Microsoft's Reply regarding EFS

From: Ben Greenbaum (bengat_private)
Date: Wed Jul 28 1999 - 18:42:07 PDT


    This was posted to ntsecurity.net by Thomas S. V. Bartlett III
    <Tbartlettat_private>.
    ____________________________________________
    
    The following was taken from Microsoft's reply regarding our document on
    EFS -
    
    
      ----------------------------
      From: Microsoft Product Security Response Team
      [mailto:secureat_private]
      Sent: Tuesday, July 27, 1999 6:20 PM
      Subject: RE: Windows 2000 Encrypting File System (EFS) Vulnerability
    
    
      The problem with the attack that you outlined is that the user has to
      have left the recovery key on the machine in order for it to be compromised.
      The help files for EFS recommend that the recovery key be exported for just
      this reason. Administrator accounts are sometimes compromised, even if only
      because the admin chose a really weak password; because of the importance
      of the EFS recovery key, it's very important that the private key be
      physically separated from the machine.
    
      In addition, your scenario uses the default recovery policy, which
      specifies the local administrator as the recovery agent. However, in any
      networked configuration, the first thing that should have been done was to change
      the recovery policy to make the domain administrator (or some other
      domain authority) the recovery agent. This is the more likely operational use
      of EFS -- a central domain authority having the ability to recover
      encrypted files that were generated by any domain user. The advantage it would
      have in the specific scenario you described is that the recovery agent's
      private key would once again not be present on the machine.
    
      Finally, we recommend using SYSKEY to strongly protect the SAM and
      other security-relevant information. If this had been done, it would not
      have been possible to compromise the machine by simply deleting the SAM --
      the attacker would have been prompted at boot time for the SYSKEY key, which
      (if good practices have been followed) would not be on the machine.
    
    
      Secureat_private
    
      ----------------------
    
      Thanks to all those who commented on this situation.
    
      Thomas S. V. Bartlett III
      Network Engineer
      TBartlett_iiiat_private
    
    
    ____________________________________________
    Ben Greenbaum
    SecurityFocus
    www.securityfocus.com
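Microsoft's reply above turns on two host-local conditions: whether an EFS recovery agent's private key is still present on the machine, and whether SYSKEY keeps its key off the disk. The following PowerShell audit is an added example, not part of the original thread, and assumes a modern Windows host, the EFS File Recovery EKU OID 1.3.6.1.4.1.311.10.3.4.1, and the documented meaning of the `SecureBoot` value under the Lsa registry key (1 = key on disk, 2 = boot password, 3 = key on removable media).

```powershell
# Added audit script (not from the original post). Assumptions: PowerShell 5+,
# the File Recovery EKU OID below, and the SecureBoot value mapping noted above.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-LocalRecoveryAgentKeys {
    # List certificates in the personal stores that carry the File Recovery
    # EKU and whose private key is present on this machine.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                $_.HasPrivateKey -and
                ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $FileRecoveryEku })
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Get-SyskeyMode {
    # Read the SYSKEY storage mode; mode 1 keeps the key on the local disk,
    # which is the case Microsoft's reply warns against.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SecureBoot -ErrorAction SilentlyContinue
    switch ($lsa.SecureBoot) {
        1       { 'key stored on the local disk (weakest)' }
        2       { 'password required at boot' }
        3       { 'key on removable media' }
        default { 'SecureBoot value not present' }
    }
}

$keys = @(Get-LocalRecoveryAgentKeys)
if ($keys.Count -gt 0) {
    Write-Warning 'EFS recovery-agent private key(s) are present on this machine; export and remove them:'
    $keys | Format-Table -AutoSize
} else {
    Write-Output 'No EFS recovery-agent private keys found in the local personal stores.'
}
Write-Output ("SYSKEY mode: " + (Get-SyskeyMode))
```

Run it elevated so the LocalMachine store and the Lsa key are readable; any listed certificate is a recovery agent whose key should live off the machine, as the reply recommends.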
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:04 PDT