RE: Cached Domain Password on Notebook, secure?

From: Skinner, Kit (KSkinner@sandstream.com)
Date: 02/20/02


From: "Skinner, Kit" <KSkinner@sandstream.com>
To: 'Alan Ramsbottom' <alancr@ntlworld.com>, "Skinner, Kit" <KSkinner@sandstream.com>, "'Laura A. Robinson'" <larobins@bellatlantic.net>, "Varga Daniel (QI/RZS4) *" <Daniel.Varga@de.bosch.com>, focus-ms@securityfocus.com
Date: Wed, 20 Feb 2002 17:25:39 -0000


From: Alan Ramsbottom [mailto:alancr@ntlworld.com]

> > > No, the security of EFS stands or fails with the location of
> > > the user and recovery agent keys. Get them off the hard drive.

> > That makes very logical sense and is very important to do.

> Perhaps I've misunderstood the scenario, but AFAIK Win2K & WinXP EFS
> implementations use the MS Base CSP and the user's keys must be there for
> EFS to work.

Okay, it's been a while since I've gone back to Windows use of EFS (feel free
to correct me), so bear with me. It is possible to remove the recovery key
using the following:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q241201#2

However, users' private keys are stored in their profile where they are
encrypted using an RC4 master key. The master key is then encrypted using
HMAC and SHA1 by using the master key, the user's SID, and the user's
password. A second copy of the master key (backup master key) is encrypted
using HMAC & SHA1 by using the master key, and the domain controller's
backup key. The domain controller's backup key is stored as a Global LSA in
HKLM\SAM on the local system.

Not quite sure what the Global LSA protection uses. If you could decrypt
that key, that would be the grail for this decryption effort. Beyond that,
the password is going to be easier to brute force than cracking any other
algorithms.

There's a good chapter in the Windows 2000 Resource Kit about this, and it is
available via TechNet at:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distsys/part2/dsgch15.asp
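As an added illustration (not code from the thread, from Microsoft, or a faithful reproduction of the DPAPI blob format), the following Python models the key hierarchy Kit describes above: the user's private key is encrypted under a random master key, one copy of the master key is wrapped under a key derived from the user's password and SID with HMAC-SHA1, and a second copy is wrapped under the domain controller's backup key. The function names, key sizes, the SHA1-of-UTF-16 password hash, the use of RC4 as the wrapping cipher and the HMAC integrity tag are all assumptions chosen for the model; the point it makes is structural, namely that both unwrapping paths yield the same master key, that a password change re-wraps the master key without changing it, and that the password-derived path is the only one whose key is human-chosen.

```python
# Added example: a simplified model of the EFS/DPAPI key hierarchy described
# in the thread. Construction details are assumptions, not the real format.
import hmac
import hashlib
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def password_wrapping_key(sid: str, password: str) -> bytes:
    """Key derived from the user's password and SID (assumed construction:
    HMAC-SHA1 keyed with SHA1 of the UTF-16LE password, over the SID)."""
    pw_hash = hashlib.sha1(password.encode("utf-16-le")).digest()
    return hmac.new(pw_hash, sid.encode(), hashlib.sha1).digest()


def wrap(kek: bytes, key: bytes) -> dict:
    """Encrypt `key` under `kek` and attach an HMAC-SHA1 tag so a wrong
    unwrapping key is detected instead of silently yielding garbage."""
    ct = rc4(kek, key)
    tag = hmac.new(kek, ct, hashlib.sha1).digest()
    return {"ct": ct, "tag": tag}


def unwrap(kek: bytes, blob: dict) -> bytes:
    expected = hmac.new(kek, blob["ct"], hashlib.sha1).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong key or tampered blob")
    return rc4(kek, blob["ct"])


def protect_master_key(master: bytes, sid: str, password: str,
                       dc_backup_key: bytes) -> dict:
    """Two copies of the master key: one under the password-derived key,
    one (the backup master key) under the domain controller's backup key."""
    return {
        "user": wrap(password_wrapping_key(sid, password), master),
        "backup": wrap(dc_backup_key, master),
    }


def recover_via_password(blob: dict, sid: str, password: str) -> bytes:
    return unwrap(password_wrapping_key(sid, password), blob["user"])


def recover_via_backup(blob: dict, dc_backup_key: bytes) -> bytes:
    return unwrap(dc_backup_key, blob["backup"])


def change_password(blob: dict, sid: str, old: str, new: str) -> dict:
    """A password change re-wraps the existing master key; the master key
    itself, and therefore the protected private key, stays the same."""
    master = recover_via_password(blob, sid, old)
    return {"user": wrap(password_wrapping_key(sid, new), master),
            "backup": blob["backup"]}


def protect_private_key(master: bytes, private_key: bytes) -> dict:
    """The user's EFS private key is encrypted under the master key."""
    return wrap(master, private_key)


if __name__ == "__main__":
    sid = "S-1-5-21-1-2-3-1001"          # constructed sample SID
    master = os.urandom(64)
    dc_key = os.urandom(32)
    efs_key = os.urandom(32)             # stands in for the EFS private key
    blob = protect_master_key(master, sid, "Winter2002", dc_key)
    pk_blob = protect_private_key(master, efs_key)
    via_pw = recover_via_password(blob, sid, "Winter2002")
    via_dc = recover_via_backup(blob, dc_key)
    print("password path ok:", via_pw == master)
    print("backup path ok:  ", via_dc == master)
    print("private key ok:  ", unwrap(via_pw, pk_blob) == efs_key)
```

Running the script shows both paths yielding the same master key, which is why the thread's conclusion follows: the domain backup key is random and well protected, so an attacker who cannot obtain it is left with the password-derived path, and that path is only as strong as the password. The HMAC tag is what makes a wrong password fail loudly; without it a stream cipher like RC4 would simply return wrong bytes.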