RE: Thanks and a follow-up question on private keys

From: Fred.Langston@guardent.com
Date: 09/10/02


From: Fred.Langston@guardent.com
To: fp56@dial.pipex.com, focus-ms@securityfocus.com, bkml@att.net
Date: Tue, 10 Sep 2002 14:36:31 -0400

Hi Phil,

These keys are not accessible even by an admin, hence my recent
clarification of Bruce's response. That is the benefit of protected
storage. Of course, these keys can be deleted if the profile is deleted by
an admin or the user, but they are not accessible.

This also underscores my comment on correct enterprise deployment via GPO.
Proper creation of Recovery Agents for a domain will enable proper recovery
of the files, as will exporting the user's key to, say, a floppy, and storing
that floppy in an ultra-secure location. Phil, you really need to look at
ALL the deployment issues throughout your enterprise and create a proper
domain-wide architecture using best practices if you are to securely use
EFS.

My personal opinion is to avoid roaming profiles at all costs, especially if
you have users connecting over slow links (RAS, VPN, slow WAN). EFS just
adds another layer of complexity and the possibility of insecure
configuration greatly increases.

Fred Langston, CISSP
  Principal Consultant
  W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
  Seattle, WA www.guardent.com
________________________________________
G U A R D E N T
  Enterprise Security and Privacy Programs

-----Original Message-----
From: Phil Pinder [mailto:fp56@dial.pipex.com]
Sent: Tuesday, September 10, 2002 11:22 AM
To: focus-ms@securityfocus.com; Fred Langston; bkml@att.net
Subject: Thanks and a follow-up question on private keys

Hi all

Thanks for the information on private keys. That's answered my burning
question. However, your replies generated another two....

It seems from some replies that protected storage is located in a mixture of
undocumented locations on the hard-drive/registry, and hence obfuscated. But
another reply seems to locate the private keys in files in :-
C:\Docs and settings\User\Application data\Microsoft\Crypto\RSA\user's SID\
and the master key used to encrypt the PK (itself encrypted with SYSKEY and
the user's password hash) is located in :-
..user\application data\microsoft\protect\user's sid\

Are these locations what is referred to as 'a mixture of locations on the
hard-drive/registry'??

If so, and although they are Admin-only accessible, wouldn't this mean that
these are easily deleted by Admins (by mistake or by an intruder with this
privilege)? And secondly, where is SYSKEY located, since this seems
fundamental to the protection?

Are email keys also held in the roaming profile (same as EFS keys)??

Many thanks

Phil
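As an added example, not part of the original thread or of either poster's setup: a PowerShell script that does what Fred recommends for a single user, namely exporting the user's EFS certificate and private key to removable media, after first checking that the DPAPI-protected key material Phil asks about (the CAPI RSA key containers under Crypto\RSA\<SID> and the DPAPI master keys under Protect\<SID>) is present in the profile. It assumes a modern Windows with the PKI module (Export-PfxCertificate, Windows 8 / Server 2012 or later, so not the Windows 2000/XP systems of 2002); the destination path and the PFX password are placeholders.

```powershell
# Added example (not from the original thread): back up the current user's
# EFS certificate and private key off the machine, after checking that the
# DPAPI-protected key material discussed in the thread exists in the profile.
# Assumptions: Windows 8 / Server 2012 or later (PKI module); the destination
# and the PFX password below are placeholders to be replaced.

param(
    [string]$Destination = 'E:\efs-backup',   # removable media (assumed path)
    [string]$PfxPassword = 'change-me'        # assumed; prompt for it in practice
)

$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Where CAPI keeps the user's RSA key containers and where DPAPI keeps the
# master keys that protect them (both live in the roaming part of the profile).
$rsaDir     = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"
$protectDir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"

foreach ($dir in @($rsaDir, $protectDir)) {
    if (Test-Path $dir) {
        $n = (Get-ChildItem -Path $dir -Force -File).Count
        Write-Host "OK   $dir ($n file(s))"
    } else {
        Write-Warning "missing: $dir"
    }
}

# The EFS certificate is the one in the user's personal store that carries the
# Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4) and has a private key.
$efsOid   = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key found; nothing to export.'
    return
}

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$secure = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force

foreach ($cert in $efsCerts) {
    $file = Join-Path $Destination ("efs-" + $cert.Thumbprint + ".pfx")
    # The PFX holds the private key password-protected; it is the copy that
    # survives a deleted profile or a lost DPAPI master key.
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $secure | Out-Null
    Write-Host "Exported $($cert.Subject) ($($cert.Thumbprint)) to $file"
}

# Sanity check: each PFX must load with the password and contain a private key.
# Loading without PersistKeySet does not leave a key container behind.
foreach ($file in Get-ChildItem -Path $Destination -Filter 'efs-*.pfx') {
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $file.FullName, $secure)
    if (-not $check.HasPrivateKey) { throw "Private key missing in $($file.FullName)" }
}
Write-Host "Backup verified. Keep $Destination off the machine and out of any roaming profile."
```

For the domain-wide recovery agent that Fred mentions, the matching step is to generate the agent's certificate and key with `cipher /r:<basename>` on a workstation, import the resulting .cer into the domain's EFS recovery policy via GPO, and keep the .pfx offline in the same way as the user backup above; which account holds that key is the assumption that decides who can read every EFS file in the domain.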


