Posted: 6/14/2001 5:24:59 PM EDT
I've just spent some time working with the local county attorney setting up Windows 2000.  One of the Windows selling points was the included encrypted file system on NTFS partitions/volumes.

For anyone using EFS and expecting some type of security, don't.  Go get yourself some third party tools.  Without even putting forth any effort, I was able to generate at least half a dozen ways to bypass the encryption.

Needless to say, the local CA is now going to have to redesign part of their security structure and how they store files.  
Posted: 6/14/2001 5:47:59 PM EDT [#1]
I'd like to send out a big thank you to Microsoft!
Posted: 6/14/2001 6:03:26 PM EDT [#2]
I'd love to see you post how you did this?  I have been working with EFS for some time now.

Only way to do it, (if implemented properly) is to have domain or enterprise admin rights, or to log on as the security encryption admin account.

How did you "bypass" this?
Posted: 6/15/2001 6:43:01 AM EDT [#3]
EFS requires certain file systems, policies, and certificates to work.  If you think about it, I'm sure you can figure out many ways to break it.

For example, the backup utility can be used to copy a file from an NTFS partition to a FAT/FAT32 partition.  When you back up the file, it is automatically decrypted and copied to the new location in plain text.  Windows only requires NTFS permissions to decide who can back up and restore.

Any user, no it doesn't have to be the domain admin, that has been granted the appropriate permissions within AD to change a GPO can edit who is the default recovery agent in a domain.

If someone with GPO admin rights edits the GPO for EFS, they can reverse any encryption already in place and prevent any future files from being encrypted.

Then there is the fact that EFS requires a certificate to decrypt the DDF/DRF.  If you have an enterprise CA, you could be granting recovery agent certificates without knowing it.

There were a few more, but off the top of my head, I can't remember them.

Oh yeah, don't forget about a stand-alone workstation running 2000 Professional and using EFS.  There is no way to prevent someone from trying to make the workstation join a domain.  When it joins a domain, it now uses the domain EFS policies and recovery agents.

Basically, Microsoft requires that you COMPLETELY understand NTFS permissions, Group Policies, and Certificates, as well as physical security of certain PCs.  All of the above must be strictly adhered to for EFS to work with any degree of reliability.  However, I have yet to see any business that has been 100% on all aspects of security.  It simply makes administration too difficult for most enterprises.
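The first point in post #3 (EFS protection ends the moment a file lands on a non-NTFS volume) is the kind of thing an administrator can check for before a copy or backup job runs. The script below is an added example written for this thread, not code posted by any participant: it enumerates files carrying the EFS Encrypted attribute under a source folder, checks whether the destination volume is NTFS using the .NET DriveInfo class, and refuses the copy when the destination cannot hold EFS-protected data. The $SourcePath and $DestinationRoot defaults are assumed placeholder paths.

```powershell
# Added example (not from the thread): refuse to copy EFS-encrypted files
# onto a volume whose file system cannot preserve the encryption.
param(
    [string]$SourcePath      = "C:\CaseFiles",   # assumed placeholder path
    [string]$DestinationRoot = "E:\Backup"       # assumed placeholder path
)

# Return every file under $Path that has the EFS Encrypted attribute set.
function Get-EfsEncryptedFiles {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

# True only when the volume holding $Path is formatted NTFS; FAT/FAT32/exFAT
# have no EFS support, so a file copied there is stored in plaintext.
function Test-VolumeSupportsEfs {
    param([string]$Path)
    $root  = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path))
    $drive = New-Object System.IO.DriveInfo($root)
    return ($drive.IsReady -and $drive.DriveFormat -eq 'NTFS')
}

# Copy encrypted files only to an NTFS destination, reporting what was skipped.
function Copy-EfsFilesSafely {
    param([string]$Source, [string]$Destination)

    $encrypted = @(Get-EfsEncryptedFiles -Path $Source)
    if ($encrypted.Count -eq 0) {
        Write-Host "No EFS-encrypted files found under $Source."
        return
    }

    if (-not (Test-VolumeSupportsEfs -Path $Destination)) {
        Write-Warning ("Destination {0} is not NTFS; {1} encrypted file(s) would be " +
                       "written in plaintext. Aborting copy." -f $Destination, $encrypted.Count)
        $encrypted | ForEach-Object { Write-Host "  would expose: $($_.FullName)" }
        return
    }

    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }

    foreach ($file in $encrypted) {
        $target = Join-Path $Destination $file.Name
        Copy-Item -Path $file.FullName -Destination $target
        # Re-check the copy: Copy-Item preserves the Encrypted attribute on NTFS,
        # but a silent fall-back to plaintext is exactly what we want to catch.
        $copied = Get-Item $target
        if (($copied.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0) {
            Write-Warning "Copied file $target is NOT encrypted on the destination."
        }
        else {
            Write-Host "Copied (still EFS-encrypted): $target"
        }
    }
}

Copy-EfsFilesSafely -Source $SourcePath -Destination $DestinationRoot
```

The post-copy attribute check matters more than the volume check: even on NTFS, a copy can end up unencrypted if the destination folder is not marked for encryption and the copying account's policy does not apply it, so a defender should verify the result rather than trust the file system type alone. The built-in `cipher /c <file>` command can additionally show which user and recovery-agent certificates can open a given file, which is the practical way to audit the recovery-agent concerns raised later in the same post.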
Posted: 6/15/2001 7:46:25 AM EDT [#4]
Thanks for the info, Joe Blacke.

For anyone interested in protecting the privacy of your data, there are plenty of strong third party tools out there.

If you are interested in a very simple and painless utility to encrypt and decrypt your [b]own files[/b], check out Cryptext at:
[url]www.pcug.org.au/~njpayne[/url]

If you want to encrypt information that you need to share with other people, PGP (Pretty Good Privacy) is a good choice and is available at:
[url]www.pgpi.org[/url]
