Archive for December, 2009

Windows Security: Part 6

December 4th, 2009

In my last blog posting I discussed the Encrypting File System (EFS) that is built into every Windows operating system since Windows 2000 and how EFS works. Although EFS is effective as a security control against data security breach-related risks, a major limitation is that it does not provide whole disk encryption, making it susceptible to certain kinds of attacks. A perpetrator who has local access to the same hard drive on which Windows resides can, for example, boot a non-Windows operating system to access EFS-encrypted files and directories or copy the entire encrypted contents of a lost or stolen PC’s hard drive to a completely different computer to view the information in clear text. Windows BitLocker encryption, which is available in Vista (see footnote below) and Windows Server 2008, addresses this limitation nicely by encrypting the entire contents of a Windows volume, thereby protecting all the data therein from a wider variety of attacks.

Windows Security: Part 5

With all the data security breaches that have occurred over the last half decade and also with the advent of data protection requirements such as the PCI-DSS standard, even the most security-resistant organizations have been forced to assess and at least to some degree deal with data extrusion-related risks. Accordingly, vendors of security products as well as some operating system vendors, Microsoft included, have incorporated data extrusion prevention controls into their products. Starting with Windows 2000, Microsoft has provided the Encrypting File System (EFS) in its operating systems. EFS, which works only with the NTFS-5 file system, encrypts files and directories in a manner that is transparent to users.
