Re: Attacking EFS through cached domain logon credentials

From: Todd Sabin (tsabin@razor.bindview.com)
Date: 01/24/03

    To: "John Howie" <JHowie@securitytoolkit.com>
    From: Todd Sabin <tsabin@razor.bindview.com>
    Date: 24 Jan 2003 15:56:32 -0500

    "John Howie" <JHowie@securitytoolkit.com> writes:

    > Todd (and lists),
    >
    > You wrote:
    >
    > >
    > > This is not completely correct, and I wanted to clarify how an attack
    > > against a domain-member's EFS encrypted files can work. The threat
    > > model is this:
    > >
    >
    > It is important to distinguish between a weakness in EFS (there is none,
    > as described here) and the risk associated with using cached logon
    > credentials.

    I agree there's no bug here, if that's what you mean. Whether this is
    a 'weakness', risk, vulnerability, or whatever is mainly semantics.
    Let's just say it's a property of EFS that its encryption is no
    stronger than the user's password in the scenario I outlined.

    The underlying point is that many organizations probably have password
    policies (complexity requirements and maximum password age) designed
    in part to mitigate the risk of the passwords being cracked before
    they expire (and become useless). Often, maximum age is in the
    ballpark of 45 days.

    The problem is that if someone has obtained a stolen laptop as I
    described, the user's password doesn't become useless when it expires
    unless the information in the files encrypted with EFS also becomes
    useless.

    If you want to encrypt information that has long term value, you
    probably need to either seriously reevaluate your password complexity
    requirements, put smart cards or some other hardware into the mix (as
    you mentioned), or use something other than EFS.

    -- 
    Todd Sabin                                          <tsabin@optonline.net>
    BindView RAZOR Team                            <tsabin@razor.bindview.com>
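The post's point is that a maximum-password-age policy only helps against online account abuse, while files on a stolen laptop stay readable for as long as the data has value. The following is an added worked example (not part of Todd's message or of any BindView tool) that makes that arithmetic concrete: it sizes the keyspace for a password policy, estimates how long the password resists exhaustive guessing at an assumed offline guess rate, and works out the length needed when the horizon is the data's lifetime rather than the next forced change. The character-class sizes and the guess rate of 10^9 per second are illustrative assumptions, not measurements.

```python
# Password-policy arithmetic for data at rest (added example; all figures are assumptions).

# Character-class sizes used to size the keyspace (constructed for this
# illustration; real policies may define classes differently).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

SECONDS_PER_DAY = 86400


def keyspace(length, classes):
    """Number of candidate passwords of exactly `length` drawn from `classes`."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def expected_crack_seconds(length, classes, guesses_per_second):
    """Expected time for exhaustive guessing: on average half the keyspace is tried."""
    return keyspace(length, classes) / (2 * guesses_per_second)


def expiry_protects_account(length, classes, guesses_per_second, max_age_days):
    """Online-account view: will the password expire before it is likely cracked?

    This is the question a maximum-password-age policy is designed to answer.
    """
    limit = max_age_days * SECONDS_PER_DAY
    return expected_crack_seconds(length, classes, guesses_per_second) > limit


def required_length(classes, guesses_per_second, data_lifetime_days):
    """Data-at-rest view: the horizon is the lifetime of the encrypted data.

    With a stolen laptop the cached credential and the EFS-protected files are
    available indefinitely, so the password must resist guessing for as long as
    the data keeps its value, not merely until the next forced change. Returns
    the smallest length whose expected crack time exceeds that lifetime.
    """
    # expected_time > lifetime  <=>  keyspace > 2 * rate * lifetime_seconds
    # (kept in integer arithmetic so very large keyspaces compare exactly)
    threshold = 2 * guesses_per_second * data_lifetime_days * SECONDS_PER_DAY
    length = 1
    while keyspace(length, classes) <= threshold:
        length += 1
    return length


if __name__ == "__main__":
    # Assumed offline guess rate against the cached credential (illustrative, not measured).
    RATE = 10**9
    three = ("lower", "upper", "digit")
    four = ("lower", "upper", "digit", "symbol")

    days = expected_crack_seconds(8, three, RATE) / SECONDS_PER_DAY
    print(f"8 chars, 3 classes: expected crack time {days:.1f} days; "
          f"45-day expiry protects the account: {expiry_protects_account(8, three, RATE, 45)}")
    print(f"Length needed, 4 classes, to outlast data with a 10-year value: "
          f"{required_length(four, RATE, 3650)}")
```

Note that `expiry_protects_account` asks the question the password-age policy was written for, while `required_length` asks the question that matters for EFS on a stolen laptop; the gap between the two answers is the post's argument in numbers, and closing it means a much longer password, a smart card or other hardware factor, or a different encryption product.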
    

