Re: encryption question

From: Marin Marinov (mlmarinov_at_askme.ca)
Date: 06/11/04


Date: Fri, 11 Jun 2004 10:31:24 -0400


<snip>
If you implement proper layered security protection - firewall, resource
permissions, minimum user privileges, hardening the OS, etc., you
shouldn't have to worry about attackers. If an attacker has gained
access to the server files bypassing all of the above he/she can already
do enough damage. Like change system files to do whatever the attacker
would want (e.g., "sniff" network traffic and intercept incoming files
which are still in plaintext if IPSec or WebDAV is not utilized). Just
to give you an idea of how your administration will be affected, take a
look at:

Best practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

You'll definitely need to educate your users on what EFS is and how they
should and *should not* use it. You'll need to establish procedures for
maintaining EFS, educate the administrators on how to manage and
maintain certificate services and EFS, recover files, and so on. So
there is plenty of homework to do before you let users right-click here and
there and encrypt files. I would be more concerned about mobile users
whose laptops may get stolen since this is a much more likely scenario
than the servers locked in the server room and protected at various
layers against attacks. So they are a target group for EFS. Otherwise
there is plenty you can do to protect your internal resources before you
resort to EFS, there is no point in complicating things artificially
unless the need is really obvious. No one technology is a panacea, but a
combination of many increases the overall security.

Well, I hope this gave you some food for thought and probably made your
decision easier ;)

-- 
Cheers,
   Marin Marinov
   MCT, MCSE 2003/2000/NT4.0,
   MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no 
rights.
"True knowledge exists in knowing that you know nothing."
Socrates

