RE: Relative Security Provided by Cached Domain Credentials?

From: Sergey V. Gordeychik (gordey_at_infosec.ru)
Date: 05/12/04

  • Next message: Adil Absar: "Password Management with Services"

    Date: Wed, 12 May 2004 11:13:47 +0400
    To: "Zack Schiel" <ZSchiel@blueandco.com>, <focus-ms@securityfocus.com>


    >Local accounts are easily modified or reset,
    >but I'm not aware of any
    >similar exploits for cached domain credentials.
    >Given that EFS'
    >effectiveness to secure laptop-stored
    >data in a domain environment lives
    >and dies by the security of the cached credentials, I'm curious to know
    >just *how much* more secure they are.

    A little off topic, but.

    Changing the local user password on XP or W2K3 does not give any opportunity to access EFS-encrypted files, because the user's private key is encrypted with the user's password. And that goes for domain accounts, too.

    In the case of W2K the situation is much worse: the private key is encrypted with the user RID.
    But you can protect the EFS private key by exporting it to removable media in PKCS#12 format and importing it before use. You don't need to store the private key on the hard disk, because it is cached in memory after first use.

    So, we can export the user's EFS certificate with private key to a password-protected PKCS#12 file (open the Certificates MMC console, find the EFS certificate with Intended Purposes = Encrypting File System, right-click, All Tasks > Export) and delete it.
    Afterwards, store the PKCS#12 file on removable media, and before using EFS start the following batch file:

    @echo off
    REM Start the certificate import wizard for the PKCS#12 file on the removable media
    rundll32.exe cryptext.dll,CryptExtAddPFX %username%.pfx
    REM Make sure the 0-length test file exists
    if not exist C:\EFS mkdir C:\EFS
    if not exist C:\EFS\encrypt.txt type nul > C:\EFS\encrypt.txt
    REM Encrypt the 0-length test file so the certificate is loaded into the EFS cache
    cipher /E /A C:\EFS\encrypt.txt
    REM Decrypt the 0-length test file again; the certificate stays cached
    cipher /D /A C:\EFS\encrypt.txt
    REM Delete the user's certificates from the personal (my) store
    certmgr -del -c -all -s my

    Afterwards we can use EFS, but the certificate isn't stored on the local computer's hard disk, only in memory.

    Instead of removable media we can use any smartcard or USB token which can import and export PKCS#12 files.

    Russian-speaking readers can find more information here:
    http://www.osp.ru/win2000/2003/02/038.htm
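The same export / delete / import-on-demand / warm-the-cache / delete-again workflow as the batch file above, written as an added PowerShell example (this is not code from the original post). It assumes Windows 8 / Server 2012 or later, where the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate and the certificate provider's -DeleteKey switch exist; the PFX path on removable media and the test-file path are placeholders, and the EKU OID 1.3.6.1.4.1.311.10.3.4 is the standard identifier for "Encrypting File System". It adds one thing the batch file lacks: a check that no EFS private key is left in the personal store after the session step.

```powershell
# Added example, not part of the original post: move the EFS certificate and private key
# to a password-protected PKCS#12 file on removable media, and at the start of each
# session import it, load the key into the EFS cache, and remove it from the store again.
# Requires Windows 8 / Server 2012 or later (PKI module, certificate provider -DeleteKey).

$EfsOid   = '1.3.6.1.4.1.311.10.3.4'   # EKU "Encrypting File System"
$PfxPath  = "E:\$env:USERNAME.pfx"      # assumed location on removable media
$TestFile = 'C:\EFS\encrypt.txt'        # assumed 0-length warm-up file

function Get-EfsCertificate {
    # Certificates in the user's personal store whose EKU includes EFS and which
    # carry a private key; these are the ones that must not stay on the hard disk.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsOid }
        )
    }
}

function Export-EfsKeyToRemovableMedia {
    # One-time step: export certificate + private key to a password-protected PKCS#12
    # file, then delete the certificate AND its key container from the local machine.
    param([Parameter(Mandatory)][System.Security.SecureString]$Password)
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found in Cert:\CurrentUser\My' }
    foreach ($cert in $certs) {
        Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    }
}

function Use-EfsKeyFromRemovableMedia {
    # Per-session step: import the PFX, encrypt and decrypt a 0-length file so the key is
    # loaded into the EFS cache, then remove certificate and key container again.
    param([Parameter(Mandatory)][System.Security.SecureString]$Password)
    if (-not (Test-Path $PfxPath)) { throw "PFX not found at $PfxPath (removable media not inserted?)" }
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password
    New-Item -ItemType Directory -Path (Split-Path -Parent $TestFile) -Force | Out-Null
    if (-not (Test-Path $TestFile)) { New-Item -ItemType File -Path $TestFile | Out-Null }
    cipher.exe /E /A $TestFile | Out-Null   # first use: key is loaded into the EFS cache
    cipher.exe /D /A $TestFile | Out-Null   # leave the test file in the clear
    foreach ($cert in @($imported)) {
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    }
}

function Test-EfsKeyNotOnDisk {
    # Verification step: True when no EFS certificate with a private key remains
    # in the personal store, i.e. the key lives only in the PFX on removable media.
    return (@(Get-EfsCertificate).Count -eq 0)
}

# Usage (interactive):
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   Export-EfsKeyToRemovableMedia -Password $pw   # once
#   Use-EfsKeyFromRemovableMedia  -Password $pw   # at the start of each session
#   Test-EfsKeyNotOnDisk                          # expect True
```

Two design points differ from the batch file. Remove-Item -DeleteKey removes the key container as well as the certificate, whereas deleting only the certificate from the store can leave the private key material in the user's key container on disk. And the script only deletes the certificates it just imported (by thumbprint) rather than everything in the personal store, so other certificates the user holds are untouched. Whether a session continues to work after the deletion depends on the in-memory caching behaviour the post describes; Test-EfsKeyNotOnDisk checks the on-disk state, not that the cache is populated.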
