A question from a reader:
Hi,
first of all thanks a lot for your help and sorry for my english.
I bought your book in order to get the 70-642 certification, I have just finished it and may be next week I will take the exam.
There is a thing I can´t understand about EFS, so let me explain it to you.
In Chapter 11, Lesson 1, page 517 you said :
“How to share files Portected with EFS
If you need to share EFS-protected files with other users on your local computer, you need to add their encryption certificates to the file. You do not need to follow these steps to share files across a network; EFS only affects files that are accessed on the local computer because Windows automatically decrypts files before sharing them”
From your words I understand that EFS don´t affect trough shared folders and any user who has NTFS permissions to read the file will be able to read it instead it is encrypted with EFSif this user access the file trough a network share, not in local.
Later, in the Q&A section, page 524, Question number 2. The answer is D and the answer, page 618 says
“EFS affects only user who access files locally. Therefore, because the user is connecting across the network, you don not need to make any changes.”
I still understand the same, trough network connection there is no EFS protection.
But latter, I began the Practice Test included in the CD and there is a question which answer tells exactly the opposite. I make a capture of the question.
“EFS does protect files that are accessed across the network, providing an additional layer of protection to NTFS permissions.”
Maybe I´m making a mistake but I prefered to try to ask you where is the mistake, because I always thinked that EFS does protect from users without the right certificate to read the files.
Thanks a lot for your help and for all the content of the book wich has helped me to study for this exam.
Best regards.
And my response:
Sorry for the mistake. C is the only correct answer. The explanation is wrong–as the book says, EFS does nothing to protect files from network access.
I’ll send a note to the editors to add this to the errata! Thanks for letting me know.
So, let me re-iterate it clearly. Correct me if I am wrong:
FIRST choice from the TOP: WRONG! The attacker have gained access to an expose console and can read all EFS-encrypted files.
SECOND choice from the TOP: WRONG! To install a keylogger, access to registry (SYSTEM hive) is required. EFS may not protect registry.
THIRD choice from the TOP: CORRECT! EFS-encrypted files are well protect against offline attack. Attack will get nothing but a heap of indecipherable junk!
FOURTH choice from the TOP: WRONG! “EFS only affects files that are accessed on the local computer because Windows automatically decrypts files before sharing them.”
Doh, you’re right. EFS doesn’t protect against changing system files, which was actually the point of that distractor. As the explanation points out, BitLocker does, EFS does not.
I tricked myself with that question :).
I’m updating the article to avoid future confusion. Thanks for letting me know.