Re: Windows update and EFS

From: John Howie (JHowie@SECURITYTOOLKIT.COM)
Date: 11/21/01


Message-ID:  <DLEMIECNEHJNMNPDCFBJIEBCCLAA.JHowie@SecurityToolkit.com>
Date:         Wed, 21 Nov 2001 09:53:45 -0800
From: John Howie <JHowie@SECURITYTOOLKIT.COM>
Subject:      Re: Windows update and EFS
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Dear All,

This is not a bug or shortcoming in the EFS. The Windows 2000 Server
Resource Kit, and the numerous KB Articles, cover these issues in depth.

The EFS works by storing the EFS certificate and associated private key for
a user in that user's profile. As SYSTEM does not have a profile, it cannot
use EFS. Furthermore, the EFS in Windows 2000 allows only the owner and
designated Recovery Agents to decrypt a file. Common files, such as those in
%SystemRoot% are accessed by many users and encrypting them would prevent
all but the owner and the Recovery Agents from accessing them. As there are
no profiles (or user contexts, for that matter) available during startup
encrypted files would be unreadable and the system would not boot. Hence,
all files that have the System attribute set cannot be encrypted.

If you must encrypt the Administrator's profile you can ensure that HotFixes
can be installed by setting the System attribute on the temporary folders in
the profile. Any file written to a folder with this bit set will not be
encrypted. The reason that encrypted files end up in the System32 and
sub-folders, even though they have the System attribute bit set, is that
they are moved from the temporary folder, and not copied, so they preserve
their encryption and compression attributes.

Microsoft's KB has an article on Best Practices when using the EFS. They
recommend setting encryption on the My Documents folder ONLY in a profile.
Sensitive information in the profile (such as the Registry Hive,
certificates, and private keys) are protected by other mechanisms and a
profile should have permissions set so that only the owner, Administrators,
and SYSTEM can access it - preventing prying eyes from accessing it anyway.

I will agree that Microsoft can mitigate the problem of users not
understanding the EFS by copying files to the %SystemRoot% - this would also
overcome problems caused by users who choose to compress folders in their
profile.

john...

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Xavier Serret
Sent: Wednesday, November 21, 2001 1:24 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Windows update and EFS

Hi all,

I have been using EFS successfully for quite a while now. It works great
and its transparency to applications is remarkable. Unfortunately, EFS
does not support the System as an encryption agent, which leads to the
requirement that all data within the %SYSTEMROOT% cannot be protected.
This is a "minor" issue as far as all data within %SYSTEMROOT% is
"public", that is, it contains only OS-related data. However, the
Administrator account data cannot be considered public as it contains
private information such as browser log files, cookies and others. This
is why I decided to encrypt the Administrator account as well.
The problem, which has been already reported by Microsoft, is that if
you use Windows Update all temporary installation files are created
within the administrator profile directory and then moved to the system
directory as a last step. Result: a nice set of encrypted files in the
system directory. When these files include vital functions such as
device drivers the outcome is a non-bootable installation. Of course,
the end-user is only notified when a blue screen pops out with an error
"0xC0000022" (access denied).
Even if there is a Knowledge Base file (Article ID: Q307012, I was
actually installing DirectX 8.1) explaining this behavior in a quite
summarized way, I found it a bug that has to be repaired at least for
all "windows update" scripts.

Xavier.

--
Xavier Serret.            Security Architect.
Information Security Group @ Gemplus
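The following is an added example, not part of either message above: a PowerShell script that detects the failure mode Xavier describes (EFS-encrypted files sitting under %SystemRoot%) and applies the mitigation John describes (marking the profile's temporary folders with the System attribute so files written there, and later moved into System32, are never encrypted). It assumes a current Windows PowerShell; the profile folder names are assumptions for today's profile layout and should be adjusted for the Windows 2000 layout the thread discusses.

```powershell
# Added example (not from the original thread). Assumes PowerShell 3+ on Windows.

# 1. Detection: any EFS-encrypted file under %SystemRoot% is a boot risk, since no
#    user profile (and therefore no EFS private key) is available at startup.
function Find-EncryptedSystemFiles {
    param([string]$Root = $env:SystemRoot)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

# 2. Mitigation from the reply: give the profile's temporary folders the System
#    attribute. Files created there are not encrypted, so a later move into
#    System32 (which preserves attributes) leaves them readable at boot.
#    Folder paths below are assumptions for a modern profile layout.
function Protect-ProfileTempFolders {
    param([string]$Profile = $env:USERPROFILE)
    $tempDirs = @(
        (Join-Path $Profile 'AppData\Local\Temp'),
        (Join-Path $Profile 'AppData\Local\Microsoft\Windows\INetCache')
    )
    foreach ($d in $tempDirs) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        $item = Get-Item -LiteralPath $d -Force
        # A folder already marked Encrypted would keep encrypting new files;
        # clear that first with the built-in cipher tool, then set System.
        if ($item.Attributes -band [IO.FileAttributes]::Encrypted) {
            & cipher.exe /D "$d" | Out-Null
            $item = Get-Item -LiteralPath $d -Force
        }
        $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::System
        Write-Output ("{0}: {1}" -f $d, (Get-Item -LiteralPath $d -Force).Attributes)
    }
}

# 3. Remediation for files that already slipped through: decrypt them while the
#    owning account (here, the administrator who ran the update) is logged on.
function Repair-EncryptedSystemFiles {
    param([switch]$Apply)
    foreach ($f in Find-EncryptedSystemFiles) {
        if ($Apply) { [IO.File]::Decrypt($f.FullName) }
        Write-Output ("{0}{1}" -f ($(if ($Apply) { 'decrypted ' } else { 'would decrypt ' }), $f.FullName))
    }
}

Find-EncryptedSystemFiles | Select-Object -ExpandProperty FullName
Protect-ProfileTempFolders
Repair-EncryptedSystemFiles          # add -Apply to actually decrypt
```

Run the detection step before applying a hotfix from an encrypted profile and again afterwards; an empty result from Find-EncryptedSystemFiles is the condition you want before rebooting.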
