This is a newbie laptop EFS question. So please bear with me.

EFS is seemingly weak from what I know and am experiencing. The DRA
component is excellent since the priv key can be exported and only
imported as needed; thereby making the DRA pub key on a laptop useless.

When encrypting a file, a pub/priv key pair is automatically created
within my user profile and used/needed for encrypt/decrypt respectively.
Logging on as admin is not enough to read the data if encrypted with
my Sammy account. To decrypt the Sammy-encrypted data, one need only
crack into the Sammy account to utilize its keys.

Therefore, I see EFS to be only as strong as the WinXP logon
credentials. On a stolen laptop, one can easily boot via CD/floppy to
run brute force attacks and other cracking software against the SAM to
get Sammy's passwd. Once obtained, a hacker and thief as well, logs on
as Sammy to utilize the keys within his profile for decryption.

Where is the strength in that? To overcome the aforementioned, I've
simply exported Sammy's key pair onto a floppy and deleted the priv key
on the system afterward, upon logging off. Should anyone, including
**myself**, log on as Sammy either legitimately or not afterwards, they
cannot decrypt. So as a legit user, I just import the key pair from the
floppy, but this is so cumbersome to export/import after each log off to
avoid my aforementioned weakness in EFS on a laptop.

Can someone please show me what I am missing about EFS?

Thank you.
//S.U.

Re: EFS and laptops by Lionel

Lionel
Tue Dec 27 11:18:05 CST 2005

"Shion Uzuki" <shion@example.com> wrote in message news:
43b1704e$0$58051$742ec2ed@news.sonic.net...
> Therefore, I see EFS to be only as strong as the WinXP logon credentials.
> On a stolen laptop, one can easily boot via CD/floppy to run brute force
> attacks and other cracking software against the SAM to get Sammy's passwd.
> Once obtained, a hacker and thief as well, logs on as Sammy to utilize the
> keys within his profile for decryption.

This part may not be as easy as you think, if you set up your system
correctly (strong passwords, no LM hashes, syskey).


Re: EFS and laptops by Roger

Roger
Tue Dec 27 11:56:58 CST 2005

You are missing nothing about EFS.

Basically a system and what is stored on it are only as
well protected as the system is configured and kept out
of the hands of untrusted people.

Given physical access and time pretty much any system
that predates full-disk encryption will fall under the scenario
you have presented. Pretty much any data file encryption
software and OS have issues with the type of things you
have outlined.

Newer ways of storing EFS certs on USB diskkeys
and/or smartcards are helping some, relative to convenience
for your strategy of separating EFS priv key from the machine.
The real (or at least current) answer to the "computer in hands
of attacker" is only now coming to market due to industry
initiatives. With full disk encryption and EFS within one has a
more well hardened solution to the lost laptop situation.

"Shion Uzuki" <shion@example.com> wrote in message
news:43b1704e$0$58051$742ec2ed@news.sonic.net...
>
> This is a newbie laptop EFS question. So please bear with me.
>
> EFS is seemingly weak from what I know and am experiencing. The DRA
> component is excellent since the priv key can be exported and only
> imported as needed; thereby making the DRA pub key on a laptop useless.
>
> When encrypting a file, a pub/priv key pair is automatically created
> within my user profile and used/needed for encrypt/decrypt respectively.
> Logging on as admin is not enough to read the data if encrypted with my
> Sammy account. To decrypt the Sammy-encrypted data, one need only crack
> into the Sammy account to utilize its keys.
>
> Therefore, I see EFS to be only as strong as the WinXP logon credentials.
> On a stolen laptop, one can easily boot via CD/floppy to run brute force
> attacks and other cracking software against the SAM to get Sammy's passwd.
> Once obtained, a hacker and thief as well, logs on as Sammy to utilize the
> keys within his profile for decryption.
>
> Where is the strength in that? To overcome the aforementioned, I've
> simply exported Sammy's key pair onto a floppy and deleted the priv key
> on the system afterward, upon logging off. Should anyone, including
> **myself**, log on as Sammy either legitimately or not afterwards, they
> cannot decrypt. So as a legit user, I just import the key pair from the
> floppy, but this is so cumbersome to export/import after each log off to
> avoid my aforementioned weakness in EFS on a laptop.
>
> Can someone please show me what I am missing about EFS?
>
> Thank you.
> //S.U.



Re: EFS and laptops by Roger

Roger
Tue Dec 27 12:18:45 CST 2005

Let me add one other thing.

There are those who argue that the era of passwords
as a form for claiming identity is over.

I notice that the key to your scenario is access to the
existing password of the Sammy account.

While passwords can be well over 200 characters long,
made to include spaces, unicode alt-key combo chars,
etc. we do not see people using their favorite haiku as
a passcode, but rather we see things like 11111 and
variations on their spouse's name.

If nothing else, that human inertia tends to make me also
a believer that passwords are passé as a means of gating
access to computing systems.

Now, that Windows still defaults to storing LM hashes
is something beyond me, and is something changeable.
I mean, store passwords for types of systems that do
not really exist in any appreciable sense/quantity any
longer ?? (sorry IBM shops out there).
But, as Lionel pointed out, if you disable this, and use
strong passwords, your scenario is less simple than it
might seem.


"Shion Uzuki" <shion@example.com> wrote in message
news:43b1704e$0$58051$742ec2ed@news.sonic.net...
>
> This is a newbie laptop EFS question. So please bear with me.
>
> EFS is seemingly weak from what I know and am experiencing. The DRA
> component is excellent since the priv key can be exported and only
> imported as needed; thereby making the DRA pub key on a laptop useless.
>
> When encrypting a file, a pub/priv key pair is automatically created
> within my user profile and used/needed for encrypt/decrypt respectively.
> Logging on as admin is not enough to read the data if encrypted with my
> Sammy account. To decrypt the Sammy-encrypted data, one need only crack
> into the Sammy account to utilize its keys.
>
> Therefore, I see EFS to be only as strong as the WinXP logon credentials.
> On a stolen laptop, one can easily boot via CD/floppy to run brute force
> attacks and other cracking software against the SAM to get Sammy's passwd.
> Once obtained, a hacker and thief as well, logs on as Sammy to utilize the
> keys within his profile for decryption.
>
> Where is the strength in that? To overcome the aforementioned, I've
> simply exported Sammy's key pair onto a floppy and deleted the priv key
> on the system afterward, upon logging off. Should anyone, including
> **myself**, log on as Sammy either legitimately or not afterwards, they
> cannot decrypt. So as a legit user, I just import the key pair from the
> floppy, but this is so cumbersome to export/import after each log off to
> avoid my aforementioned weakness in EFS on a laptop.
>
> Can someone please show me what I am missing about EFS?
>
> Thank you.
> //S.U.



Re: EFS and laptops by Steven

Steven
Tue Dec 27 12:49:16 CST 2005

As long as the EFS private key is on the computer there is a potential
vulnerability to access to files. For domain users logging on with cached
domain credentials the likelihood of retrieving the domain user password is
extremely remote last I heard as that password is not stored in SAM and is
encrypted very securely. Another thing you could do for a non domain user
account if you are also a local administrator for XP Pro is to "reset" your
user password before you logoff using lusrmgr.msc and then change it back to
what it was after you logon again. That may be more convenient than
exporting and deleting/and importing the EFS private key. Of course that
assumes that an attacker has not installed a keyboard logger on your
computer to capture our credentials. --- Steve


"Shion Uzuki" <shion@example.com> wrote in message
news:43b1704e$0$58051$742ec2ed@news.sonic.net...
>
> This is a newbie laptop EFS question. So please bear with me.
>
> EFS is seemingly weak from what I know and am experiencing. The DRA
> component is excellent since the priv key can be exported and only
> imported as needed; thereby making the DRA pub key on a laptop useless.
>
> When encrypting a file, a pub/priv key pair is automatically created
> within my user profile and used/needed for encrypt/decrypt respectively.
> Logging on as admin is not enough to read the data if encrypted with my
> Sammy account. To decrypt the Sammy-encrypted data, one need only crack
> into the Sammy account to utilize its keys.
>
> Therefore, I see EFS to be only as strong as the WinXP logon credentials.
> On a stolen laptop, one can easily boot via CD/floppy to run brute force
> attacks and other cracking software against the SAM to get Sammy's passwd.
> Once obtained, a hacker and thief as well, logs on as Sammy to utilize the
> keys within his profile for decryption.
>
> Where is the strength in that? To overcome the aforementioned, I've
> simply exported Sammy's key pair onto a floppy and deleted the priv key
> on the system afterward, upon logging off. Should anyone, including
> **myself**, log on as Sammy either legitimately or not afterwards, they
> cannot decrypt. So as a legit user, I just import the key pair from the
> floppy, but this is so cumbersome to export/import after each log off to
> avoid my aforementioned weakness in EFS on a laptop.
>
> Can someone please show me what I am missing about EFS?
>
> Thank you.
> //S.U.



Re: EFS and laptops by Shion

Shion
Tue Dec 27 15:52:59 CST 2005


Thank you everyone for reassuring that this newbie, yours truly, has a
basic understanding of EFS and wasn't overlooking something major about
this important file system security feature. It doesn't appear to be
the best but is an extra security measure of worth when deployed
properly with other measures.

Maybe 2-factor authentication for the Sammy account with EFS, in
addition to the others mentioned by Lionel, is more than adequate for
the enterprise. At this point, my focus is on the securing of sensitive
data for HIPAA compliance, which focuses on private medical records,
IMHO anyway, is of more criticality than most business data.

Again, thank you everyone.

//S.U.

Re: EFS and laptops by Ian

Ian
Tue Dec 27 16:33:24 CST 2005

The other aspect is that the more secure any system is, the greater the risk
of accidental self-lockout, and the less likely any remedy to such a
situation exists.

Therefore the relative advantages/drawbacks of any security system have to
be balanced: Is the risk of data loss through operator-error acceptable in
view of the need for additional security, or would it be preferable to accept
a lower level of security if this also means less likelihood of data being
lost?

I'm not saying EFS shouldn't be used, what I am saying is do make sure you
understand what you are dealing with. Far too many people don't appreciate
that this is no token gesture, it is real security, and end-up losing data as
a result of carelessness/forgetfulness.





Re: EFS and laptops by alun

alun
Tue Dec 27 23:06:34 CST 2005

In article <#HIe7YxCGHA.3976@TK2MSFTNGP10.phx.gbl>, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:
>As long as the EFS private key is on the computer there is a potential
>vulnerability to access to files. For domain users logging on with cached
>domain credentials the likelihood of retrieving the domain user password is
>extremely remote last I heard as that password is not stored in SAM and is
>encrypted very securely.

Note that "the EFS private key is on the computer" in an encrypted form,
encrypted by the password that was used to access the account - if the account
password is not in storage that you can get to, neither is the EFS private
key.

> Another thing you could do for a non domain user
>account if you are also a local administrator for XP Pro is to "reset" your
>user password before you logoff using lusrmgr.msc and then change it back to
>what it was after you logon again. That may be more convenient than
>exporting and deleting/and importing the EFS private key. Of course that
>assumes that an attacker has not installed a keyboard logger on your
>computer to capture our credentials. --- Steve

Yeah - physical security is essential. Whole-disk encryption may prove to be
a help in that area, but I have yet to evaluate it myself.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Re: EFS and laptops by Lionel

Lionel
Thu Dec 29 12:24:42 CST 2005

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:
%23PAVeIxCGHA.2704@TK2MSFTNGP11.phx.gbl...
> Now, that Windows still defaults to storing LM hashes
> is something beyond me, and is something changeable.
> I mean, store passwords for types of systems that do
> not really exist in any appreciable sense/quantity any
> longer ?? (sorry IBM shops out there).

Indeed. Do you know whether LM hashes are still stored by default in Vista?


Re: EFS and laptops by andy1963

andy1963
Thu Mar 02 17:17:30 CST 2006

Have I missed something here? If a thief/hacker has got possession of the
laptop and somehow manages to gain Administrator access, let's assume that
they change the password on the target user's account. Can't they then login
as that user and have full access to the user's encrypted data? Is any
other credential checking performed on EFS encrypted folders once the user
has logged in?

I'll try and test this, but it seems to be the easiest way of doing it.

Comments?

Andy1963


"Shion Uzuki" wrote:

>
> Thank you everyone for reassuring that this newbie, yours truly, has a
> basic understanding of EFS and wasn't overlooking something major about
> this important file system security feature. It doesn't appear to be
> the best but is an extra security measure of worth when deployed
> properly with other measures.
>
> Maybe 2-factor authentication for the Sammy account with EFS, in
> addition to the others mentioned by Lionel, is more than adequate for
> the enterprise. At this point, my focus is on the securing of sensitive
> data for HIPAA compliance, which focuses on private medical records,
> IMHO anyway, is of more criticality than most business data.
>
> Again, thank you everyone.
>
> //S.U.
>

Re: EFS and laptops by Roger

Roger
Thu Mar 02 18:58:15 CST 2006

Yes in Windows 2000, they would get access to the EFS "protected" data.
No in Windows XP and later, they would NOT get access to the EFS
protected data. With XP a new method of storing the private data was
brought into use (dpapi) which does not allow access to private data
(which is needed to get to the decryption key) if the password has been
reset to a different value.

"andy1963" <andy1963@discussions.microsoft.com> wrote in message
news:22F2809E-9558-44C6-A326-8646580290B3@microsoft.com...
> Have I missed something here? If a thief/hacker has got possession of the
> laptop and somehow manages to gain Administrator access, let's assume that
> they change the password on the target user's account. Can't they then
> login as that user and have full access to the user's encrypted data? Is any
> other credential checking performed on EFS encrypted folders once the user
> has logged in?
>
> I'll try and test this, but it seems to be the easiest way of doing it.
>
> Comments?
>
> Andy1963
>
>
> "Shion Uzuki" wrote:
>
>>
>> Thank you everyone for reassuring that this newbie, yours truly, has a
>> basic understanding of EFS and wasn't overlooking something major about
>> this important file system security feature. It doesn't appear to be
>> the best but is an extra security measure of worth when deployed
>> properly with other measures.
>>
>> Maybe 2-factor authentication for the Sammy account with EFS, in
>> addition to the others mentioned by Lionel, is more than adequate for
>> the enterprise. At this point, my focus is on the securing of sensitive
>> data for HIPAA compliance, which focuses on private medical records,
>> IMHO anyway, is of more criticality than most business data.
>>
>> Again, thank you everyone.
>>
>> //S.U.
>>



Re: EFS and laptops by alun

alun
Thu Mar 02 22:13:07 CST 2006

In article <eGxaP2lPGHA.456@TK2MSFTNGP15.phx.gbl>, "Roger Abell [MVP]"
<mvpNoSpam@asu.edu> wrote:
>Yes in Windows 2000, they would get access to the EFS "protected" data.
>No in Windows XP and later, they would NOT get access to the EFS
>protected data. With XP a new method of storing the private data was
>brought into use (dpapi) which does not allow access to private data
>(which is needed to get to the decryption key) if the password has been
>reset to a different value.

.. and the way it does that is to use the password (and other information) to
derive a key that is used to encrypt the data stored in the DPAPI. So, unless
you know the password, you can't get into DPAPI to get the key for the EFS
data.

However, you may be able to crack the password from the data on the hard-drive
by connecting that hard-drive to another machine and playing with forensics
tools on the drive.

In Windows Vista (coming real soon now!), this would be a reason to use the
BitLocker software, which encrypts the entire disk. There are other tools
that encrypt the whole disk, too, that you might investigate. At work we use
one from PGP.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
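
Added example, not part of the original posts and not Microsoft's DPAPI code: a simplified Python model of the Windows XP behaviour Roger and Alun describe, where the stored EFS private key is wrapped under a key derived from the logon password. The `Account` class, the PBKDF2 parameters and the HMAC-based toy cipher are assumptions chosen for illustration; real DPAPI uses its own formats and algorithms.

```python
import hashlib, hmac, os
from typing import Optional

ITERATIONS = 10_000  # constructed work factor for this model only

def _keys(password: str, salt: bytes):
    """Derive separate encryption and MAC keys from the logon password."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream."""
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(password: str, secret: bytes) -> dict:
    """Seal a secret under keys derived from the password (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, nonce, secret)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap(password: str, blob: dict) -> Optional[bytes]:
    enc_key, mac_key = _keys(password, blob["salt"])
    tag = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong password: the blob stays sealed
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])

class Account:
    """Hypothetical account: a logon verifier plus a password-wrapped EFS key."""
    def __init__(self, password: str, efs_private_key: bytes):
        self._set_verifier(password)
        self.protected_key = wrap(password, efs_private_key)

    def _set_verifier(self, password: str) -> None:
        self.vsalt = os.urandom(16)
        self.verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), self.vsalt, ITERATIONS)

    def logon(self, password: str) -> bool:
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), self.vsalt, ITERATIONS)
        return hmac.compare_digest(got, self.verifier)

    def change_password(self, old: str, new: str) -> bool:
        """User-initiated change: old password known, so the key is re-wrapped."""
        key = unwrap(old, self.protected_key)
        if key is None:
            return False
        self._set_verifier(new)
        self.protected_key = wrap(new, key)
        return True

    def admin_reset(self, new: str) -> None:
        """Forced reset: only the verifier changes; the blob cannot be re-wrapped."""
        self._set_verifier(new)

    def read_efs_key(self, password: str) -> Optional[bytes]:
        return unwrap(password, self.protected_key) if self.logon(password) else None
```

After `admin_reset`, logon with the new password succeeds but `read_efs_key` returns `None`; the blob still opens only with the password in force before the reset, which is why the strength of that password remains the deciding factor.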

Re: EFS and laptops by Roger

Roger
Fri Mar 03 00:18:09 CST 2006

Yeah, I am still looking at what new motherboard, processor, etc. I am
needing to pony up for so I can support use of BitLocker :-)

"Alun Jones" <alun@texis.invalid> wrote in message
news:t4Kdndo34cfOX5rZRVn-sQ@comcast.com...
> In article <eGxaP2lPGHA.456@TK2MSFTNGP15.phx.gbl>, "Roger Abell [MVP]"
> <mvpNoSpam@asu.edu> wrote:
>>Yes in Windows 2000, they would get access to the EFS "protected" data.
>>No in Windows XP and later, they would NOT get access to the EFS
>>protected data. With XP a new method of storing the private data was
>>brought into use (dpapi) which does not allow access to private data
>>(which is needed to get to the decryption key) if the password has been
>>reset to a different value.
>
> .. and the way it does that is to use the password (and other information)
> to derive a key that is used to encrypt the data stored in the DPAPI. So,
> unless you know the password, you can't get into DPAPI to get the key for
> the EFS data.
>
> However, you may be able to crack the password from the data on the
> hard-drive by connecting that hard-drive to another machine and playing
> with forensics tools on the drive.
>
> In Windows Vista (coming real soon now!), this would be a reason to use
> the BitLocker software, which encrypts the entire disk. There are other
> tools that encrypt the whole disk, too, that you might investigate. At
> work we use one from PGP.
>
> Alun.
> ~~~~
>
> [Please don't email posters, if a Usenet response is appropriate.]
> --
> Texas Imperial Software | Find us at http://www.wftpd.com or email
> 23921 57th Ave SE | alun@wftpd.com.
> Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.



Re: EFS and laptops by andy1963

andy1963
Fri Mar 03 02:28:27 CST 2006

Thank you all for responding. I now have a better understanding of how EFS
works and its capabilities. There's always more to learn!

Regards,

Andy1963

"Byron Hynes [MS]" wrote:

> You should use domain accounts, not local ones, for best protection.
>
> You might also want to read this article:
> http://www.microsoft.com/technet/community/columns/secmgmt/sm0205.mspx
>
>
> Byron Hynes
> Windows Server
> Microsoft Corporation
>
> http://spaces.msn.com/members/byronphynes
>
> > Have I missed something here? If a thief/hacker has got possession of
> > the laptop and somehow manages to gain Administrator access, let's
> > assume that they change the password on the target user's account.
> > Can't they then login as that user and have full access to the user's
> > encrypted data? Is any other credential checking performed on EFS
> > encrypted folders once the user has logged in?
> >
> > I'll try and test this, but it seems to be the easiest way of doing
> > it.
> >
> > Comments?
> >
> > Andy1963
> >
> > "Shion Uzuki" wrote:
> >
> >> Thank you everyone for reassuring that this newbie, yours truly, has
> >> a basic understanding of EFS and wasn't overlooking something major
> >> about this important file system security feature. It doesn't appear
> >> to be the best but is an extra security measure of worth when
> >> deployed properly with other measures.
> >>
> >> Maybe 2-factor authentication for the Sammy account with EFS, in
> >> addition to the others mentioned by Lionel, is more than adequate for
> >> the enterprise. At this point, my focus is on the securing of
> >> sensitive data for HIPAA compliance, which focuses on private medical
> >> records, IMHO anyway, is of more criticality than most business data.
> >>
> >> Again, thank you everyone.
> >>
> >> //S.U.
> >>
>
>
>