
Five Disturbing Myths about the Microsoft Encrypting File System

In July 2006, I was giving a course on Windows 2003 Security when I came across some disturbing misconceptions about Microsoft EFS security.

To give you some background, one of the features that came out with Microsoft Windows 2000 and 2003 was the Encrypting File System, also known as EFS.

EFS was added because the Microsoft file system, NTFS, only has some security when the operating system is running.

In other words, you can bypass NTFS security if you have another operating system. For example, NTFS security no longer applies if you boot from Linux or Windows 9x.

Tools such as ERD Commander and NTFSDOS from www.sysinternals.com (now part of Microsoft) will help Windows 9x to circumvent NTFS security.

You can find out how EFS works by going here.

1. You Recover EFS Encrypted Files By Changing The User Password

There are a number of easy methods to obtain the administrator account on a local system such as a laptop, the easiest being a Linux password changer boot disk.

Once the administrator account has been compromised, the next step is to change the user's password, log on as that user and then gain access to the encrypted files.



Ben Chai

Ben Chai was one of the first UK engineers to receive both the prestigious Microsoft MCSE and Novell MCNE qualifications and qualify as a...
