Windows update and EFS
From: Xavier Serret (Xavier.SERRET@GEMPLUS.COM)
Date: 11/21/01
- Previous message: Eivaz, Ray: "Re: IUSR_<machine_name> Default Group Membership"
- Next in thread: Särs, Camillo: "Re: Windows update and EFS"
- Reply: Särs, Camillo: "Re: Windows update and EFS"
- Reply: John Howie: "Re: Windows update and EFS"
Message-ID: <032e01c17290$64f32d00$c86511ac@otp>
Date: Wed, 21 Nov 2001 10:24:19 +0100
From: Xavier Serret <Xavier.SERRET@GEMPLUS.COM>
Subject: Windows update and EFS
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Hi all,
I have been using EFS successfully for quite a while now. It works great
and its transparency to applications is remarkable. Unfortunately, EFS
does not support the System as an encryption agent, which leads to the
requirement that all data within the %SYSTEMROOT% cannot be protected.
This is a "minor" issue as far as all data within %SYSTEMROOT% is
"public"..., that is, it contains only OS related data. However, the
Administrator account data cannot be considered public as it contains
private information such as browser log files, cookies and others. This
is why I decided to encrypt the Administrator account as well.
The problem, which has been already reported by Microsoft, is that if
you use Windows Update all temporary installation files are created
within the administrator profile directory and then moved to the system
directory as a last step. Result: a nice set of encrypted files in the
system directory. When these files include vital functions such as
device drivers the outcome is a non-bootable installation. Of course,
the end-user is only notified when a blue screen pops out with an error
"0xC0000022" (access denied).
Even if there is a Knowledge Base file (Article ID: Q307012, I was
actually installing DirectX 8.1) explaining this behavior in a quite
summarized way, I found it a bug that has to be repaired at least for
all "windows update" scripts.
Xavier.
--
Xavier Serret. Security Architect. Information Security Group @ Gemplus
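
The failure described in the message above can be checked for before and after an update. The following is an added example, not part of the original post or of any Microsoft tool. It assumes the installer stages its files under the current user's %TEMP% directory; the function names Test-EfsEncrypted and Get-EfsEncryptedFile are hypothetical.

```powershell
# Added example: detect the EFS condition described in the message.
# Assumption: installers stage files under the current user's %TEMP%.

function Test-EfsEncrypted {
    # Returns $true when the file or directory carries the EFS "Encrypted" attribute.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    return $item.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)
}

function Get-EfsEncryptedFile {
    # Lists every file under $Root that carries the Encrypted attribute.
    # Unreadable directories are skipped rather than aborting the scan.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) } |
        Select-Object FullName, Length, LastWriteTime
}

# 1. Pre-flight: files created in an encrypted directory are encrypted too,
#    and keep that state when they are later moved on the same volume.
if (Test-EfsEncrypted -Path $env:TEMP) {
    Write-Warning "$env:TEMP is EFS-encrypted; files staged here stay encrypted when moved."
}

# 2. Post-install, before rebooting: nothing under %SystemRoot% should be
#    encrypted, because the System account cannot read such files at boot.
$hits = @(Get-EfsEncryptedFile -Root $env:SystemRoot)
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) EFS-encrypted file(s) found under $env:SystemRoot"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No EFS-encrypted files under $env:SystemRoot."
}
```

Any file reported by the second step has to be decrypted by the account that encrypted it (for example with `cipher /d`) before the machine is restarted.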