> Brent wrote:
>
>> I am trying to secure a standalone laptop computer that contains
>> sensitive data. Some information in the Resource Kit and Knowledge
>> Base has me confused.
>> (snip)
>
> Hi
>
> Not exactly a direct answer to your question, but anyway:
>
> If the data is sensitive, you should absolutely encrypt the data, but I
> would not have used Microsoft's built-in EFS; EFS is usually a disaster
> just waiting to happen. Some call EFS the "delayed Recycle Bin" ;-)
>
> (snip)