The weaknesses of W2K EFS are as follows:

1. The default recovery agent for encrypted files is the W2K Administrator account. Therefore, if you can compromise the Administrator account and log in as the same, you have access to ALL encrypted files. This compromise is very easily accomplished with Peter Nordahl's Linux boot disk. It can be found at: http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

2. Elcomsoft has developed a tool that locates and attempts to break/interpret the private keys being used for EFS in a GUI-based tool. It can be found at: http://www.elcomsoft.com/aefsdr.html

3. Yes, both of these solutions require physical access to the affected PC, but if we assume a stolen laptop with company proprietary data on it...

When we architected W2K for Wyeth we had high hopes for EFS. They were soon dashed because of the weaknesses listed above and in your email. EFS in XP does not share these weaknesses due to a change in how they handle their key pairs.

Respectfully,

Tom Bowers, CISSP
Wyeth Pharmaceuticals
Lead Desktop & Firewall Engineer

>>> Ryan Smith <ryansmithat_private> 6/26/2003 11:53:30 AM >>>

After some research, I am considering rolling out an encryption solution based on win2k EFS. I know of one weakness: encrypting a file that already exists will leave behind an insecurely deleted plaintext file. This means anyone with any decent forensics tool could bypass the OS and easily read it directly off the hard drive. It also transfers files insecurely across the network. SSL should solve for that.

Does anyone know of any other major weaknesses in the EFS encryption, certificate handling, etc.? For this group I'm particularly looking for areas of the hard drive that may contain hidden plaintext copies of normally encrypted documents.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
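The insecure-delete problem Ryan raises (encrypting an existing file leaves its plaintext in unallocated space, where a forensics tool reading the raw disk finds it) is easy to show with a toy block device. The Python below is an added illustration, not code from this thread, from Microsoft or from Elcomsoft: the 16-byte "cluster", the FAT-style free list, the SHA-256 XOR stream cipher standing in for the file encryption key, and the sample file contents are all constructed, and nothing here reproduces EFS's real on-disk format. It contrasts a plain delete of the old plaintext with an overwriting delete, and with a free-space wipe afterwards (the effect of Windows' `cipher /w` on a real volume).

```python
"""Toy block-device model of the plaintext-residue problem: encrypting an
existing file writes the ciphertext to new blocks and deletes the old file,
so the plaintext survives in unallocated space until something overwrites it.
Constructed example; stdlib only, nothing here is EFS's real on-disk format."""
import hashlib
import os

BLOCK = 16  # toy cluster size (constructed; NTFS defaults to 4 KiB)


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256; a stand-in for the real file cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class ToyDisk:
    """Flat block device with a FAT-style free list; 'files' is the directory."""

    def __init__(self, nblocks: int):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.free = list(range(nblocks))
        self.files = {}  # name -> (size, [block numbers])

    def write(self, name: str, data: bytes) -> None:
        need = max(1, -(-len(data) // BLOCK))  # ceiling division
        blocks = [self.free.pop(0) for _ in range(need)]  # lowest free block first
        for i, b in enumerate(blocks):
            self.blocks[b] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
        self.files[name] = (len(data), blocks)

    def read(self, name: str) -> bytes:
        size, blocks = self.files[name]
        return b"".join(self.blocks[b] for b in blocks)[:size]

    def delete(self, name: str, wipe: bool = False) -> None:
        """An ordinary delete only returns blocks to the free list; wipe=True overwrites first."""
        _, blocks = self.files.pop(name)
        for b in blocks:
            if wipe:
                self.blocks[b] = bytes(BLOCK)
            self.free.append(b)

    def rename(self, old: str, new: str) -> None:
        self.files[new] = self.files.pop(old)

    def wipe_free_space(self) -> None:
        """What a free-space wipe (e.g. `cipher /w`) does: overwrite every unallocated block."""
        for b in self.free:
            self.blocks[b] = bytes(BLOCK)

    def carve(self, marker: bytes) -> bool:
        """What a forensics tool does: ignore the directory, read raw unallocated blocks."""
        owned = {b for _, bl in self.files.values() for b in bl}
        raw = b"".join(self.blocks[b] for b in range(len(self.blocks)) if b not in owned)
        return marker in raw


def encrypt_in_place(disk: ToyDisk, name: str, fek: bytes, wipe_old: bool = False) -> None:
    """Model of turning on encryption for a file that already exists: ciphertext goes to
    fresh blocks, then the plaintext file is deleted (insecurely unless wipe_old)."""
    plaintext = disk.read(name)
    disk.write(name + ".tmp", xor_crypt(fek, plaintext))
    disk.delete(name, wipe=wipe_old)
    disk.rename(name + ".tmp", name)


SECRET = b"PROPRIETARY formula X-17: 3 parts foo, 1 part bar"  # constructed sample content


def scenario(wipe_old: bool, wipe_free_after: bool = False) -> dict:
    """Encrypt an existing file, then ask whether it still decrypts and whether
    raw carving of unallocated space still finds the plaintext marker."""
    disk = ToyDisk(64)
    disk.write("formula.txt", SECRET)
    fek = os.urandom(32)
    encrypt_in_place(disk, "formula.txt", fek, wipe_old)
    if wipe_free_after:
        disk.wipe_free_space()
    return {
        "decrypts": xor_crypt(fek, disk.read("formula.txt")) == SECRET,
        "plaintext_in_free_space": disk.carve(b"PROPRIETARY"),
    }


if __name__ == "__main__":
    print("encrypt existing file, plain delete :", scenario(False))
    print("encrypt existing file, wiped delete :", scenario(True))
    print("plain delete, then free-space wipe  :", scenario(False, wipe_free_after=True))
```

The first scenario is the case Ryan describes: the encrypted file reads back fine through the filesystem, yet `carve()` still finds "PROPRIETARY" because the old blocks were only returned to the free list. The other two show the two remedies a practitioner has: overwrite the plaintext at delete time, or wipe unallocated space afterwards. Either way, the safer deployment is to create sensitive files inside an already-encrypted folder so no plaintext copy is ever written.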
This archive was generated by hypermail 2b30 : Fri Jun 27 2003 - 06:25:20 PDT