Full Disk Encryption

Apr 25, 2007 at 8:55 PM
Using the EFS Assistant, will I be able to:
1. Deploy a single executable to encrypt the complete C drive.
2. Seamlessly encrypt the drive without user interaction.
3. Recover user data in case he/she is not available.
4. Conduct forensic research on the disk without modification.
Centrally manage the encryption policy for the enterprise.
5. Maintain a single System access account for all EFS encrypted assets.
6. Install and encrypt Windows 2000 assets.
7. Install and execute EFS remotely on the enterprise.

I know this is probably asking for a great deal, but it is necessary for me to know the levels of EFS.

Thks,

Johnny
Apr 27, 2007 at 1:09 AM
Johnny,

I am sure that others can add to this discussion, but to briefly answer your questions:

First off, EFS Assistant is really just a wrapper for Microsoft's Encrypting File System (EFS). The Microsoft documentation on EFS will answer many of your questions.
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Secondly, I am going to assume that you are running EFS Assistant in a Domain environment.

> 1. Deploy a single executable to encrypt the complete C drive.
No, EFS cannot encrypt system files. Decrypting an EFS-encrypted file is dependent on user authentication, so if you were to encrypt the entire C drive you would have something of a chicken-and-egg problem (you have to authenticate to decrypt any file, but you need some of those files to authenticate).

> 2. Seamlessly encrypt the drive without user interaction.
You can seamlessly encrypt files and folders without user interaction.

> 3. Recover user data in case he/she is not available.
Yes, via Domain Recovery Agents (DRA).

> 4. Conduct forensic research on the disk without modification.
No, EFS encryption was not designed to do forensic research.

> Centrally manage the encryption policy for the enterprise.
Yes, this is really what EFS Assistant was designed to do.

> 5. Maintain a single System access account for all EFS encrypted assets.
Yes, a Domain Recovery Agent (DRA) can decrypt any encrypted file. (Again, I am assuming you are working in a domain environment.)

> 6. Install and encrypt Windows 2000 assets.
Yes/No. I would not suggest this. Windows 2000 uses EFS, but it uses a different encryption algorithm. Mixing Windows XP EFS and Windows 2000 EFS can lead to file corruption.

> 7. Install and execute EFS remotely on the enterprise.
Yes, this is what EFS Assistant was designed for.

- Scott
Coordinator
Apr 27, 2007 at 4:34 AM
Scott,

I couldn't have said it better myself!

Thanks,
Bill
Apr 30, 2007 at 9:05 PM

ScottB wrote:

> Centrally manage the encryption policy for the enterprise.
Yes, this is really what EFS Assistant was designed to do.


Is there a way to configure domain-based group policies for EFS Assistant? The Evaluator's Guide shows editing the Local Computer Policy, but to centrally manage EFS, domain-based policies would work better.

Ken
Coordinator
May 1, 2007 at 10:42 PM

KenN wrote:

Is there a way to configure domain-based group policies for EFS Assistant? The Evaluator's Guide shows editing the Local Computer Policy, but to centrally manage EFS, domain-based policies would work better.

Ken

Yes, and they're exactly the same settings as you'd configure according to the Local Computer Policy instructions. Why they're not additionally tagged as "Active Directory Group Policy" instructions is a mystery that will hopefully be solved soon.

All you should have to do is load the ADM or ADMX template into whatever tool/UI you use to edit all other domain-based group policies, then set those settings and let Active Directory do the rest.
Coordinator
May 5, 2007 at 2:15 AM
Edited May 5, 2007 at 2:18 AM
Just thought I'd let everyone know that we posted the entire Administrator's Guide (non-final version) in the Release Candidate 1 release. It has more information about configuring the tool using AD-based Group Policies.

Let me know if this does not answer your question!

Bill