Re: EFS Private Keys

From: Steven Umbach (n9zrou_at_nscomcast.com)
Date: 12/30/03


Date: Tue, 30 Dec 2003 04:14:25 GMT

Hi Drew.

Thanks a bunch for the information. I was not sure what the impact of using
syskey was on EFS in W2K, so that is good to know. Is there much of a risk in
plaintext copies of files that are created and then directly saved into an
encrypted folder [as per best practices] such as from Excel or Word, assuming the
user's temporary folder is also encrypted? Thanks -- Steve

"Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
news:eC0iaXozDHA.3468@TK2MSFTNGP11.phx.gbl...
> Steven - you pretty much covered everything, but I wanted to add a few
> comments:
>
> Resetting the password doesn't work if offline syskey is used. I believe we
> fixed that in Win2k SP1. (Yeah - hardly anyone uses syskey in password or
> floppy mode, but there is still a means of mitigation.) The one hole that
> remained was anything encrypted in machine context. It's trivial to "become
> the machine" with physical access, so anything encrypted in machine context
> is for all practical purposes still plaintext. This same exploit exists on
> XP and Windows 2003.
>
> Plaintext detritus can exist on the hard drive for files that were
> originally plaintext then converted to encrypted files. "cipher /w" does a
> good job of cleaning up the old plaintext, but be warned that it is only a
> "best effort" as is any other disk-scrubbing tool that runs from within the
> OS. Any clusters that are in use can't be scrubbed. Those clusters may
> contain some of the plaintext.
>
> Ultimately the encrypted files are as secure as a user's password. A strong
> password (or using a smartcard for logon) is important to ensure that EFS
> isn't easily cracked.
> --
> Drew Cooper [MSFT]
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:QDmHb.672951$Tr4.1688097@attbi_s03...
> > The user and recovery agent private EFS keys are stored in the associated user
> > profile and available through the mmc certificate snapin. As other posts described
> > the private keys are protected however the key to the private key is the user's
> > password, so ultimately the private key is only as secure as the user's password as
> > long as it is still on the computer. Worse yet, in W2K a user's password can be reset
> > by someone gaining administrator access or if the administrator's password could be
> > reset, and assuming it is the recovery agent on a non domain machine, then access
> > could be gained to the user/recovery agent account and hence access to the EFS
> > encrypted files. It is a very trivial process to reset the administrator's password
> > on a W2K machine with free software from the internet.
> >
> > XP Pro improved security by not requiring or creating a recovery agent by default
> > and also by not allowing access to a user's EFS private key if the password was
> > "reset" as can be done in Computer Management/local users and groups by accessing a
> > user account and resetting it where the current password does not need to be known to
> > an administrator. That may not stop someone with physical access from cracking a
> > user's password with a program such as LC 4 http://www.atstake.com/products/lc/ and
> > then gaining access to encrypted EFS files.
> >
> > To protect your EFS files when physical security can not be assured, a user needs to
> > export and delete their private EFS key and that of any recovery agent on the local
> > computer and secure them away from the computer. When that is done the EFS files are
> > secure for most intents and purposes by today's standards and XP Pro even has much
> > stronger encryption available for EFS files permanently if you don't. See
> > the links below for more info. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
> > http://is-it-true.org/nt/nt2000/atips/atips24.shtml
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;315672
> >
> >
> > "Robert" <bwooster1.nospam@yahoo.com> wrote in message
> > news:OM7pCLDzDHA.1740@TK2MSFTNGP12.phx.gbl...
> > > I understand that in W2K the FEK is protected by the user's private key.
> > > All well and good, but where is the private key stored, and how is *it*
> > > protected??? I assume it is stored on disk or in the registry someplace.
> > > Is there some super-secret OS key that is used to protect all private keys?
> > >
> > > Can anyone explain it in such a way that you don't have to be a MCSE to
> > > understand it?
> > >
> > > Thanks for any clarity.
> > >
> > > Bob
> > >
> >
> >
>
>
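As an added example, not code from anyone in this thread, the following PowerShell script for current Windows versions (it needs the PKI module, Windows 8 / Server 2012 or later) inventories the EFS user and recovery-agent certificates in the current user's store and backs a chosen one up to a password-protected PFX, which is the "export" step Steve describes before the key is removed from the machine. The destination path and the user/recovery-agent role mapping from the EKU OIDs are assumptions.

```powershell
# Added example, not part of the thread. Requires the PKI module (Windows 8 / Server 2012 or later).
$EfsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery EKU (recovery agent)

function Get-EfsCertificate {
    # Lists certificates in the current user's personal store that EFS can use,
    # and tells user keys apart from recovery-agent keys by their EKU.
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        if ($ekus -contains $EfsEku -or $ekus -contains $RecoveryEku) {
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                Role          = if ($ekus -contains $RecoveryEku) { 'RecoveryAgent' } else { 'User' }
                HasPrivateKey = $cert.HasPrivateKey   # $false means the key is already absent from this machine
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

function Export-EfsKeyBackup {
    # Exports one EFS certificate with its private key to a password-protected PFX.
    # Keep the PFX on removable media, away from the computer holding the encrypted files.
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $PfxPath        # assumed destination, e.g. E:\efs-backup.pfx
    )
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine" }
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
    Get-FileHash -Path $PfxPath -Algorithm SHA256   # record this hash with the backup so it can be verified later
}

# Usage: inventory first, then back up the user key with Export-EfsKeyBackup.
# Only after the PFX has been verified (for example by importing it on another
# machine) would the key be removed from this computer, which is the "delete" step:
#   Remove-Item "Cert:\CurrentUser\My\$Thumbprint" -DeleteKey
Get-EfsCertificate | Format-Table -AutoSize
```

Once the private key is gone from the machine, the files stay readable only to whoever can import the PFX, so the PFX password and the media it lives on become the thing to protect.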


