Hello

I have been researching EFS for about a week now...
I have to secure the information contained in our SQL2000 server, so that if someone were to manage to steal the server itself, they would be unable to access the very confidential information contained in the database.

Here are a few questions I have a hard time finding a clear answer to... Any help would be much appreciated

Assume that the machine is part of a domain, and that syskey is enabled with the passphrase option.
1) If someone steals the machine, would they be able to use hacking tools to access locally stored credentials that would let them decrypt our files?

Now let's say a user forgets their password and the domain admin resets it. I have read that all FEKs for that user are regenerated so that the user will be able to access all their encrypted files (this is possible because of a Domain Master Key or something like that).
2) If someone were to steal both the SQL Server and the domain server (that's the worst-case scenario that I need to evaluate), then use a hacking tool to reset the domain admin password (on the domain server)... would the master key still be available to that "bad evil" domain admin? If that compromised domain admin were to change the password of our SQL Server user, would the FEK be updated, thus giving the hacker access to the databases?
3) Is there any way to have that master key taken off the domain server (and stored on removable media for when we really need it)?

Thanks

Re: EFS Security question by Drew

Drew
Mon Mar 01 18:32:22 CST 2004

1) There are a series of keys stored in the user profile, one encrypting the
next. Ultimately, these are encrypted using the user SID and password.
It's easy to find a user's SID in their profile. And it is possible to
crack their password to decrypt the keys. A strong password is the best
defense.

2) A password reset will not allow an attacker to decrypt the key I
mentioned in #1.

3) You can use a roaming profile/redirected AppData and delete the local
copy of the user profile on logoff, but if the attacker reaches your machine
while the account is logged in, that won't be an option. Though I haven't
personally tried it, I believe you could also have the user profile on
removable media (something like a zip disk that can read and write). You
wouldn't be able to use that account without the media in the drive, though,
so I'm still not sure that solves your problem.

Could you describe your threat model in detail? It might be more helpful to
describe the mitigation techniques we offer against different threats.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


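Drew's answers to #1 and #2 describe a chain of keys in the profile, each wrapping the next, with the outermost link derived from the user's password and SID. As an added illustration (not code from this thread, and not Microsoft's DPAPI/EFS implementation), this Python model wraps a master key under a password-and-SID-derived key, the EFS private key under the master key, and a file's FEK under the EFS key; the SID and passwords are constructed, and the HMAC-based wrap is a stand-in for the real cipher suite.

```python
import hashlib, hmac, os

# Simplified model of the key chain Drew describes (password+SID -> master key ->
# EFS private key -> per-file FEK). HMAC-SHA256 keystream + tag stands in for DPAPI.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key: bytes, secret: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key: blob does not authenticate")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def password_key(password: str, sid: str) -> bytes:
    # Outermost link: derived from the logon password, salted with the user's SID
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), sid.encode(), 50_000)

class UserProfile:
    def __init__(self, sid: str, password: str):
        self.sid, self.enc_feks = sid, {}
        master_key, efs_key = os.urandom(32), os.urandom(32)   # efs_key stands in for the RSA key
        self.enc_master = wrap(password_key(password, sid), master_key)
        self.enc_efs_key = wrap(master_key, efs_key)
    def _efs_key(self, password: str) -> bytes:                 # walk the chain top-down
        master_key = unwrap(password_key(password, self.sid), self.enc_master)
        return unwrap(master_key, self.enc_efs_key)
    def encrypt_file(self, password: str, name: str) -> bytes:
        fek = os.urandom(32)                                    # per-file key
        self.enc_feks[name] = wrap(self._efs_key(password), fek)
        return fek
    def recover_fek(self, password: str, name: str):
        try:
            return unwrap(self._efs_key(password), self.enc_feks[name])
        except ValueError:
            return None                                         # some link failed to unwrap
    def change_password(self, old: str, new: str) -> None:
        # User-driven change re-wraps the master key under the new password. An admin reset
        # supplies no old password, so this never runs and enc_master stays under the old key.
        master_key = unwrap(password_key(old, self.sid), self.enc_master)
        self.enc_master = wrap(password_key(new, self.sid), master_key)
```

After an admin reset the new password opens the account but not the chain, which is why a reset alone does not hand an attacker the files (Drew's point #2).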



Re: EFS Security question by S

S
Tue Mar 02 05:37:38 CST 2004

In your scenario, using syskey with a startup floppy disk will reduce the risk
to a minimum - that avoids exposure of the system key and perhaps avoids the
risk of bruteforcing the SQL Server service account password. Also use
Windows Server 2003 for your database, as EFS has weaknesses in W2K. I hope
Microsoft folks will correct me if I'm wrong here.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-




Re: EFS Security question by Drew

Drew
Tue Mar 02 16:00:30 CST 2004

You're right - offline syskey will help, too.
Win2k with latest service packs/patches should have any known security bugs
fixed.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

