
Re: looking for EFS weaknesses

From: Levinson, Karl <LevinsonK(at)STARS-SMI.com>
Date: Fri Jun 27 2003 - 15:02:00 EDT


Do note that AFAIK, resetting the local Administrator password only defeats EFS in Windows 2000 if the machine is not joined to a Windows 2000 domain. I believe that machines that are part of a Windows 2000 domain do not have this vulnerability. Using SYSKEY to change the Windows boot options can help lessen the risk that someone can reset the Administrator password and thus start to make EFS more secure [though the other options require entering a password or using a floppy at every bootup, both of which might be annoying to some users].

There are a number of things you want to do if you want EFS to be secure. Most of these are published at Microsoft.com. One notable thing to do is to always export and keep a backup copy of the user keys in a secure place so that a hard drive crash or Windows crash does not make all the files unusable garbage.

The site below has links to a wide variety of articles on EFS, including Microsoft guides to securely implementing EFS and third party sites pointing out EFS weaknesses. I highly recommend reading these articles before implementing EFS:

http://securityadmin.info/faq.htm#efs

Another thing to consider is that EFS is only intended to encrypt data files, not system or Windows files. In some environments, it may be preferable to use a third party solution that encrypts the entire hard drive, since some system files can contain potentially sensitive data. A short list of other encryption programs you might consider is here:

http://securityadmin.info/faq.htm#encryption

Here's another link relating to EFS vulnerabilities:

http://www.beginningtoseethelight.org/efsrecovery/


HTH, kind regards,

- karl

-----Original Message-----
From: Tom Bowers [mailto:bowerst@wyeth.com]
Sent: Friday, June 27, 2003 9:20 AM
To: Ryan Smith; forensics@securityfocus.com
Subject: [despammed] Re: looking for EFS weaknesses

The weaknesses of W2K EFS are as follows:

  1. The default recovery agent for encrypted files is the W2K Administrator account. Therefore if you can compromise the Administrator account and log in as the same you have access to ALL encrypted files. This compromise is very easily accomplished with Peter Nordahl's Linux boot disk. It can be found at:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Jun 30 07:35:20 2003
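Two practical points come up in the thread above: back up the user's EFS key so a crash does not turn the files into garbage, and know which recovery agents (by default, Administrator on Windows 2000) can open a given encrypted file. The following PowerShell script is an added example, not part of either message, and shows the modern way to do both. It assumes a current Windows PowerShell session with the PKI module (for Export-PfxCertificate) and cipher.exe; the backup directory name is an assumption, and on Windows 2000 itself the export would have been done through the Certificates MMC snap-in instead.

```powershell
# Added example (not from the original post): back up the current user's EFS
# certificate and private key to a password-protected PFX, then show which
# certificates and recovery agents can decrypt a given encrypted file.
# Assumes Windows PowerShell with the PKI module and cipher.exe available.

param(
    # Assumed backup location; move the PFX off the machine afterwards.
    [string]$BackupDir = "$env:USERPROFILE\efs-key-backup",
    # Optional path of an EFS-encrypted file to inspect with cipher /c.
    [string]$CheckFile = $null
)

# Object identifier of the "Encrypting File System" enhanced key usage.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

# Certificates in the user's personal store that carry the EFS EKU and a private key.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key found in Cert:\CurrentUser\My.'
} else {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # The PFX is only as safe as this password; keep both away from the encrypted data.
    $pfxPassword = Read-Host -Prompt 'Password for the PFX backup' -AsSecureString
    foreach ($cert in $efsCerts) {
        $out = Join-Path $BackupDir ("efs-{0}.pfx" -f $cert.Thumbprint)
        Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword | Out-Null
        Write-Output ("Exported {0} (expires {1}) to {2}" -f $cert.Subject, $cert.NotAfter, $out)
    }
}

# cipher /c lists the user certificates and the recovery certificates that can open the file,
# which is how you confirm who the recovery agent actually is.
if ($CheckFile) {
    cipher.exe /c $CheckFile
}
```

Run it as the user who owns the encrypted files, e.g. `.\efs-backup.ps1 -CheckFile C:\data\secret.doc`. The built-in `cipher /x` does the export step by itself on XP SP2 and later; the script above is preferable only when you want to filter by EKU or script the backup across several accounts. Whatever you export, the PFX belongs on removable media in a safe, not on the same disk as the encrypted data.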

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

