I've been asked to write up a paper on how long it would take us to convert all our XP laptops (about 1,000) to EFS (Encrypted File System). I am the first to admit I know absolutely nothing about EFS. I've only just started looking into today for this write up I have to do. So far, we know that we want to say "no, we can't do it", but I don't have any proper reasoning as to why it would be a real pain to do. I've gathered that they want a server set up and that we would need to pay loads of money for public keys, etc... also that it doesn't really work for laptops properly yet. That could all be wrong, I don't know. Help! Any information or even websites pointing me in the right direction would be great. Thanks in advance.
Well, from the very little that I know about it all I can say is good luck Here's a link to a good amount of readme's MS whitepapers etc that may be of some use.
Lots of reading for me today then. Unfortunately I'd been Googling with "Encrypted File System" not "Encrypting File System" Somehow I have to write this thing up by close of play today... and I'm leaving at 16:00 to catch my train. I can see a no-luncher coming on...
I'm glad not to be you. All I have to do today is go pick one of my brothers up from the airport, and then meet up with -H- for some beerage Good luck with the write up
I helped write an EFS modules for FreeBSD, maybe some of the things I know can help, even if you are targetting windows. Let me know, you know how to get in touch with me. Cheers, David
OK, I thought I got this sorted when IT Security made their demands a bit clearer, as it seemed that from our side we wouldn't have to do anything at all to each laptop. The user can just right-click and choose encrypt/decrypt whatever. However, they've gone and stuck notes on my desk now asking the following (I haven't changed the wording, so make sense of it if you can): EFS on Laptops How much of the laptop data can be encrypted? BIOS upwards? Stop data being deleted by user? IT Support only able to delete data? What BIOS options? What EFS options? What do the above options do? Info by Friday. No please, nothing Anyone have any idea? I really don't see the point in encrypting the BIOS. All of ours are password protected, and if someone's going to steal the laptop, can't they just remove the CMOS jumper and clear it out anyway? I'm pretty sure encrypting the BIOS isn't that easy either? It doesn't help that I'm not totally sure what they're asking me? Monolith, I may be seeking you out for some help on this one!
I don't think they mean encrypting the bios itself, since it doesn't store any data that could conceivably be sensitive, it'd be madness. I suggest what they mean is encrypting the entire system drive, ie everything after the bios. However, I haven't used or examined the EFS functionality, but I'd hazard a guess that that wouldn't be possible, because of windows needing to access the hard drive before it loads properly. It may be if you partition it into two seperate NTFS partitions, and then keep documents or whatever on the one that is entirely encrypted... but I don't know if it can do that. I wouldn't recommend encrypting the entire drive in this case anyhow, it sounds like it's an unnecessary step when you could just encrypt the data folder/s. Just be aware of what information may be found through examining the applications that are running, and other user run programs that may comprimise the security of the encrypted data. Stopping the data being deleted... hmmm. Not sure how that could be enforced on windows. Without investigating further I'd recommend frequent backups being a method for this. As it sounds like rather a tall task for a windows machine. I expect it'd be possible under linux/unix/bsd though... hope that helps Alaric.
Cheers for that I can't see why they're asking all these questions really, as from what we've been told, when they roll out XP to all the laptop users they will only have access to write to the 'My Documents' folder anyway. So why on Earth they don't just leave it at that and have that encrypted I don't know. Everyone does appear to have gone mad recently, as after about 2 years of "never store anything on your local drives, it all has to be on network drives so the data is backed up" they've moved to "save everything into 'My Documents' on your local drive where there will be no back ups whatsoever and if you have a laptop and a desktop PC they will be totally out of sync... rah!" Also they've moved to having a single partition, rather than one with the OS files and another for data. All I keep hearing is "Active Directory will make everything all better" (sic)... I really should do some research as it's always been my policy never to trust the words of IT Consultants... (Please note that our Higher Grade IT staff don't really know much about computers, they just hear words and think they sound good).
Well, one assumes, your company has taken reasonable precautions to prevent their offices being burgled, and are also seeming to trust the integrity of their employees. So the data wouldn't need to be encrypted within the company, as it doesn't really have the opportunity of escaping. With a laptop/palmtop however, they're easily stolen or left places. Sensitive data of the company could easily be 'discovered'. So there is an increased need to encrypt files on laptops. madness... I'd have thought they'd have prefered the central location. There are of course disadvantages, but I thought it'd mitigate the risk of an insider attack though. Being able to work effectively on the move may, of course, be a reason for the change of policy. I'm hoping to move into security after I graduate... and I hope I don't have to deal with too many clueless high level managers... but I rather suspect I will have to Alaric.
