Re: EFS Private Keys

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 12/30/03

  • Next message: Steven Umbach: "Re: EFS Private Keys" 
    Date: Mon, 29 Dec 2003 19:34:31 -0800

    Steven - you pretty much covered everything, but I wanted to add a few
    comments:

    Resetting the password doesn't work if offline syskey is used. I believe we
    fixed that in Win2k SP1. (Yeah - hardly anyone uses syskey in password or
    floppy mode, but there is still a means of mitigation.) The one hole that
    remained was anything encrypted in machine context. It's trivial to "become
    the machine" with physical access, so anything encrypted in machine context
    is for all practical purposes still plaintext. This same exploit exists on
    XP and Windows 2003.

    Plaintext detritus can exist on the hard drive for files that were
    originally plaintext then converted to encrypted files. "cipher /w" does a
    good job of cleaning up the old plaintext, but be warned that it is only a
    "best effort" as is any other disk-scrubbing tool that runs from within the
    OS. Any clusters that are in use can't be scrubbed. Those clusters may
    contain some of the plaintext.

    Ultimately the encrypted files are as secure as a user's password. A strong
    password (or using a smartcard for logon) is important to ensure that EFS
    isn't easily cracked. 

    -- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:QDmHb.672951$Tr4.1688097@attbi_s03...
> The user and recovery agent private EFS keys are stored in the associated
user
> profile and available through the mmc certificate snapin. As other posts
described
> the private keys are protected however the key to the private key is the
user's
> password, so ultimately the private key is only as secure as the user's
password as
> long as it is still on the computer. Worse yet, in W2K a users password
can be reset
> by someone gaining administrator access or if the administrator's password
could be
> reset , and assuming it is the recovery agent on a non domain machine,
then access
> could be gained to the user/recovery agent account and hence access to the
EFS
> encrypted files. It is a very trivial process to reset the administrator's
password
> on a W2K machine with free software from the internet.
>
> XP Pro, improved security by not requiring or creating a recovery agent by
default
> and also by not allowing access to a user's EFS private key if the
password was
> "reset" as can be done in Computer Management/local users and groups by
accessing a
> user account and resetting it where the current password does not need to
be known to
> an administrator. That may not stop someone with physical access from
cracking a
> user's password with a program such as LC 4
http://www.atstake.com/products/lc/  and
> then gaining access to encrypted EFS files.
>
> To protect your EFS files when physical security can not be assured, a
user needs to
> export and delete their private EFS key and that of any recovery agent on
the local
> computer and secure them away from the computer. When that is done the EFS
files are
> secure for most intents and purposes by today's standards and XP pro even
has much
> stronger encryption available for EFSfiles permanently if you don't. See
> the links below for more info.  --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
> http://is-it-true.org/nt/nt2000/atips/atips24.shtml
> http://support.microsoft.com/default.aspx?scid=kb;en-us;315672
>
>
> "Robert" <bwooster1.nospam@yahoo.com> wrote in message
> news:OM7pCLDzDHA.1740@TK2MSFTNGP12.phx.gbl...
> > I understand that in W2K the FEK is protected by the user's private key.
> > All well and good, but where is the private key stored, and how is *it*
> > protected???  I assume it is stored on disk or in the registry
someplace.
> > Is there some super-secret OS key that is used to protect all private
keys?
> >
> > Can anyone explain it in such a way that you don't have to be a MCSE to
> > understand it?
> >
> > Thanks for any clarity.
> >
> > Bob
> >
> >
> >
> >
> >
> >
> >
>
>
  • Next message: Steven Umbach: "Re: EFS Private Keys"

    Relevant Pages

    • Re: Corrupted Admin Profile
      ... > My view on EFS: ... > Do not to use encryption unless you are in a domain and you know ... as well not having created a Recovery Agent (with backup of the ... > Q241201 How to Back Up Your Encrypting File System Private Key ...
      (microsoft.public.windowsxp.security_admin)
    • Re: EFS Private Keys
      ... It's possible to have a cluster that was in use that couldn't be wiped. ... > syskey was to EFS in W2K, ... >>> the private keys are protected however the key to the private key is ... >>> stronger encryption available for EFSfiles permanently if you don't. ...
      (microsoft.public.win2000.security)
    • Re: Corrupted Admin Profile
      ... > My view on EFS: ... > Do not to use encryption unless you are in a domain and you know ... as well not having created a Recovery Agent (with backup of the ... > Q241201 How to Back Up Your Encrypting File System Private Key ...
      (microsoft.public.windowsxp.security_admin)
    • Re: efs and "encryption" overall... help?
      ... What I referred to was that the only way to make totally sure that the EFS ... encrypted files are safe is to export/delete the certificate and private key ... require the user to enter the password used to protect the private key. ... >> uses much stronger encryption to encrypt EFS files, ...
      (microsoft.public.windows.server.networking)
    • Re: Does W2K hold users email, EFS etc private key securely ?
      ... the location of private keys doesn't depend on how the Encrypted Data ... the file encryption key is not the public key. ... It is the FEK that is encrypted using the user's EFS public key, ... protect your EFS keys by limiting the success of password guessing or theft. ...
      (Focus-Microsoft)