  • PCI, EFS and the future?


    Good morning list
    In the past I have asked about encryption solutions to attain PCI
    compliance.
    There are numerous solutions out there and I have some questions about
    EFS in particular.
    We are trying to create a small area on our corporate fileserver to be
    an encrypted location. When used with EFS this area should be
    transparent to the end user since it ties into AD.
    My gut feeling is telling me that EFS is the wrong solution and I fear
    that it won't be in compliance with PCI's data at rest specs.
    Does anyone have any experience with EFS file level encryption, PCI and
    what the future outlook is?
    Are you looking at a replacement product because the auditor didn't find
    EFS adequate?
    Thank you
    Nick Vaernhoej
    "Quidquid latine dictum sit, altum sonatur."
  • No.1

    EFS is a very good, and more than adequate, solution, with one caveat: it
    is file/folder-level encryption versus drive or volume-level encryption,
    and all that those differences entail.

    EFS is free with Windows 2000 and above, and it is good encryption. You
    don't want to lose the private or recovery keys. No matter what solution
    you choose, make sure to automate backing up the recovery keys.

    PCI and other commercial/public requirements don't care what the
    specific solution is as long as it is a strong and reliable solution.
    EFS fits that bill, and you gotta love the price.

    Some folks like PGP or Truecrypt. Both are excellent solutions as well.

    Vendor solutions, which may cost, can also provide a good
    solution, and some people feel third party mgmt tools make it easier
    than free tools, but show me any encryption product and I'll show you
    advantages and disadvantages. None are perfect.

    I say try out a few solutions, including EFS, talk to other users who
    have been using the products for awhile, and choose one that fits in
    your environment. Don't just talk to the "EFS sucks" people, who haven't
    spent time implementing it and using it. That's like an EFS-zealot
    dogging Truecrypt without really using it or understanding it.

    Properly setup and understood, there are many good solutions, including
    EFS.

    Roger

    *Roger A. Grimes, InfoWorld, Security Columnist
    *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yadayada
    *email: roger_grimes (AT) infoworld (DOT) com or roger (AT) banneretcs (DOT) com
    *Author of Professional Windows Desktop and Server Hardening (Wrox)
    *

    Message
    From: listbounce (AT) securityfocus (DOT) com [mailto:listbounce (AT) securityfocus (DOT) com]
    On Behalf Of Nick Vaernhoej
    Sent: Friday, February 02, 2007 12:04 PM
    To: security-basics (AT) securityfocus (DOT) com
    Subject: PCI, EFS and the future?

    Good morning list

    In the past I have asked about encryption solutions to attain PCI
    compliance.

    There are numerous solutions our there and I have some questions about
    EFS in particular.

    We are trying to create a small area on our corporate fileserver to be
    an encrypted location. When used with EFS this area should be
    transparent to the end user since it ties into AD.

    My gut feeling is telling me that EFS is the wrong solution and I fear
    that it won't be in compliance with PCI's data at rest specs.

    Does anyone have any experience with EFS file level encryption, PCI and
    what the future outlook is?

    Are you looking at a replacement product because the auditor didn't find
    EFS adequate?

    Thank you

    Nick Vaernhoej
    "Quidquid latine dictum sit, altum sonatur."
  • No.2

    My gut feeling is telling me that EFS is the wrong solution and I fear
    that it won't be in compliance with PCI's data at rest specs.

    May I ask why you feel that EFS is the wrong solution? On the face of it, it
    seems to satisfy all the PCI data storage encryption requirements.

    I will tell you more why EFS might not be a good idea, but I want to
    hear your opinion first.

    Here are some white papers (disclaimer: they are self-serving, but
    still good) that cover data storage requirements for PCI.

    Also check out http://www.decru.com/

    saqib
  • No.3

    Nick,

    Correct me if I am wrong, but I thought I remember reading that the DSS
    specifically stated that keys could not be tied to user accounts, which they
    are in EFS. Or was that only for certain pieces of data?

    Respectfully,

    Dave Kleiman -

  • No.4

    Dave

    I think what you are referring to is:
    3.4.1 If disk encryption is used (rather than file- or column-level
    database encryption), logical access must be managed
    independently of native operating system access control
    mechanisms (for example, by not using local system or Active
    Directory accounts).
    Decryption keys must not be tied to user accounts.

    The wording suggests this applies to databases. Not file servers.

    Nick Vaernhoej
    "Quidquid latine dictum sit, altum sonatur."

  • No.5

    Saqib

    Because people and articles are full of reasons why EFS might not be a
    good idea. But there is very little that says black on white, Yes or no.

    In my own research I experience a 25% overhead when used on a fresh
    install of Windows Server 2003 and Windows XP.

    From the following article

    " There is no current consensus but companies wishing to leverage such a
    system will face an up-hill battle to defend the proper key management
    processes in place."

    Nick Vaernhoej
    "Quidquid latine dictum sit, altum sonatur."

  • No.6

    Funny, Visa just hosted a PCI-DSS seminar at their offices in Foster
    City and this very issue came up.

    Section 3.4.1 of PCI-DSS 1.1 specifically states that "Decryption keys
    must not be tied to user accounts." The gentleman that was speaking, a
    Mr. Chris Mark said they were specifically talking about EFS but could
    not call it out by name.
  • No.7

    >3.4.1 If disk encryption is used (rather than file- or column-level
    >Database encryption), logical access must be managed
    >independently of native operating system access control
    >mechanisms (for example, by not using local system or Active
    >Directory accounts).
    >
    >Decryption keys must not be tied to user accounts.
    >The wording suggests this applies to databases. Not file servers.


    How does it suggest that? This is about encrypting data, not the containers
    data might be found in.

    Dan
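Two points in the thread can be checked on a real file server: Roger's warning not to lose the recovery keys, and the 3.4.1 debate about decryption keys being tied to user accounts. The following PowerShell script is an added example written for this page (not posted by anyone in the thread); it walks a folder, flags unencrypted files inside the supposedly encrypted area, and for each EFS file parses the English output of the built-in cipher.exe /c to show which user certificates and which recovery-agent certificates can decrypt it. The section header strings it looks for and the $Path parameter are assumptions.

```powershell
# Added example (not from the thread): audit an EFS-protected folder.
# Assumes English cipher.exe output with the sections "Users who can decrypt:"
# and "Recovery Certificates:". Run as: .\Audit-Efs.ps1 -Path D:\PCI\Encrypted
param(
    [Parameter(Mandatory = $true)][string]$Path   # root of the encrypted area
)

function Get-EfsDecryptors {
    param([string]$File)
    $users = @(); $recovery = @(); $section = $null
    foreach ($line in (& cipher.exe /c $File 2>&1)) {
        $t = "$line".Trim()
        if ($t -like 'Users who can decrypt*') { $section = 'users';    continue }
        if ($t -like 'Recovery Certificates*') { $section = 'recovery'; continue }
        if ($t -like 'Key Information*')       { $section = $null;      continue }
        # Account lines look like "DOMAIN\name [name(upn)]"; the thumbprint
        # line that follows each one has no backslash and is skipped.
        if ($section -and $t -match '^[^\s]+\\[^\s]+\s+\[') {
            $acct = ($t -split '\s+\[')[0]
            if ($section -eq 'users') { $users += $acct } else { $recovery += $acct }
        }
    }
    [pscustomobject]@{ File = $File; Users = $users; RecoveryAgents = $recovery }
}

Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
    # EFS sets the Encrypted attribute on every file it protects.
    $isEncrypted = ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    if (-not $isEncrypted) {
        [pscustomobject]@{ File = $_.FullName; Encrypted = $false; Users = @()
                           RecoveryAgents = @(); Finding = 'plaintext file inside the encrypted area' }
        return
    }
    $d = Get-EfsDecryptors -File $_.FullName
    # Every decryptor listed is a user's certificate: this is the "tied to
    # user accounts" property the thread argues about. No recovery agent means
    # losing that user's private key loses the data (Roger's point).
    $finding = if ($d.RecoveryAgents.Count -eq 0) { 'no recovery agent configured' } else { '' }
    [pscustomobject]@{ File = $d.File; Encrypted = $true; Users = $d.Users
                       RecoveryAgents = $d.RecoveryAgents; Finding = $finding }
} | Format-Table -AutoSize -Wrap
```

The list of user accounts in the Users column is what an auditor reading 3.4.1 literally will ask about; the RecoveryAgents column shows whether a data recovery agent exists at all, which is the part worth backing up (cipher.exe /x exports the current user's EFS certificate and key for that purpose).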
