Redmond (WA) – The news this morning was that Microsoft officially withdrew its support of “Private Folder,” one of its “Powertoy” accessories for Windows XP – which was released only last week – reacting to complaints about how its folder encryption capability could be used to thwart the designs of system administrators. Despite this news,the product remains available, although links to the product’s download page have been removed from its Windows Genuine Advantage Offers page.
A statement released by Microsoft to Cnet last Friday seemed to indicate that the company had listened to complaints that the tool was not manageable by administrators via group policy – meaning, admins could not set rules on Windows networks governing who could use Private Folder and who couldn’t, and to what extent. Private Folder is a system service, not an application, so admins cannot create rules banning it from running on a particular system after a user installs it there without permission.
Nevertheless, links to the download page placed in blogs and news reports remain active at the time of this writing, including the one we embedded in the first paragraph above.
Perhaps the most challenging part of the whole process of setting up Private Folder: creating a password.
Private Folder (MPF) makes use of a dynamic link library that already exists in Windows, called CRYPT32.DLL, which provides a moderate level of bitwise encryption to files. As a service, it creates an unnamed folder whose file contents can only be retrieved after entering a password. During the setup process, Private Folder only allows password combinations of a prerequisite strength (mixing capitals and lowercase, including digits).
But as a TG Daily reader helped us discover last week, booting the Windows XP system in Safe Mode – where certain system services are disabled for diagnostic purposes – disabled the part of the Private Folder service that hides the directory from view. As a result, the directory structure itself becomes visible, although the directory contents remain encrypted using CRYPT32.DLL.
This would be far from the first file encryption utility made available for Windows. PGP Corporation offers the most recent commercial version of PGPdisk, now called PGP Whole Disk Encryption, which enables the creation of virtual volumes whose images are encrypted as single files, using the well-known PGP Encryption technique. Versions of PGPdisk have been distributed for decades, including an earlier edition which remains available for free download, though are no longer supported by manufacturers. Still, encrypted volumes using PGPdisk have the virtue of not being able to reveal the identities of what they contain.
The most vocal complaints, however, came from veteran admins who were unclear as to why Microsoft would offer something even as powerful as it was – despite its technical limitations – for an end-user to download and install without any regard to corporate policy. On one prominent independent blog, Richard Staley, a regular and well-renowned admin, commented:
What is Microsoft thinking? I agree…that this is an excellent idea for the home users, but can [you] imagine the chaos this could cause in the corporate environment? As a network administrator, I am already up to my eyeballs in security. Chasing down viruses and spyware is a never ending job. Now I may have to contend with a disgruntled user placing a time-bomb in a private folder that the Domain Admins cannot access.
Others, however, pointed out that there is a way to prevent users from implementing MPF using group policy: Since it uses a Microsoft Installer (.MSI) package during setup, a group policy object could enforce restrictions on users’ rights to install from .MSI packages. As one admin responded:
The file comes in a .msi file – it has to be installed. Don’t companies forbid people from installing software on their machines? If they don’t, they worry about people creating a password protected folder, when they can go ahead and install any software they want – including software which includes spyware/etc?
One of the more highly anticipated features of the upcoming Windows Vista is BitLocker, a utility which enables the 128-bit encryption of a physical drive, rendering its contents useless to thieves even if the drive were physically stolen. But during the last TechEd conference in Boston, many admins begged Microsoft to either let BitLocker use be controlled via group policy, or not to release the tool at all. So perhaps we do know what Microsoft was thinking – or at least thought it was thinking – though the deeper question of whether it was listening remains. Microsoft spokespersons would not comment further for today’s story.