RE: Attacking EFS through cached domain logon credentials

From: John Howie (JHowie@securitytoolkit.com)
Date: 01/21/03

    Date: Mon, 20 Jan 2003 22:32:12 -0800
    From: "John Howie" <JHowie@securitytoolkit.com>
    To: "Todd Sabin" <tsabin@razor.bindview.com>, <bugtraq@securityfocus.com>, <focus-ms@securityfocus.com>
    

    Todd (and lists),

    You wrote:

    >
    > This is not completely correct, and I wanted to clarify how an attack
    > against a domain-member's EFS encrypted files can work. The threat
    > model is this:
    >

    It is important to distinguish between a weakness in EFS (there is none,
    as described here) and the risk associated with using cached logon
    credentials.

    It is not just EFS which is at risk through 'cracking' an account like
    you describe, there are so many other 'secrets' in a user's profile
    including passwords to websites remembered by IE, POP3 email account
    passwords in Outlook and Outlook Express, VPN passwords, etc.

    Truly sensitive data should not be stored on a laptop, and when it must,
    use two-factor authentication such as a Smart Card (which does reduce
    the risk associated with cached logon credentials) or a SecurID token.
    If nothing else, some laptops these days come with passwords to
    lock/unlock the hard drive.

    Regards,

    John Howie CISSP MCSE
    President, Security Toolkit LLC


