NTFS encryption security on portable drives

[superticker]

If you use NTFS on the portable drive, you can use Windows' built-in EFS encryption.... Doesn't work on "Home" editions of XP, though.

-f0dder (April 21, 2006, 08:23 AM)

This comment brings up a question I have about NTFS file security.  If I move an NTFS disk between two Windows Pro machines belonging to the same domain (and using the same enterprise license key for Windows Pro), the encrypted files should be okay (if they're authenticated with the same domain controllers), right?

What if I move an NTFS disk to another Windows Pro system that's part of a different authority (different domain or difference license key)?  Won't--or shouldn't--those encrypted files be unreadable?  Or am I missing something here?

Will you even be able to mount an NTFS volume that comes from a foreign domain (or license key)?  My understanding is that foreign NTFS volumes present mounting problems, especially when they don't have Everyone read/write access.  Does someone know a reference that discusses this more?

Some backup software (like Paragon) lets you change the volume SID on an NTFS disk, but I always thought you had to decrypt all files before doing so or bad things would happen.

[f0dder]

After thinking this through a bit...

Windows stores the EFS encryption key, encrypted, in the registry... for domain logons, I assume it's stored on the domain controller. For non-domain machines, you'll probably need to make sure that all machines have the right credentials, and perhaps SIDs as well. Bummer

[superticker]

Windows stores the EFS encryption key, encrypted, in the registry... for domain logons, I assume it's stored on the domain controller. For non-domain machines, you'll probably need to make sure that all machines have the right credentials, and perhaps SIDs as well.

-f0dder (December 03, 2006, 11:14 AM)

The problem with NTFS files is they have the concept of "ownership" attached to them.  If that ownership is attached by a central authority (domain controller), then switching disks among domain members shouldn't be a problem.  But when you mount a "foreign volume" from outside the central authority, then who owns these files?  ...the Default User?

Should you even be able to mount a foreign volume?  If so, then who takes ownership of the Default User's files?  In this weird case, I "think" the Default User would be the local administrator since the creator of the original domain account to which these lost files once belonged to would not be available on a foreign, non-member host.  The other possibility is that there is no defined Default User; therefore, you can't mount the foreign volume.

I have strongly discouraged users from formatting their USB flash drives with NTFS directories if they are taking them outside their Windows domain for fear it might create ownership problems down the road.  Even if those flash drive files are owned by the Everyone group, it's still the Everyone group for that specific domain, not the entire Windows world.

If there is a safe approach for defining NTFS ownership on portable (foreign) disk volumes, could someone step forward and explain this?  For security reasons, I don't like users using FAT volumes, but for portable disks, I'm not sure how to get NTFS ownership to work.

[f0dder]

Iirc the SIDs for "default" accounts like administrator will be different on each windows install, and they certainly will be for non-default accounts, even if they're created using the same name.

I had totally forgotten about this when writing the original post you quoted - duh.

So if you plan on using security features (whether that be NTFS encryption, or just regular permission stuff), be careful. It can cause problems if you're using the disk(s) in other machines.

I have strongly discouraged users from formatting their USB flash drives with NTFS directories if they are taking them outside their Windows domain for fear it might create ownership problems down the road.

-superticker

Not a good suggestion though - if somebody formats his drive as FAT, he'll be in a nasty situation once he's filled up some 100GB and need a file that's >4GB large (but okay, at least there's transparent conversion to NTFS with "convert.exe").

[superticker]

I have strongly discouraged users from formatting their USB flash drives with NTFS directories if they are taking them outside their Windows domain for fear it might create ownership problems down the road.

-superticker

Not a good suggestion though - if somebody formats his drive as FAT, he'll be in a nasty situation once he's filled up some 100GB and need a file that's >4GB large (but okay, at least there's transparent conversion to NTFS with "convert.exe").

-f0dder (December 03, 2006, 02:17 PM)

Actually, all USB flash disks (and ZIP disks) are shipped formatted as FAT.  SanDisk uses FAT16, and that would limit the flash volume to 4 GBytes.  I guess I don't know why SanDisk doesn't use FAT32.  Does anyone know?

The problem is that users want to convert their new USB flash drive from FAT to NTFS, and that's what I'm discouraging until I figure out how foreign NTFS file ownership would be handled between office (central domain controller) and home (foreign host).

[f0dder]

Makes sense to format things like MMC and SD as FAT16 I guess, since some older cameras/whatever might not support FAT32?

Shipping external USB drives as FAT32 makes sense for a lot of users I guess, but it bites you when you work with large datasets - especially because the error messages you get aren't very intuitive