Encrypting File System, or EFS, first debuted in Windows 2000 and gave
users to encrypt files without a 3rd party tool. There were some
limitations in EFS under Windows 2000, among them the default Data
Recovery Agent was the local Administrator account. This meant that if
you tried to use EFS on, say, a laptop, while the files would be
encrypted if someone tried to use a Live CD
or a Linux boot disk, should the administrator account be cracked, the
files could still be accessed. Changes within Windows XP and Windows
Server 2003 did away with vulnerabilities such as this one. There are
still ways around this, since laptops usually have cached credentials which can be cracked,
but it's another step an attacker would have to take. If you aren't
familiar with EFS, check out this short article, appropriately titled:
EFS isn't "whole disk encryption," but secures files and folders. That
means that on a laptop, you are dependent on the user to place files in
the proper locations. Tightening down file permissions works when the
users aren't running with administrator privileges, but with quite a
few apps still requiring more than normal user rights, this isn't so
easy. Until Vista's BitKeeper comes on the scene, that means a 3rd
party solution is required.
On servers EFS can be used to encrypt files such that only the service account has access to them. I wrote about this with respect to SQL Server,
but the article is a little out of date, being written for Windows
2000. I'll need to update it one of these days. Be aware, that as with
any encryption, you are likely to experience some performance
degradation. After all, the encrpytion/decryption does require
additional cycles than straight data access. But the performance hit
under Windows 2000 was often less than 5% and I doubt it has gotten
worse with Windows XP and 2003.
Technorati Tags: Security |
DATABASE |
SQL |
T-SQL |
