csc and efs : how it is implemented ?

[kona]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello,
I'm searching technical informations about the couple CSC-EFS.
How are offline files encrypted ? Which, how private is assigned to the
file ?
Is it possible de recover un offline file ?
Any informations are welcome ?

Thanh's in advance.

 

[Poseidon]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

The encryption of the CSC using EFS in Windows XP encrypts the CSC's
single database file with keys assigned to the LocalSystem account.

Background: the CSC is a single file, containing cached files for one
or more users; the file is mounted at bootup by the OS, and presents to
the user only the files that were cached for that user.

However, the contents of the CSC are accessible to anyone who can take
over the LocalSystem account, and anything encrypted in that context
could be decrypted (at least in theory - haven't tried it myself, but I
always assumed it *would* be possible) in that context as well.

The private key that decrypts the CSC (and thus all cached files
contained in the CSC) is stored in the LocalSystem profile.

Hope this helps.


--
Poseidon


------------------------------------------------------------------------
Poseidon's Profile: http://www.msusenet.com/member.php?userid=2027
View this thread: http://www.msusenet.com/t-1870516003

 

[kona]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thank you for your informations.
You wrote : CSC is a single file.
But when I take a look on the %systemroot%\csc is a lot of directory,
d1, d2, ... dn. Each of them have some files.
You wrote also : the file ..., and presents to the user only the files
that were cached for that user.
I did the following test :
I created a file with owner test1 and a second file with owner test2.
Both files can be accessible, open by the two accounts (online)
Now when I'm offline, and connected as test1 or test2, I can see the
both files into the offline folder. But I can only open the one I'm the
owner.
So, what make the access denied to the file I'm not the owner ?
With normal efs, it would be due to the personal private key added to
the header of the file. But in the case of offline folder (csc) ?
Is the access denied due to a special ACL only affected during the
offline mode ?

Regards

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

This may help to answer one of your questions:
http://www.microsoft.com/windowsxp/using/security/expert/encryptoffline.mspx
"A common database on the local machine is used to store all user files and
to limit access to those files through explicit access control lists (ACLs)."

Thanks.
Pat
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"kona" wrote:

> Thank you for your informations.
> You wrote : CSC is a single file.
> But when I take a look on the %systemroot%\csc is a lot of directory,
> d1, d2, ... dn. Each of them have some files.
> You wrote also : the file ..., and presents to the user only the files
> that were cached for that user.
> I did the following test :
> I created a file with owner test1 and a second file with owner test2.
> Both files can be accessible, open by the two accounts (online)
> Now when I'm offline, and connected as test1 or test2, I can see the
> both files into the offline folder. But I can only open the one I'm the
> owner.
> So, what make the access denied to the file I'm not the owner ?
> With normal efs, it would be due to the personal private key added to
> the header of the file. But in the case of offline folder (csc) ?
> Is the access denied due to a special ACL only affected during the
> offline mode ?
>
> Regards
>
>