This was posted to ntsecurity.net by Thomas S. V. Bartlett III <Tbartlettat_private>.

____________________________________________

The following was taken from Microsoft's reply regarding our document on EFS -

----------------------------

From: Microsoft Product Security Response Team [mailto:secureat_private]
Sent: Tuesday, July 27, 1999 6:20 PM
Subject: RE: Windows 2000 Encrypting File System (EFS) Vulnerability

The problem with the attack that you outlined is that the user has to have left the recovery key on the machine in order for it to be compromised. The help files for EFS recommend that the recovery key be exported for just this reason. Administrator accounts are sometimes compromised, even if only because the admin chose a really weak password; because of the importance of the EFS recovery key, it's very important that the private key be physically separated from the machine.

In addition, your scenario uses the default recovery policy, which specifies the local administrator as the recovery agent. However, in any networked configuration, the first thing that should have been done was to change the recovery policy to make the domain administrator (or some other domain authority) the recovery agent. This is the more likely operational use of EFS -- a central domain authority having the ability to recover encrypted files that were generated by any domain user. The advantage it would have in the specific scenario you described is that the recovery agent's private key would once again not be present on the machine.

Finally, we recommend using SYSKEY to strongly protect the SAM and other security-relevant information. If this had been done, it would not have been possible to compromise the machine by simply deleting the SAM -- the attacker would have been prompted at boot time for the SYSKEY key, which (if good practices have been followed) would not be on the machine.

Secureat_private

----------------------

Thanks to all those who commented on this situation.

Thomas S. V. Bartlett III
Network Engineer
TBartlett_iiiat_private

____________________________________________

Ben Greenbaum
SecurityFocus
www.securityfocus.com
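Microsoft's reply turns on two configuration conditions: whether an EFS recovery agent's private key is still resident on the machine, and whether SYSKEY keeps its key off the box. The following PowerShell audit is an added example written for this archive page; it is not code from the original post, from Mr. Bartlett, or from Microsoft. It checks the user and machine personal certificate stores for certificates carrying the File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1) that still have a local private key, and reads the SecureBoot value under the Lsa registry key, which records the SYSKEY storage mode. The function names and the warning text are the example's own; the value-to-mode mapping (1 local, 2 password at startup, 3 removable media) is the documented SYSKEY behaviour, but treat any other value as unknown rather than assuming a meaning.

```powershell
# Added audit example (not from the original post). Run in an elevated
# PowerShell session on the machine whose EFS configuration is in question.

# "File Recovery" EKU: this is what distinguishes a recovery-agent
# certificate from an ordinary EFS user certificate.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-ResidentRecoveryAgentKey {
    # Return recovery-agent certificates whose private key is still on this
    # machine. An exported-and-removed key shows HasPrivateKey = $false and
    # therefore does not appear in the output.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                $_.HasPrivateKey -and
                ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $FileRecoveryEku })
            } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

function Get-SyskeyMode {
    # SYSKEY records its storage mode in the SecureBoot value under the Lsa key.
    # Modes 2 and 3 keep the system key off the machine, which is the practice
    # Microsoft's reply describes as "good practices".
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    switch ($lsa.SecureBoot) {
        1       { 'Local (system key stored on this machine)' }
        2       { 'Password required at startup' }
        3       { 'Key on removable media' }
        default { "Unknown or not set (value: $($lsa.SecureBoot))" }
    }
}

# Report. A resident recovery-agent key is the condition the original
# advisory depends on; export it to removable media and delete the local copy.
$resident = @(Get-ResidentRecoveryAgentKey)
if ($resident.Count -gt 0) {
    Write-Warning 'EFS recovery-agent private key(s) are present on this machine:'
    $resident | Format-Table -AutoSize
} else {
    Write-Host 'No EFS recovery-agent private key is resident in the personal stores.'
}
Write-Host "SYSKEY mode: $(Get-SyskeyMode)"
```

The check reads the certificate stores and registry only; it changes nothing. On a domain member where the recovery policy names a domain authority as recovery agent, the expected result is an empty first section, since the agent's certificate is distributed without its private key.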
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:04 PDT