Thoughts on encryption for laptops with EFS
Hi guys,
I am hoping for some feedback. We have about 10 mobile users who are going to be visiting client sites and collecting very personal information (think SSNs, etc.). Looking at possible protection for their laptops regarding encryption. Laptops are a mix of Business Vista / Windows 7 Professional.
My first thought for this type of project was to use full disk encryption, using either BitLocker (would have to upgrade to 7 Enterprise of course) or some third-party tool like McAfee Endpoint Encryption (aka SafeBoot). Reasons being I know these solutions can also be applied to USB thumb drives and other removable media, and they can be enforced so the end user doesn't need to make sure to follow any other special steps.
My colleague suggested just using EFS to encrypt the user's profile. Simple and no additional costs right? What do you guys think?
Things that immediately jump out at me:
1) Make sure to back up the private keys. This would have to be done for any solution because these laptops are not domain joined, since they do not connect to the corporate network most of the time. So this isn't too big of a drawback.
2) Protection is only as good as the strength of the password. We are using strong passwords though, so this is mitigated somewhat I would think, right?
3) Can't enforce this easily on USB thumb drives. Have to make sure the drive is NTFS formatted and the user is trained to mark their files or folders as encrypted.
What do you guys think? Is this a good approach or not? I'd be interested to hear your opinions.
Thanks!
January 28th, 2011 8:58pm
If you will use EFS, you have two choices:
1- Use EFS with certificates (you will need a PKI: Public Key Infrastructure)
2- Use EFS without using a PKI: encryption keys will be stored locally on your client computers
The first method is the more secure one. So, if you are going to use EFS, it is recommended to use it.
For the second method, I recommend that you use the Microsoft SYSPREP utility to protect your computer against Live CD attacks (if an attacker is able to access your computer using the account you used for encryption, he will be able to decrypt the files).
A recommendation is to encrypt folders and not files. In fact, if you encrypt a file using EFS, temporary files will not be encrypted, so an attacker can get a lot of information from them. But if you put your files in a folder and you encrypt it, even temporary files will be encrypted. That is why it is recommended to encrypt folders and not files using EFS.
To use EFS you should use NTFS partitions.
EFS is sufficient and efficient to protect your important files.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft
Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
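The three practical points raised above (NTFS is required, encrypt the folder rather than the files so new and temporary files inherit encryption, and back up the EFS private key) can be checked on a single laptop with the script below. It is an added example, not code from the thread; the folder path and backup file name are placeholders, and it is meant to run in the session of the user whose profile holds the client data.

```powershell
# Added example (not from the thread): verify EFS folder-level encryption on one laptop.
# Placeholders: the folder that will hold client records and the key backup name.
$Folder    = "$env:USERPROFILE\ClientData"   # placeholder folder
$KeyBackup = "$env:USERPROFILE\efs-key"      # placeholder; cipher appends .PFX

# 1. EFS only works on NTFS. Win32_LogicalDisk is available on Vista/7,
#    where the newer Get-Volume cmdlet is not.
$driveId = [System.IO.Path]::GetPathRoot($Folder).TrimEnd('\')   # e.g. "C:"
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$driveId'"
if ($disk.FileSystem -ne 'NTFS') {
    throw "EFS requires NTFS, but $driveId is formatted $($disk.FileSystem)"
}

# 2. Mark the folder encrypted (not the individual files): anything created
#    inside it afterwards, including an application's temporary files,
#    gets the Encrypted attribute without the user doing anything.
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
cipher.exe /e $Folder | Out-Null

function Test-EfsEncrypted([string]$Path) {
    # True when the item's attributes include the Encrypted flag.
    $attrs = (Get-Item -Force $Path).Attributes
    return ([int]($attrs -band [System.IO.FileAttributes]::Encrypted)) -ne 0
}

# Prove inheritance with a constructed probe file, then remove it.
$probe = Join-Path $Folder 'probe.txt'
'constructed test content' | Set-Content $probe
if (-not (Test-EfsEncrypted $probe)) {
    throw "New file in $Folder was not encrypted; the folder attribute did not apply"
}
Remove-Item $probe

# Files that existed before the folder was marked may still be in the clear;
# list them so they can be dealt with rather than assumed protected.
function Get-UnencryptedFiles([string]$Path) {
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and -not (Test-EfsEncrypted $_.FullName) }
}
$clear = Get-UnencryptedFiles $Folder
if ($clear) {
    Write-Output "Still unencrypted in ${Folder}:"
    $clear | ForEach-Object { Write-Output $_.FullName }
}

# 3. Back up the EFS certificate and private key (cipher prompts for a PFX
#    password). Store the .PFX off the laptop; without it a reinstall or a
#    lost profile makes the encrypted data unrecoverable.
cipher.exe /x $KeyBackup
```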
January 28th, 2011 9:17pm
Hi,
The information in the following KB articles could be helpful for your work:
Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316
911805 You cannot load or unload a roaming user profile if it contains EFS files on a Windows XP-based or a Windows Server 2003-based client
http://support.microsoft.com/default.aspx?scid=kb;EN-US;911805
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 2nd, 2011 2:20am