Do note that AFAIK, resetting the local Administrator password only defeats EFS in Windows 2000 if the machine is not joined to a Windows 2000 domain. I believe that machines that are part of a Windows 2000 domain do not have this vulnerability. Using SYSKEY to change the Windows boot options can help lessen the risk that someone can reset the Administrator password and thus start to make EFS more secure [though the other options require entering a password or using a floppy at every bootup, both of which might be annoying to some users].

There are a number of things you want to do if you want EFS to be secure. Most of these are published at Microsoft.com. One notable thing to do is to always export and keep a backup copy of the user keys in a secure place so that a hard drive crash or Windows crash does not make all the files unusable garbage.

The site below has links to a wide variety of articles on EFS, including Microsoft guides to securely implementing EFS and third-party sites pointing out EFS weaknesses. I highly recommend reading these articles before implementing EFS:

http://securityadmin.info/faq.htm#efs

Another thing to consider is that EFS is only intended to encrypt data files, not system or Windows files. In some environments, it may be preferable to use a third-party solution that encrypts the entire hard drive, since some system files can contain potentially sensitive data. A short list of some other encryption programs you might consider is here:

http://securityadmin.info/faq.htm#encryption

Here's another link relating to EFS vulnerabilities:

http://www.beginningtoseethelight.org/efsrecovery/

HTH

kind regards,
- karl

-----Original Message-----
From: Tom Bowers [mailto:bowerstat_private]
Sent: Friday, June 27, 2003 9:20 AM
To: Ryan Smith; forensicsat_private
Subject: [despammed] Re: looking for EFS weaknesses

The weaknesses of W2K EFS are as follows:

1. The default recovery agent for encrypted files is the W2K Administrator account. Therefore if you can compromise the Administrator account and log in as the same you have access to ALL encrypted files. This compromise is very easily accomplished with Peter Nordahl's Linux boot disk. It can be found at:

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
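As an added example (editor's addition, not part of either message above): the two things the thread turns on, who the recovery agent for a file actually is and whether the user's EFS key has been backed up, as they would be checked and fixed from a Windows command prompt today. It assumes a cipher.exe from Windows Vista / Server 2008 or later, which has the /c, /x and /r switches; Windows 2000's cipher.exe does not, so on that platform the key export is done through the Certificates MMC snap-in instead. The file path and backup folder are placeholders.

```batch
@echo off
REM Editor's added example, not code from the original posts.
REM Assumes Windows Vista / Server 2008 or later: cipher.exe /c, /x and /r
REM are not present on Windows 2000. Run as the user whose EFS key is being
REM backed up; step 3 needs an administrative prompt.

setlocal
REM Placeholder locations (assumptions for the example).
set BACKUP=%USERPROFILE%\efs-backup
set SAMPLE=%USERPROFILE%\Documents\secret.txt
if not exist "%BACKUP%" mkdir "%BACKUP%"

REM 1. Who can decrypt this file? cipher /c lists the user certificates and the
REM    "Recovery Certificates" for the file. A default Administrator data
REM    recovery agent shows up in that second section; that is the account the
REM    Nordahl boot disk attack goes after.
cipher /c "%SAMPLE%"

REM 2. Back up the current user's EFS certificate and private key to a PFX.
REM    cipher prompts for a password that protects the PFX. Move the resulting
REM    my-efs-key.pfx off the machine (removable media, sealed envelope) so a
REM    disk or OS crash does not leave every encrypted file unreadable.
cipher /x "%BACKUP%\my-efs-key"

REM 3. Create a dedicated recovery agent certificate and key instead of relying
REM    on the built-in Administrator account's key. This writes
REM    efs-recovery-agent.cer (public certificate) and efs-recovery-agent.pfx
REM    (private key). Import the .cer as a Data Recovery Agent in
REM    Group Policy (Public Key Policies > Encrypting File System) and keep the
REM    .pfx offline; do not leave it on a machine whose local SAM can be reset.
cipher /r:"%BACKUP%\efs-recovery-agent"

REM 4. Once the recovery agent policy has changed, touch every encrypted file on
REM    the local drives so each one is re-stamped with the new recovery
REM    certificate; otherwise old files still carry the old agent's key.
cipher /u

endlocal
```

The order matters: export the user key (step 2) before changing anything, and run step 4 only after the new agent is in policy, since cipher /u re-encrypts the per-file keys against whatever agents are current at that moment.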
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 04:21:22 PDT