Ask the Expert

Encryption feature on Windows 2000

Here's a thought... Windows 2000 encryption works 'seemlessly' with the users' existing ID and password credentials. Once authenticated, users can encrypt and decrypt data on the fly with a minimum of hassle.

A big issue, I believe, is what additional protection any encryption would give? A problem with Windows 2000 currently is that system files cannot be encrypted (apparently this will be possible with future releases...) This means that in theory at least, a machine can be hacked for user-account details with standard hacker tools (L0phtcrack/lsadump2 /NTFS DO etc.). The Windows 2000 encryption gives no added protection against this sort of attack, only to the selected files and folders within the NTFS structure.

Once a hacker has achieved this 'local' hack and compromised accounts and passwords, he simply logs on to that machine with the user's account and immediately has access to everything that user has encrypted 'on the fly.' In short, the compromised user has achieved nothing by encrypting his files other than giving himself a false sense of security!?? Any thoughts on this?


    Requires Free Membership to View

Your thoughts are quite perceptive.

I'm (as you might expect) a fan of encryption, but there are only some things you can solve with encryption. Also, most all encryption is ultimately keyed by a password or passphrase, and if you lose that -- or it's hacked out from under you -- then all bets are off. Let's face it, if they know that the password is swordfish, it doesn't matter what crypto you used. And if that encrypted disk happens to be served on the network, then you didn't gain a thing from encryption.

In spite of this, it isn't worthless. The main thing that disk encryption is good for is keeping your data reasonably safe if your machine vanishes. This isn't a huge factor with desktop systems, but it matters a lot with laptops. It's bad to have your laptop stolen, but at least if they can't get the data in it, you have some peace of mind.

There's also at least one other option for you. There are products that provide better disk encryption than the default one with W2K. The PGP products (full disclosure -- I worked on these) provide an encrypting virtual disk driver, which allows you to make a file on your base OS into a virtual disk that has fully encrypted access to it. Many people use such a volume to store sensitive things, and since it isn't integrated into the user authentication system, it's harder to break open.

Nonetheless, you hit the nail on the head here -- if encryption is integrated into the OS authentication and that authentication is easily hacked, you don't get very much protection when all is said and done.

For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Securing your Data and Information->Encryption
Web Security Tip: Encryption made simple

This was first published in May 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: