
RE: looking for EFS weaknesses

From: Netprouk Services <Netprouk(at)netprouk.com>
Date: Fri Jun 27 2003 - 17:44:34 EDT


Hi All,

Any EFS data can be recovered using the following method even if the original encryption key is deleted.

  1. Boot the machine that holds the EFS encrypted data into safe mode
  2. Log on to the machine as the local admin
  3. Take ownership of the EFS Data
  4. Replace the encryption key with the local admin encryption key
  5. Reboot the machine and log on as the local admin
  6. You can now access the EFS data

As there are a few ways to change the local admin password without knowing the original password, I think it can be said that, in instances where a person has physical access to the machine, any EFS data held on the physical machine must be classed as vulnerable.

Regards

  Jason Normanton

Jason Normanton

Senior Consultant (Directory Services)

Netprouk


http://www.NetProUK.Com

Jason@Netprouk.com

-----Original Message-----
From: Roger A. Grimes [mailto:rogerg@cox.net]
Sent: 27 June 2003 14:15
To: Ryan Smith; forensics@securityfocus.com

Randy, I believe the first problem you mention was fixed long ago in a service pack. It does not store a plaintext copy on the hard drive anymore.

The only problem I know about it is that on XP computers not belonging to a domain, the user's password is tied to the keys, so that if the user's password is changed or lost, the file will become unrecoverable to even the recovery agent.

Roger



*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg@cox.net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*
http://www.oreilly.com/catalog/malmobcode
*****************************************************************************************

----- Original Message -----
From: "Ryan Smith" <ryansmith@mail.utexas.edu>
To: <forensics@securityfocus.com>
Sent: Thursday, June 26, 2003 11:53 AM
Subject: looking for EFS weaknesses

>
>
> After some research, I am considering rolling out an encryption solution



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Jun 30 07:39:41 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT
