Re: Security of Win2k or WinXP built in EFS - continued from Meganet challenge

From: John M. Dlugosz (john_at_dlugosz.com)
Date: 09/27/03


Date: 26 Sep 2003 22:58:53 -0700


"George Ou" <2038george_ou9127@2342netzero.com2897> wrote in message news:<WTrcb.2902$6L1.538@newssvr29.news.prodigy.com>...
> No, you're missing a huge point. You can't just run some little test where
> you go in as admin and reset the user account. That assumes you know the
> admin password. If you log in as admin, of course you can reset other
> people's passwords.

True, but that was not the point of the test. I agree that knowing
the password of some admin account pretty much defeats the point of
needing to break into anything.

My point is that:
 1) the user's password was never entered, yet after changing it his
EFS still worked.
 2) the password for "the" special Administrator account was never
entered.

I conclude that the most fundamental key information present on the
disk can be accessed without knowing either of those two passwords.

Specifically, (a) no password is needed, the information is merely
hard to find but a utility could step through the disk structures and
find it; or (b) it's encrypted so that any of the passwords on any
account can unlock it, and that's updated as passwords are changed.
Obviously, b is better but I've never heard about any such system in
Windows.

Common lore is (a). That would mean that although nuking the SAM is
an easy way to get in, it is not =necessary=. Someone could write a
utility to find the information instead.

A little poking around and I found
<http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2002-02/0197.html>
. Also look up info on the syskey utility program.

(a) is indeed correct unless you configure SYSKEY to store the key on
a floppy or use a boot password. Then, the syskey key must be
presented when booting the computer or it cannot boot.

If, and only if this is done, are the EFS keys not readable by some
well-crafted boot disk.

--John

> If you nuke the SAM file, the admin password is set to
> NULL so you can log in as admin. BUT, nuking the SAM file also nukes all
> other user accounts. So there ARE NO OTHER USER accounts you can reset.
> All the other user accounts are lost unless you backed up the SAM file. The
> bottom line is, you have to crack the password by running L0pht against the
> SAM. You should have a strong password for both the Admin and your user
> accounts and if you don't, no security solution is going to protect you no
> matter how good it is. You must also delete the private key of the Admin
> after you offload it to a safe place. Domain users need not worry about
> that.
>
> This is NOT a fundamental EFS weakness. This is a deployment issue.
> Nothing will help you if you don't use strong passwords.
>
> George Ou
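The post above says that whether the on-disk key material is readable from a boot disk depends on how SYSKEY is configured: with the key kept in the registry (the default) case (a) holds; with a startup password or a floppy the key is not on the disk. The following is an added example, not part of the thread, that lets an administrator check which of those modes a machine is in. It assumes that the SecureBoot value under the Lsa registry key reflects the mode chosen with syskey.exe (1 = key stored in the registry, 2 = startup password, 3 = key on removable media); modes 2 and 3 were removed from Windows 10 starting with version 1709, so on current systems only mode 1 is expected.

```powershell
# Added example, not from the thread: report the local SYSKEY mode and
# whether, per the post's case (a), the protecting key lives on the disk.
# Assumption: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot holds the
# mode set by syskey.exe (1 = registry, 2 = startup password, 3 = floppy).
function Get-SyskeyMode {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $mode = (Get-ItemProperty -Path $lsaKey -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot

    $descriptions = @{
        1 = 'Key stored in the registry: SAM/EFS master key material is on the disk (case (a))'
        2 = 'Startup password required: the key is derived at boot and is not on the disk'
        3 = 'Key stored on removable media: the key is not on the disk'
    }

    $description = 'SecureBoot value absent or unrecognised'
    if ($null -ne $mode -and $descriptions.ContainsKey([int]$mode)) {
        $description = $descriptions[[int]$mode]
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Mode           = $mode
        Description    = $description
        KeyOnDisk      = ($mode -eq 1)   # the condition the post calls case (a)
    }
}

# Usage: run from an elevated PowerShell prompt, since the Lsa key is
# not readable by every account on all versions.
Get-SyskeyMode | Format-List
```

A KeyOnDisk value of True means the machine is in the state the post describes: the keys protecting the SAM and, through it, users' EFS private keys are present on the disk and protected only by obscurity of the disk structures, so physical control of the drive is what has to be defended, not just the passwords. The thread's other recommendation, exporting and then deleting the recovery agent's private key, is a separate step that this check does not cover.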


