Password encryption

John Bailey rekkanoryo at rekkanoryo.org
Mon Mar 17 16:15:25 EDT 2008


Venkatasamy,Venkat wrote:
> The helpdesk support team will have local admin access in all the
> computers. The members will be able to access the profile folders for
> all users. In this case, I believe this is not a secure solution.

Local administrator access in itself, even to the server on which profile
directories are stored, is not enough to decrypt the file if you are using an
Active Directory domain and your users are logging in via domain accounts.  In
this scenario, only the user and the encryption administrator (which defaults to
the domain's first Administrator account) at the time of the file's original
encryption would be able to decrypt the file.

Local administrator access via an administrative account other than the default
built-in administrator account would also be insufficient where the users are
logging into standalone machines with local user accounts, as the encryption
administrator on a standalone machine defaults to the built-in local
administrator account.

While it's not perfect, NTFS encryption does give a reasonable form of
protection when used intelligently.  There are a number of explanations of this
around on the web, as well as a number of Microsoft publications (including the
MCP, MCSA, and MCSE training kits for the Windows 2000 Server/Advanced Server
and Windows Server 2003 products), that cover this topic quite well.

Of course, there is no such thing as unbreakable encryption.  Anyone who wants
your data will get it with sufficient time, computing power, and determination.

John
