RE: Protecting sensitive files on a Windows file server



Indeed, the most common failure of EFS I've seen involves using it
on a standalone machine, where an O/S reinstall has wiped out both
the original and the recovery keys. The recovery key needs to be
somewhere off of the original machine -- such as held by your AD
infrastructure.

David Gillett
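
The point above about keeping recovery material off the original machine, shown as an added example that is not part of the original thread: a PowerShell script that exports the current user's EFS and file-recovery certificates, with their private keys, to storage outside the system volume. It assumes a current Windows release with the PKI module (`Export-PfxCertificate`); the `E:\efs-key-backup` target is a hypothetical path.

```powershell
# Added example (not from the thread). Assumes the PKI module is available.
param(
    # Hypothetical target: removable media or a share, never the system disk.
    [string]$BackupDir = 'E:\efs-key-backup'
)

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System EKU
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (recovery agent) EKU

# Refuse to "back up" onto the volume an O/S reinstall would wipe.
$backupRoot = [System.IO.Path]::GetPathRoot($BackupDir)
if ($backupRoot -eq [System.IO.Path]::GetPathRoot($env:SystemRoot)) {
    throw "Backup target $BackupDir is on the system volume; choose off-machine storage."
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Certificates in the user's store that carry the EFS or File Recovery usage.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $oids = $_.EnhancedKeyUsageList.ObjectId
    ($oids -contains $EfsOid) -or ($oids -contains $RecoveryOid)
}
if (-not $certs) {
    Write-Warning 'No EFS or recovery certificates found for this user.'
    return
}

$password = Read-Host -AsSecureString 'Password to protect the exported PFX files'

foreach ($cert in $certs) {
    # A certificate without its private key cannot decrypt anything.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): no private key in this store; nothing to back up."
        continue
    }
    $target = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
    try {
        # Fails (and is reported) when the key is marked non-exportable.
        Export-PfxCertificate -Cert $cert -FilePath $target -Password $password -ErrorAction Stop | Out-Null
        Write-Output "Exported $($cert.Thumbprint), expires $($cert.NotAfter.ToString('yyyy-MM-dd')), to $target"
    } catch {
        Write-Warning "$($cert.Thumbprint): export failed ($($_.Exception.Message))"
    }
}
```

On systems without the PKI module, the built-in `cipher /x` command backs up the current user's EFS certificate and key to a file in the same way.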


-----Original Message-----
From: Roger A. Grimes [mailto:roger@xxxxxxxxxxxxxx]
Sent: Wednesday, June 21, 2006 12:28 PM
To: Tyler, Grayling; paul.johnson8@xxxxxxxxx; security basics
Subject: RE: Protecting sensitive files on a Windows file server

Grayling,

I thoroughly disagree with you about the recovery key issue.
Recovery keys aren't a problem. You have to have backup keys
in case the original keys are lost. No one should implement
any encryption strategy without first deploying a reliable
key archival/recovery solution.

It takes an admin password or to be logged in as the normal
user to recover EFS-protected files. If I can do either of
those two things, I don't care what your encryption program
is, it's game over. I can just retrieve your keys, install a
keylogging trojan to capture your passphrase protecting your
keys, or just grab the files when the original user views them.

The problem isn't key recovery, it's other operational
issues. For instance, EFS only works on NTFS partitions.
That's a major problem for an enterprise-wide encryption
platform, which is trying to protect data on non-NTFS media
(e.g. USB keys, CD-ROMs, DVDs, etc.)

Roger

-----Original Message-----
From: Tyler, Grayling [mailto:ggtyler@xxxxxxxxxxxx]
Sent: Wednesday, June 21, 2006 2:49 PM
To: Roger A. Grimes; paul.johnson8@xxxxxxxxx; security basics
Subject: RE: Protecting sensitive files on a Windows file server

I agree that using the password protection from within
Outlook isn't especially secure (using the file encryption is
better though). EFS isn't much better because of the
recovery keys. If all you're doing is keeping the honest
people honest then either would likely suffice.

If it's honest-to-goodness sensitive material that you want to
protect from not so honest people then use the RSA with token or PGP.




-----Original Message-----
From: Roger A. Grimes [mailto:roger@xxxxxxxxxxxxxx]
Sent: Tuesday, June 20, 2006 9:01 PM
To: paul.johnson8@xxxxxxxxx; security basics
Subject: RE: Protecting sensitive files on a Windows file server

-See replies below.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



-----Original Message-----
From: paul.johnson8@xxxxxxxxx [mailto:paul.johnson8@xxxxxxxxx]
Sent: Tuesday, June 20, 2006 7:54 PM
To: Roger A. Grimes; security basics
Subject: Re: Protecting sensitive files on a Windows file server

We discovered with Office 2003, using the default Office
97/2000 compatible encryption type to protect the files, it
is possible to recover the passwords/data using software such
as Elcomsoft Password recovery (which can also break EFS) and
online password/data recovery services no matter how long the
password or complexity in under 5 mins.

-It's worse than that. Office passwords can always be removed (set to
blank) because the password is stored in a known and editable
location.

-Elcomsoft does not "crack" EFS private keys. It breaks the
Administrator account password (or uses the logon Administrator
credentials) to programmatically gain access to the otherwise
protected EFS private key. If the intruder breaks your Admin
password or is able to get logged on as Administrator, it's
always game over...and cracking EFS keys is only one of your problems.

How are others protecting this information in their place of work?

-Most aren't. Just read the papers. Of those that are, most
are using EFS (again most users aren't), PGP, RSA, or some
other commercial solutions. There are dozens of commercial
encryption solutions, and kudos to you for looking into this.


On 21/06/06, Roger A. Grimes <roger@xxxxxxxxxxxxxx> wrote:
There are many great commercial solutions, like PGP Desktop, but EFS
is free and works well if you handle key archival seriously.

EFS works well, but it is not as eloquent as many of the other
solutions (don't forget TrueCrypt for a free solution). For example,
EFS only encrypts data while it's stored on the hard drive, but the
data is decrypted (using EFS alone) when copied across the network or
down to other media. PGP Desktop, with NetShare, allows the files and
keys to be managed easier and to remain encrypted wherever they
ended up (i.e. USB key, CD-ROM, etc.); and with a single encryption key.

Office 2003 encryption isn't good encryption; easy to bypass.
Winzip leaves unencrypted recoverable temp files.

Just my one-half cent. I haven't tried the RSA solution.

Roger




-----Original Message-----
From: paul.johnson8@xxxxxxxxx [mailto:paul.johnson8@xxxxxxxxx]
Sent: Monday, June 19, 2006 7:39 PM
To: security basics
Subject: Protecting sensitive files on a Windows file server

We are looking for a secure way to store very sensitive files on our
Windows servers. The data is shared. We will turn on full auditing,
create hidden shares and a security group.

Which type of protection would be most suitable:

Office 2003 encryption
Windows EFS
Winzip 9.x encrypted archives
RSA SecurID Windows Agent (2 factor authentication)
PGP Desktop Pro

Our concern with the Windows/Office encryption types is that it could
be cracked - i.e. someone could get hold of the file and run some kind
of password recovery on the file and access the data.

Any ideas on how to approach this would be much appreciated.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



