
Windows Security: Part 5

With all the data security breaches that have occurred over the last half decade and also with the advent of data protection requirements such as the PCI-DSS standard, even the most security-resistant organizations have been forced to assess and at least to some degree deal with data extrusion-related risks. Accordingly, vendors of security products as well as some operating system vendors, Microsoft included, have incorporated data extrusion prevention controls into their products. Starting with Windows 2000, Microsoft has provided the Encrypting File System (EFS) in its operating systems. EFS, which works only with the NTFS-5 file system, encrypts files and directories in a manner that is transparent to users.

EFS uses both secret-key (symmetric) and public-key encryption. Symmetric encryption is used to encrypt and decrypt file contents with a per-file file encryption key (FEK). In Windows 2000 and Windows XP the DES-X algorithm (an extended variant of the Data Encryption Standard) with a 128-bit key length is used for data encryption; in Vista, Windows Server 2003/2008 and Windows 7 the much stronger Advanced Encryption Standard (AES) with a 128-bit key length is used. The FEK itself is protected with public-key encryption, which is what makes it recoverable if it is destroyed or corrupted: the public half of a key pair is used to encrypt the FEK, and the corresponding private half is used to decrypt it if key recovery becomes necessary.

The owner of a file or folder can enable EFS encryption on a per-user, per-file or per-folder basis. This encryption can be enabled using either the Windows Graphical User Interface (GUI) or the Windows command prompt. By default, only the user can view his/her own EFS-encrypted files and folders. Encrypted files copied to other volumes on the same machine remain encrypted if the other volumes are running NTFS-5 (even if the destination folder is not set to use EFS). Encrypted files copied to another computer remain encrypted only if that computer runs NTFS-5, has an EFS-encrypted destination folder, and is trusted for delegation. Backed-up encrypted files remain encrypted when they are stored and restored, even if they are backed up to a File Allocation Table (FAT) partition.

Vista and Windows Server 2008 EFS added new security, performance and manageability-related functionality that includes storing user and recovery keys on smart cards, encrypting the Windows page file (which can contain passwords, encryption keys and other objects that, if obtained by perpetrators, could be used to defeat system and information security), and encrypting the offline files cache. Additionally, Vista added new Group Policy options intended to enable system and security administrators to choose and implement organizational policies for EFS.

Key management and key escrow are extremely important functions in a cryptosystem. EFS’s rendition of these functions is reasonably good. Data Recovery Agents are able to retrieve and apply escrowed EFS keys if all else fails. Domain Administrators are the default Recovery Agents for domains, and Local Administrators are the default Recovery Agents for local machines (e.g., workstations). Domain Administrators can add or remove Data Recovery Agents at will and can select recovery policies of their choice in special GPOs.

Microsoft is not the first operating system vendor to offer data encryption, but EFS is in many ways better than the competition in that it is so user-friendly. Still, EFS has some significant downsides, one of the most notable of which is that if both the original and escrowed copies of FEKs are on the same hard drive and the hard drive crashes, encrypted data are lost unless backups on other media are available. Additionally, I know of users who have enabled EFS encryption for their files without any Domain or Local Administrator’s awareness. Then the user’s FEK has become corrupted or deleted. In earlier versions of EFS, this resulted in loss of files due to inability to decrypt them. (In more current versions of Windows operating systems, the key escrow function enables Administrators to recover keys, even if they are not initially aware that a user has enabled EFS file encryption.) Furthermore, anyone who can gain unauthorized access to a user’s account can gain access to that user’s EFS-encrypted files. Finally, EFS encryption is not whole-drive encryption. As such, someone with physical access to a hard drive can potentially access and then decrypt files. Given the number and severity of data security breaches that have occurred as the result of loss or theft of laptops over the last decade, this is a serious limitation. Windows’ BitLocker encryption in Vista and Windows Server 2008 solves this problem by providing whole-disk encryption. We’ll take a look at BitLocker encryption in my next blog entry.

To allow someone other than the owner to read an EFS-encrypted file:

  • Right-click the file and choose Properties -> Advanced -> Advanced Attributes -> Details
  • The Encryption Details dialog box pops up; click Add
  • The Select User dialog box pops up
  • Select the appropriate EFS certificate from the Other People and Trusted People certificate stores, or click Find User to locate a particular user whose certificate is stored in Active Directory
  • When done, click OK
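The key-escrow concerns above (FEK and backups on one disk, users enabling EFS without an administrator's knowledge) and the dialog procedure for granting a second user access, as an added PowerShell example that is not part of the original post: it tests a file's EFS Encrypted attribute, uses the built-in cipher.exe to show which certificates hold a copy of the file's FEK, inventories encrypted files on local drives, backs up the current user's EFS certificate and private key, and grants access to a second account from the command line. It assumes Windows 7 or later, an elevated PowerShell session, and the placeholder path, backup location and account name shown.

```powershell
# Added example (not from the original post). Assumes Windows 7+ with cipher.exe
# and an elevated PowerShell session; path, backup base and account are placeholders.
param(
    [string]$Path       = 'C:\Users\alice\Documents\report.docx',   # placeholder file
    [string]$BackupBase = "$env:USERPROFILE\efs-key-backup",        # cipher appends .pfx
    [string]$GrantTo    = 'CONTOSO\bob'                              # placeholder account
)

# 1. EFS sets the Encrypted attribute on the files it protects; test that bit directly.
$item = Get-Item -LiteralPath $Path
$isEncrypted = [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
Write-Output "EFS encrypted: $isEncrypted  ($Path)"
if (-not $isEncrypted) { return }

# 2. Show which certificates can unwrap this file's FEK: the user(s) who may
#    decrypt it and the Data Recovery Agents holding the escrow copy.
cipher /c $Path

# 3. Inventory every encrypted file on local drives. /n lists only, without
#    rewriting keys, so an administrator can find EFS use nobody told them about.
cipher /u /n

# 4. Back up the current user's EFS certificate and private key. cipher /x
#    prompts for a password and writes <BackupBase>.pfx; store that PFX on
#    other media so a single disk crash cannot take both the data and the only key.
cipher /x $BackupBase

# 5. Grant a second user access to the file, the command-line form of the
#    Properties -> Advanced -> Details -> Add dialog. The target account needs an
#    EFS certificate reachable from Active Directory or the local
#    Other People / Trusted People stores.
cipher /adduser "/user:$GrantTo" $Path

# 6. Confirm the second entry now appears alongside the owner.
cipher /c $Path
```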

A Philadelphia developer has rooted out an unfinished feature of Windows 7 that turns any laptop into a wireless access point, allowing other Wi-Fi-enabled devices to share the connection without special software.

Nomadio, which specializes in military network consulting and development, used the new “Virtual Wi-Fi” feature in Windows 7 to create Connectify, a free application that it released as a beta last Friday.

Virtual Wi-Fi was crafted in Microsoft’s research group as a way to “virtualize” one wireless card as several separate adapters. The project was discontinued in 2006, but the work made its way into Windows 7 as “Native 802.11 Virtual Wireless Fidelity (Virtual Wi-Fi) object identifiers (OIDs)”.

“A year ago, Microsoft talked a lot about this as a big feature in Windows 7,” said Alex Gizis, the CEO of Nomadio. “But driver support didn’t get finished. The low-level code is in there, but the driver-level stuff isn’t. And there’s no app or setting in Windows to turn it on.”

Explaining that the feature was “half there” in Windows 7, Gizis said his company realized “we have the rest of the software here, in our networking work.”

The resulting Connectify differs from the Internet connection sharing that Windows already supports via an “ad hoc” network connection, which lets several Windows computers share a single connection. “For one thing, it shows up as a real wireless access point,” Gizis said. “Two, Internet connection sharing has issues. It returns to the default settings every time you shut down a connection. And three, you can join another wireless network and still run the Connectify Hotspot on the same Wi-Fi card.”
