Re: Win2k3 Web Edition - Usage of EFS

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 01/28/04


Date: Tue, 27 Jan 2004 15:04:57 -0800

Like Torgeir says, that same tool (among other attacks) can make someone
with physical access an administrator. A parallel install will also allow
an attacker to bypass any NTFS ACLs. As would many other tools that can
raw-read the volume.

As long as only IUSR_name accesses the files in that folder, encrypting as
IUSR_name will work. And the data will be unreadable even to an attacker
with physical access.

If you use EFS, *please* back up those users' encryption certificates (and
private keys) and lock them in a safe or something. It may be a good idea
to use an EFS recovery agent, too. Data loss is the number one complaint
about EFS: customers reinstall the OS but don't back up key material first,
then they can't decrypt their old files.

And you're not being paranoid - you're just concerned about security.
That's probably why the bosses pay you. :-)

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"RoChess" <anonymous@discussions.microsoft.com> wrote in message
news:159012F2-C442-4C76-A119-49F7DB235096@microsoft.com...
> IIS runs as a service indeed, I assume in localsystem context. I did alter
> the default IIS permission scheme to add more protection. Each website has
> its own IUSR_name account that only gives them NTFS access to their own
> folder with IIS having anonymous access set for that account on each
> website.
>
> So you think that if I log in with each of those IUSR_name accounts and
> EFS their own folders, that it would work?
>
> And you bring up another good point I've never got a good answer on. How
> does physical access alone give somebody else the means to become
> administrator? Back in the days on NT4 I used a util to gain admin access
> at a client who lost the password, but isn't that all secured now?
>
> The only method that I thought was still open was if a person would
> reinstall the OS or use another NTFS-compatible OS to read the data disc.
> For that method I thought EFS would be the solution.
>
> I guess I'm over-paranoid, but the server will eventually store a lot of
> sensitive information, such as credit cards, etc., so I've been setting this
> server up as securely as I can. The server itself will be at a data center
> with 24/7 armed guards, so I don't have to worry too much about the physical
> aspect, but still I've always wanted to know the correct answer.
>
> So maybe you know :)
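Drew's three-step advice above (encrypt the folder while logged on as the site's IUSR account, back up that account's EFS certificate with its private key, and create a recovery agent), written out as an added PowerShell example that is not part of the thread. The folder path, account name and backup location are assumed; the certificate export step assumes the PKI module of Windows 8/Server 2012 or later (on Server 2003 that step is done in certmgr.msc), and the recovery-agent step is meant to be run separately as an administrator.

```powershell
# Added example, not from the newsgroup thread. Assumed names: D:\Sites\site1,
# the IUSR_site1 logon that runs this, and C:\EFS-Backup as a staging folder
# that is moved off the machine (onto removable media, into the safe) afterwards.
$SiteFolder = 'D:\Sites\site1'
$BackupDir  = 'C:\EFS-Backup'
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

# 1. Encrypt the folder tree for the *current* user. Run this logged on as the
#    IUSR_name account itself so the files are keyed to that account only.
cipher.exe /e "/s:$SiteFolder"

# 2. Verify nothing was left in cleartext (files that are already open, system
#    files, etc. can be skipped by cipher without a hard failure).
$clear = Get-ChildItem -Path $SiteFolder -Recurse -File |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
$clear | ForEach-Object { Write-Warning "Not encrypted: $($_.FullName)" }

# 3. Back up this account's EFS certificate together with its private key.
#    Without this .pfx, an OS reinstall makes the data unrecoverable.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate found; encrypt a file first so Windows issues one.' }
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$BackupDir\$env:USERNAME-efs.pfx" -Password $pw | Out-Null

# 4. Recovery agent (run once, as an administrator, not as IUSR): generates
#    efs-recovery-agent.cer and .pfx. Import the .cer into the EFS recovery
#    policy; the .pfx goes into the safe with the user key backups.
cipher.exe /r:"$BackupDir\efs-recovery-agent"
```

Files encrypted before the recovery agent is added to policy only pick it up when they are next touched; `cipher /u` re-applies the current policy to existing encrypted files.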

