The encryption itself is extremely good if you are using at least SP2 and
awesome if you use XP SP1 which uses AES 256. The link below tells a little
bit about that.
http://support.microsoft.com/default.aspx?scid=kb;en-us;329741
However the vulnerability is access to the private key used for EFS - not
cracking the encryption itself if using at least SP2. W2K requires a
recovery agent, which on a non-domain computer will be the built-in local
administrator account, and a lot of users did not know that. Plus in W2K the
private key can be accessed if the user key is "reset", which allowed
attackers to use a password reset disk to reset the local administrator's
password and then potentially decrypt ANY files on the disk if the RA private
key was still present, by then logging on as the administrator. The use of an
"offline" syskey password/disk can greatly reduce that threat.
Windows XP/2003 greatly increased EFS security with stronger encryption and
better protection of the private key. No longer can a password be "reset" to
allow access to a users EFS files and no recovery agent is required.
However as long as the EFS private keys exist on a computer, there is the
possibility of accessing EFS files even if the attack is just password
guessing. The risk is much greater if the attacker has physical access to
the computer, which makes laptops very vulnerable. The steps below can help
protect your EFS files, and what you do depends on how badly you want to secure
your data.
-- Use complex passwords as is best practice anyhow.
-- Encrypt only folders - never the files themselves and save the files to
the EFS encrypted folder.
-- Use syskey offline protection, which would require the use of a floppy or
password to access the operating system. This will greatly mitigate attacks
on the local administrator account and therefore the possibility of installing
password cracking software.
-- Disable storing of the weak LM hash for passwords, which will require a change
of password to implement.
-- If EFS is used on domain computer and users should NOT have access to EFS
files over the network make sure the computer is not trusted for delegation.
-- Export/delete the private keys for user and recovery agent if one is
used. This is the single best thing to do to protect your EFS files but is
inconvenient, though may be necessary for laptops. Physically secured
computers do not have the urgent need to do such.
-- To truly clean up things you would need to scrub the hard drive of any clear
text remnants of deleted files. Cipher /w is built in and free, but a third
party program that also scrubs the page file and memory before shutdown
would be better. Again, this would be most important on a computer that can
not be physically secured.
-- W2K is a four-year-old operating system. If EFS is going to be used and
you want the best protection then use XP SP1 and Windows 2003 for EFS on
servers.
The links below may be helpful and be sure to have a recovery plan that
includes backup of EFS private keys so as not to lose YOUR access to your
EFS files. --- Steve
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
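Putting the checklist above into a script, as an added example that is not part of Steve's post: a cmd.exe batch file for a standalone Windows XP/2003 machine that inventories encrypted files, backs up the user's EFS certificate and private key (so you still have YOUR access before you consider deleting the key from the machine), turns off LM hash storage, and wipes free space with cipher /w. It uses only the built-in cipher.exe and reg.exe. The drive letter, the A:\ backup path and the file name are assumptions; syskey and the "trusted for delegation" setting are left out because syskey is interactive and delegation is a domain-side setting.

```batch
@echo off
REM Added example (not from the original post): script the local EFS hardening
REM steps on Windows XP / Server 2003 with the built-in cipher.exe and reg.exe.
REM Run from a cmd.exe started as an administrator. VOLUME and KEYBACKUP are
REM assumptions for this example; change them to match your machine and media.
setlocal
set VOLUME=C:
set KEYBACKUP=A:\efs-user-key

REM 1. Inventory: /u /n walks all encrypted files on local drives without
REM    updating their keys, so you know exactly what a lost key would cost.
echo === EFS-encrypted files on local drives ===
cipher /u /n

REM 2. Back up the current user's EFS certificate and private key to a PFX on
REM    removable media. cipher appends .pfx and prompts for a password.
REM    (cipher /x requires XP SP2 or Server 2003 SP1 - assumption stated here;
REM    on earlier builds export the key with certmgr.msc instead.)
echo === Backing up EFS certificate and private key to %KEYBACKUP%.pfx ===
cipher /x %KEYBACKUP%
if errorlevel 1 (
    echo Key backup reported an error - do NOT remove the private key from
    echo this machine until a backup has been made and verified.
    goto :eof
)

REM 3. Stop storing the weak LM hash. On XP/2003 NoLMHash is a DWORD under
REM    the Lsa key; it takes effect for each account at its next password change.
echo === Disabling LM hash storage ===
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v NoLMHash /t REG_DWORD /d 1 /f
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v NoLMHash

REM 4. Overwrite unused space on the volume so plaintext remnants of files
REM    that were later encrypted or deleted cannot be carved back out.
REM    This is slow on large volumes and ignores any other cipher options.
echo === Wiping free space on %VOLUME% (this can take a long time) ===
cipher /w:%VOLUME%\

echo Done. Change the account password now so the LM hash is actually dropped.
endlocal
```

The order matters: the key backup runs before anything else is changed, and the script stops if cipher reports an error, because once the private key is gone from the machine the PFX on the floppy is the only way back into the encrypted folders. The free-space wipe is last because it is the longest step and does not depend on the others.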