Re: File Encryption




EFS never protects data transmission, so during the download it would be
unencrypted. You could do IPSec to protect the channel, but then it would be
stored in the local cache, assuming you do a download and execute. You could
do run from net instead, but then there's no way to verify the signature on
the file you're running.

--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Windows Enterprise Management Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
This posting is provided AS IS with no warranties and confers no rights.

"Stevie" <stefstephens@xxxxxxxxxxx> wrote in message
news:utWXyKD%23FHA.600@xxxxxxxxxxxxxxxxxxxxxxx
> What I am trying to do is, We have roughly 1000 computers that we'd like
> to change the local admin passwords on. I have a VB script that I can
> implement that works perfectly to change the password. I do not want this
> script sent along as clear text if I can avoid it. Is there any way I can
> encrypt this script?
>
> SET objComputer = GetObject("WinNT://W2Kmachine,computer")
> SET objAccount = objComputer.GetObject("user", "Administrator")
> objAccount.SetPassword "password"
> objAccount.SetInfo
>
>
> I know I can protect the files using Windows permissions (preventing
> anyone from reading the script) or allowing only Domain Computers Read
> Only access? However. How can I protect the script. If you could capture
> the packets, you could easily find the script and its contents so
> permissions would not matter at all in that scenario.
>
> Maybe there is some other solutions for this? Any help and/or insight is
> greatly appreciated.
>
> StefStephens
>
> "Marin Marinov" <marin-online@xxxxxxxxxx> wrote in message
> news:MPG.1dfa84c6fd48116598990f@xxxxxxxxxxxxxxxxxxxxxxx
>> In article <#wBsoi39FHA.140@xxxxxxxxxxxxxxxxxxxx>, "Milan Stojanovic"
>> <username piksi@host eunet dot not com but YU> says...
>>>
>>> Sorry for interrupting, but I think that it is a great idea to have report
>>> of all workstations with some encrypted file. Do I need to modify MOF and
>>> use a script, or it can be made by default mof?
>>>
>>> thanks in advance...
>> <snip>
>> Hi Milan,
>> I would argue that it's such a good idea and this goes back to my
>> initial question - why would one need that ;) Technically speaking,
>> there are ways you could potentially do it:
>> - script that recurses through all files and folders and reports data
>> either in WMI or dumps a NOIDMIF file
>> - figuring out how to make software inventory report IsEncrypted for a
>> file. Software inventory seems to store file inventory information in
>> the FileSystemFile WMI class (http://tinyurl.com/bgvqy) under root\ccm
>> \invagt. However, the XML file that it generates and passes on to the MP
>> (http://tinyurl.com/dk8ko) doesn't seem to contain all the properties
>> available in this class.
>> - for folders only, making use of the Win32_Directory class and its
>> Encrypted property
>>
>> Bear in mind though that most of these (probably except option 2) will
>> likely result in a performance hit on the respective computers. And
>> again - finding out which machines have encrypted files is arguably
>> beneficial plus it's reactive, not proactive. As a best practice, if
>> your organization hasn't deployed a "real" PKI, deployed and maintains
>> certificates for the users for use with EFS, disable EFS on the clients.
>> If people can encrypt files whenever they choose without this being an
>> officially designed for and supported feature, this can cause you a lot
>> of headaches...pardon, "administrative overhead" ;)
>>
>> HTH
>> --
>> Cheers,
>> Marin Marinov
>> MCT,MCSE,MCSE:Security,MCP+I
>> -
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "True knowledge exists in knowing that you know nothing."
>> Socrates
>
>
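
Two of the approaches Marin Marinov lists in the quoted reply above (a script that recurses through files and folders, and the Win32_Directory class with its Encrypted property), as an added PowerShell example that is not part of the original thread. The function name Get-EfsInventory, its Root parameter and the output shape are assumptions; it expects a local drive-letter path.

```powershell
# Added example, not from the thread. Inventories EFS-encrypted items under
# one folder tree. Scoping matters: an unfiltered Win32_Directory query visits
# every folder on the machine, the performance hit mentioned in the thread.
function Get-EfsInventory {
    param(
        # Assumption: a local drive-letter path; defaults to the parent of
        # the current user's profile (normally C:\Users).
        [string]$Root = (Split-Path -Path $env:USERPROFILE -Parent)
    )

    $full  = (Resolve-Path -LiteralPath $Root -ErrorAction Stop).ProviderPath.TrimEnd('\')
    $drive = $full.Substring(0, 2)    # e.g. "C:"
    # Win32_Directory.Path holds the parent path without the drive letter and
    # with a trailing backslash. WQL literals need \ and ' escaped with \.
    $sub   = ($full.Substring(2) + '\').Replace('\', '\\').Replace("'", "\'")

    # Folders: Win32_Directory and its Encrypted property.
    # LIKE treats _ and [ as wildcards, so the query can over-match; the
    # StartsWith check trims the result back to the requested tree.
    $filter = "Drive='$drive' AND Path LIKE '$sub%' AND Encrypted=TRUE"
    Get-CimInstance -ClassName Win32_Directory -Filter $filter |
        Where-Object { $_.Name.StartsWith("$full\", [StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Kind = 'Folder'; Path = $_.Name }
        }

    # Files: recurse and keep only items carrying the Encrypted attribute.
    Get-ChildItem -LiteralPath "$full\" -Recurse -File -Force -Attributes Encrypted -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Kind = 'File'; Path = $_.FullName }
        }
}

# One row per encrypted folder or file, ready to export or aggregate centrally.
Get-EfsInventory | Sort-Object Kind, Path | Format-Table -AutoSize
```

Run it in the context of an account that can read the tree being inventoried; folders the account cannot enter are skipped silently by the file pass.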

