RealTime IT News

Microsoft Gets EFS Security Thumbs-up

Security researchers at Network Associates Laboratories have given the thumbs-up to Microsoft's Encrypting File System (EFS), a transparent file encryption service built into the Windows XP Professional and .NET Server 2003 platforms.

The Redmond-based Microsoft, which has battled public scorn for lax software security, found favor with researchers from Network Associates Labs, which claimed the EFS encryption service to be secure.

"The findings of the Labs research and analysis indicate that the EFS service makes a reasonable effort at providing file confidentiality and that the components are well designed and implemented," Network Associates said in its detailed report.

The company, which was retained by Microsoft to evaluate the security and architecture of the EFS technology, said EFS "makes a reasonable effort at providing file confidentiality (and) makes good attempts to clean up resources when finished with them and to recover from system failures while performing operations."

Noting that neither file integrity nor authentication protection is a service EFS provides, the Labs' tests found that the design of EFS made some conscious tradeoffs between absolute security and convenience.

"These tradeoff decisions result in some edge-case scenarios," it said, adding the edge-case scenarios weren't bugs but were results of the design decisions and were known from the start.

The EFS, which is a key feature in Microsoft's Windows .NET, provides file confidentiality. It also provides for multiple users to share access to an encrypted file using their own access credentials.

The latest approval from a security researcher for a Microsoft product comes amidst public moves by the software giant to clean up its act regarding security. The company has promised to limit the issuing of "critical" security warnings and change the way vulnerability warnings are issued, particularly for non-technical end-users.

Separately, security consultancy Netcraft believes a "critical" bulletin about a security flaw in Microsoft Data Access Components (MDAC) might not be so critical after all.

Netcraft, which tracks activity on Apache and IIS Web servers, said its own tests show the MDAC vulnerability affects a small percentage of IIS servers.

"Approximately 8 percent of Microsoft-IIS sites tested in 2001 had RDS open to the public; in 2002 this has fallen to around 5 percent...Almost no Microsoft-IIS/5.0 sites we have tested were offering RDS and the proportion of Microsoft-IIS/4.0 sites offering RDS is fairly stable at around one in four," Netcraft said.

Netcraft noted that a small section of the Microsoft-IIS community is likely to use RDS, and that it is rarely enabled on public sites, meaning the security flaw may not affect as many servers as originally believed.