In jobeard's post
https://www.techspot.com/vb/topic71107.html the false information is repeated that in some situations only a recovery agent can recover access to encrypted data. If one has made a copy of his user certificate with the private key and keeps it in a safe place without additional password protection (I mean an additional password to forget), he can always use it to decrypt the data and does not need a recovery agent. I do not say that a recovery agent isn't useful, but one does not have to configure it if one doesn't want to.
I see that there are a lot of articles, even on Microsoft's Web sites, describing the recovery agent as the only way to recover encrypted data, but it is not true.
Writing about small networks and small communities, I'd like to note that small Windows LANs can be divided into two types:
- networks with centralised user management based on Active Directory and a Microsoft domain (e.g. Small Business Server as a Domain Controller),
- networks based on workgroup technology or just on IP communication.
The first type needs an administrator. The administrator manages such a network and decides about its components. The basic and default network configuration rules out using any NTLM in such LANs for hosts from Windows 2000 on, and anything older than NTLMv2 for older Windows hosts beyond Win 3.11.
For Linux and Mac hosts the recommended Samba configuration also rules out using NTLM, as Kerberos is a much better technology.
This type of network needs an administrator, and the admin would have to make some effort to make such a network less secure than the standard configuration by using NTLM.
So EFS users are secure in such a network if the admin is in his right mind.
Small networks do not need tools to manage workstations because the administrator has personal contact with each user.
The second type is a workgroup network or a network based only on IP communication. In such networks users do not use centralised credentials. Every access to a local resource requires the use of a local user account on the host which serves the given share. So password caching does not exist there at all. Every user needs to know many local user/password combinations to access the different resources shared by different hosts.
There are two attitudes to security one can meet in small networks.
The first says that the network is endangered only from outside, and inside everything is common. Security aspects are limited to isolating from the outside. People often know each other's passwords. In such networks NTLM can be used, and EFS is used to secure data in case of losing a notebook or disk.
The second is traditional and says that everyone secures his own data. NTLM can't be used.
I think that even in 2005 the danger of using EFS was very limited, limited to networks which were dangerous in many other aspects.
EFS is not secure in centralised networks which need administration but are not correctly managed. But, as I wrote, such networks are dangerous in many other aspects too. Systems that are not updated are easy targets for viruses and exploits, so such a network should be treated as being as dangerous as the internet. Every user should isolate his computer from such a network as much as he can, using the same tools as against internet intruders. I mean a firewall, antivirus, not sharing files and folders and using sftp or even ftp instead of sharing folders, installing system security updates, even using a local user account for the local computer and a domain account only for resources on servers, and not adding the computer to the domain.
We have to remember that the security of our data is only as strong as the weakest part of our defence.
If one uses strong cryptographic tools and does not care about e.g. system security updates, his effort makes no sense, because one day some exploit will install a backdoor, and a script kiddie will get all the info about his keyboard activity, then his passwords, and in the end all his secret data will end up in the kiddie's hands.
The same is true when one uses TrueCrypt to encrypt data but authenticates on servers via NTLM or in clear text. The attacker does not need deep knowledge to catch his password and take control over his computer to monitor the keyboard and, in the next step, get the TrueCrypt password and access the encrypted data.
I apologise to Tedster for this long discussion not exactly answering his question.
It would be interesting to answer the question of how to force XP Home to support EFS.
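The certificate backup described in the post above, as an added example that is not part of the original post or of the thread it replies to: the script finds the EFS certificate that can decrypt a given file, exports it together with its private key to a PFX file, verifies that the backup really contains the key, and shows how to import it again on a reinstalled system. It assumes the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate, which exist on Windows 8 / Server 2012 and later (not on XP, where the certificate export wizard in certmgr.msc does the same job); the file path, the backup path and the parsing of the `cipher /c` output are assumptions made for this example. Export-PfxCertificate insists on a password (or -ProtectTo), so the backup produced here is password-protected.

```powershell
# Added example, not code from the original post. Assumes: PKI module cmdlets
# (Windows 8 / Server 2012 or later), a file already encrypted with EFS, and that
# cipher.exe /c prints one "Certificate thumbprint:" line per user who can decrypt it.
# The paths below are placeholders chosen for this example.

$EncryptedFile = 'C:\Users\alice\Documents\secret.txt'   # assumed EFS-encrypted file
$PfxPath       = 'E:\backup\alice-efs.pfx'                # assumed offline backup location
$PfxPassword   = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'

# 1. Ask EFS which certificate(s) can decrypt this file. cipher /c lists every
#    user who can decrypt and their certificate thumbprints (hex groups separated by spaces).
$CipherOutput = cipher.exe /c $EncryptedFile
$Thumbprints  = $CipherOutput |
    Select-String -Pattern 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)' |
    ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() }

if (-not $Thumbprints) {
    throw "cipher /c reported no EFS certificate for $EncryptedFile (is it encrypted?)"
}

# 2. Find the matching certificate in the user's store. HasPrivateKey is the part
#    that matters: a certificate without its private key cannot decrypt anything.
#    1.3.6.1.4.1.311.10.3.4 is the Encrypting File System EKU OID.
$EfsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        ($Thumbprints -contains $_.Thumbprint) -and
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.10.3.4' })
    } | Select-Object -First 1

if (-not $EfsCert) {
    throw 'No EFS certificate with a private key in Cert:\CurrentUser\My matches this file.'
}

# 3. Export certificate + private key. The key must be marked exportable
#    (EFS self-signed keys are); -Force overwrites an older backup.
Export-PfxCertificate -Cert $EfsCert -FilePath $PfxPath -Password $PfxPassword -Force | Out-Null

# 4. Verify the backup independently of the store: load the PFX with .NET and check
#    that it carries the same thumbprint and actually contains the private key.
$Backup = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
if ($Backup.Thumbprint -ne $EfsCert.Thumbprint -or -not $Backup.HasPrivateKey) {
    throw "PFX backup at $PfxPath does not contain the private key for $($EfsCert.Thumbprint)"
}
"Backed up EFS certificate $($EfsCert.Thumbprint) ($($EfsCert.Subject)) to $PfxPath"

# 5. Restore (run as the same user on the reinstalled or second machine):
#    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
#        -Password $PfxPassword -Exportable
#    After the import the file opens normally, and 'cipher /c' lists this thumbprint
#    among the users who can decrypt it, with no recovery agent involved.
```

Keep the PFX on media that stays off the machine it protects: a backup that sits next to the encrypted data gives an attacker who steals the disk the key as well. Re-run the export whenever EFS issues a new certificate for the account (for example after a profile rebuild), because files encrypted afterwards will carry the new thumbprint and the old backup will no longer match them.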