From the description of how to create a password reset disk, you might think that requiring the user’s current password implies that administrators can't access a user’s encrypted files. Such is not the case, however. Remember that Encrypting File System (EFS) lets you define a data-recovery agent. The data-recovery agent can decrypt any file on the computer. On workgroup computers, local administrators have control of data-recovery policy. Whenever a user accesses an encrypted file, Windows updates the recovery information for that file with the new recovery policy. Thereafter, the new recovery agent can decrypt the file. Bottom line? With patience, an administrator can always gain access to files that another user encrypts. The administrator needs only to add a new data-recovery agent certificate for himself or herself, then wait for the user to access encrypted files. Of course, an indefinite period of time might pass before the user accesses all of his or her encrypted files. Also, the user should grow suspicious upon discovering a changed password.
An unknown attacker who can access the computer twice can also use this method. First, the attacker uses a tool such as Ntpasswd to reset the administrator’s password, then adds a new recovery-agent certificate to the EFS data-recovery policy. Second, after waiting for the user to access encrypted files, the attacker returns and uses his or her recovery certificate to access the files.
Despite this vulnerability, Windows XP’s incarnation of EFS is still much stronger on workgroup computers than Windows 2000’s is. Breaking EFS is much more difficult, but physical security remains important. If you’re in doubt about whether a computer has been compromised, or if you notice that an administrator account password has been inexplicably reset, check the recovery policy. If you find that it's been changed, you should change the recovery policy again, then update the policy on all encrypted files.
