[Full-disclosure] Microsoft EFS

From: Dyke, Tim (Tim.Dyke_at_worksafebc.com)
Date: 10/11/05

    Date: Tue, 11 Oct 2005 10:03:18 -0700
    To: <full-disclosure@lists.grok.org.uk>
    
    
    

    > The DEFAULT recovery agent is the Administrator, on the other hand you
    > always can decrypt the data from the userX login like that userX; So crack
    > the password or overwrite it off-line (the same for the delegated recovery
    > agent).

    Tom wrote:
    "be careful:

    overwriting the pw offline will work with efs on w2k.
    it will not work with winxp/2003: you can't access any efs-data after
    resetting the password offline.

    you'll have to crack the user's or the admin's pw and either logon
    interactively or export their keys to get access to the efs-encrypted
    data.

    Tom"

    Do you know how this will work for a machine that is part of a Domain?
    Where there are no Local Users and the Default Recovery Agent is the
    "Domain Admin"?

    I know that one can always hack the local admin PW, then unjoin the
    domain, but where does that leave the machine?
    Is there any way to hack the "nounce" PW?

    Thanks

    Tim

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

