Re: Attacking EFS through cached domain logon credentials
From: Todd Sabin <tsabin(at)razor.bindview.com>
Date: Fri Jan 24 2003 - 15:56:32 EST

"John Howie" <JHowie@securitytoolkit.com> writes:

I agree there's no bug here, if that's what you mean. Whether this is a 'weakness', risk, vulnerability, or whatever is mainly semantics. Let's just say it's a property of EFS that its encryption is no stronger than the user's password in the scenario I outlined.

The underlying point is that many organizations probably have password policies (complexity requirements and maximum password age) designed in part to mitigate the risk of the passwords being cracked before they expire (and become useless). Often, maximum age is in the ballpark of 45 days. The problem is that if someone has obtained a stolen laptop as I described, the user's password doesn't become useless when it expires unless the information in the files encrypted with EFS also becomes useless.

If you want to encrypt information that has long term value, you probably need to either seriously reevaluate your password complexity requirements, put smart cards or some other hardware into the mix (as you mentioned), or use something other than EFS.

--
Todd Sabin

Received on Fri Jan 24 17:22:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:26 EDT
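The property Todd describes (a file key protected by a key derived from the user's password, so that a password expiring on the domain does nothing to a disk the domain no longer controls) can be modelled in a few lines. The following is an added illustration, not code from the thread and not Windows' actual EFS/DPAPI key hierarchy: the PBKDF2 parameters, the XOR wrapping, the function names and the 1e9 guesses/second rate are all assumptions chosen to make the point concrete.

```python
import hashlib
import secrets

# Constructed toy model of the dependency chain discussed in the message:
# a per-file key is wrapped under a key derived from the user's password,
# and the wrapped blob lives on the laptop's disk. Illustration only; this is
# not Windows' EFS/DPAPI design, and all parameters below are assumed.


def derive_wrapping_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Password -> 32-byte wrapping key (PBKDF2-HMAC-SHA256, assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect_file_key(file_key: bytes, password: str) -> dict:
    """Wrap a 32-byte file key under the password-derived key; this blob sits on disk."""
    if len(file_key) != 32:
        raise ValueError("file_key must be 32 bytes")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped": _xor(file_key, derive_wrapping_key(password, salt))}


def unwrap_file_key(blob: dict, password: str) -> bytes:
    """Whoever holds the disk plus the matching password recovers the file key."""
    return _xor(blob["wrapped"], derive_wrapping_key(password, blob["salt"]))


def stolen_laptop_scenario(file_key: bytes, password_at_theft: str) -> bool:
    """Model the message's point: after the laptop is gone, the domain expiring or
    changing the password cannot rewrite the blob on that disk, so the password
    in force at the time of theft still opens it. Returns True if it still does."""
    disk_blob = protect_file_key(file_key, password_at_theft)
    # Simulated domain-side expiry: the account gets a new password, but the
    # offline disk is untouched, so there is nothing here to re-wrap.
    _new_domain_password = "Spring2003!"  # constructed; never reaches the laptop
    return unwrap_file_key(disk_blob, password_at_theft) == file_key


def offline_guess_budget_days(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Days needed to exhaust a password space offline. The defender compares this
    against the useful life of the encrypted data, not against the maximum
    password age, because expiry does not help once the disk is stolen."""
    return (charset_size ** length) / guesses_per_second / 86400


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("old password still unwraps after 'expiry':", stolen_laptop_scenario(key, "Winter2003!"))
    # 62^8 at an assumed 1e9 guesses/s comes to about 2.5 days, far short of a 45-day age
    print("days to exhaust 8-char alphanumeric at 1e9/s: %.2f"
          % offline_guess_budget_days(62, 8, 1e9))
```

The useful comparison is the last line: the password policy's maximum age bounds how long a *live* account is exposed, while `offline_guess_budget_days` bounds how long the *data* stays safe on a stolen disk. When the second number is smaller than the data's lifetime, the fixes are the ones the message lists: stronger passwords, hardware-backed keys, or a different encryption mechanism.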