EFS- manipulated UserPassword

Anonymous
October 26, 2004 8:29:40 PM

Archived from groups: microsoft.public.win2000.security

Hello,

Using W2k on laptops, we would like to keep there some sensible data too.
Searching for a solution, EFS looked fine till I found the EFS backdoor
problem mentioned in 2002,
where booting from a floppy and changing the password of the user (using
certain programs) grants access to the encrypted directories and files
too...

I did not find any article about this problem (the only link I found, is
worthless because of the new structure of MS-homepage...)
I did not find any information searching for patches and within the service
packs.
Has the problem not been solved yet? If it has been solved, where can I find
the solution?
I would prefer to use the Windows 2000 EFS rather than a third party
solution or updating to XP.

thanks ahead and kind regards

Thomas Weigel
Anonymous
October 26, 2004 11:14:39 PM

Archived from groups: microsoft.public.win2000.security

No, the problem still remains. The reason it works is because the built-in
administrator account is also the Recovery Agent in Windows 2000. XP Pro
does not require a Recovery Agent, password resets will not allow the user
account to access EFS files, and uses stronger encryption. You would need to
upgrade to XP Pro OR export/delete the user's and Recovery Agent's EFS
private keys to a .pfx file when the computer is not physically secure. If
you do upgrade to XP Pro and do not remove the user's EFS private key from
the computer be SURE to make sure that the user is forced to use a complex
password. You can use security policy to enforce this.

The reason is that the user's password protects the EFS private key. An
attacker could still reset the administrator password to gain access to the
computer and then install a password cracker like LC5 on it to crack the
user's password and gain access to the EFS files. If you disable storage of
LM hashes on the computer, use password complexity, and a password of say at
least ten characters in length it would take a long time to crack it with
LC5. Password complexity only enforces three types of characters. If you are
the user or you can convince the user to use all four character types the
password will be much stronger yet as in T337r88t!* . A password like that
will not be easy to remember in which case the user could write it down as
long as it is not kept near the computer. --- Steve


"Thomas Weigel" <entwicklung_nospam__at__octagon_minus_gmbh_dot_de> wrote in
message news:utBFPh2uEHA.1984@TK2MSFTNGP14.phx.gbl...
> Hello,
>
> Using W2k on laptops, we would like to keep there some sensible data too.
> Searching for a solution, EFS looked fine till I found the EFS backdoor
> problem mentioned in 2002,
> where booting from a floppy and changing the password of the user (using
> certain programs) grants access to the encrypted directories and files
> too...
>
> I did not find any article about this problem (the only link I found, is
> worthless because of the new structure of MS-homepage...)
> I did not find any information searching for patches and within the
> service
> packs.
> Has the problem not been solved yet? If it has been solved, where can I
> find
> the solution?
> I would prefer to use the Windows 2000 EFS rather than a third party
> solution or updating to XP.
>
> thanks ahead and kind regards
>
> Thomas Weigel
>
>
>
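The two hardening points in the reply above (no LM hash storage, and a long password using all four character types) can be checked with a short script. This is an added example, not part of any poster's message; the function names are hypothetical, only the character-class part of the complexity policy is modelled, and the keyspace figures are exhaustive-search upper bounds.

```python
import string

# Character classes counted by the Windows password complexity policy
# (at least three of the four must be present).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def classes_used(password):
    """Return the sorted names of the character classes present."""
    return sorted(n for n, chars in CLASSES.items() if set(password) & chars)

def lm_halves(password):
    """LM pre-processing: uppercase, then split into two independently
    hashed 7-character halves. Passwords longer than 14 characters get
    no usable LM hash, so None is returned for them."""
    if len(password) > 14:
        return None
    up = password.upper()
    return up[:7], up[7:]

def audit(password):
    """Compare the search space of the NT hash with that of a stored LM hash."""
    used = classes_used(password)
    alphabet = sum(len(CLASSES[c]) for c in used)
    halves = lm_halves(password)
    lm_keyspace = None
    if halves is not None:
        # Lowercase folds into uppercase, and each half is searched alone.
        folded = {"upper" if c == "lower" else c for c in used}
        lm_alphabet = sum(len(CLASSES[c]) for c in folded)
        lm_keyspace = sum(lm_alphabet ** len(h) for h in halves if h)
    return {
        "classes": used,
        "meets_complexity": len(used) >= 3,
        "nt_keyspace": alphabet ** len(password),
        "lm_halves": halves,
        "lm_keyspace": lm_keyspace,
    }

if __name__ == "__main__":
    # The example password quoted in the reply above.
    for key, value in audit("T337r88t!*").items():
        print(f"{key}: {value}")
```

With LM hashes stored, the ten-character password is reduced to one seven-character and one three-character uppercase search, which is why the reply pairs length and complexity with disabling LM hash storage.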
Anonymous
October 27, 2004 2:53:56 AM

Archived from groups: microsoft.public.win2000.security

The problem was fixed by an architectural change for XP and
Windows 2003. This is not backported to Windows 2000.

One thing Steve omitted is that if you force use of domain
accounts on your W2k then what he outlined for replacing the
admin password, then getting the SAM and cracking against
the encrypting user accounts (so as to be able to log into them
in a way that even EFS in XP/W2k3 will allow) would not work
since the encrypting accounts are not in the local SAM.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Thomas Weigel" <entwicklung_nospam__at__octagon_minus_gmbh_dot_de> wrote in
message news:utBFPh2uEHA.1984@TK2MSFTNGP14.phx.gbl...
> Hello,
>
> Using W2k on laptops, we would like to keep there some sensible data too.
> Searching for a solution, EFS looked fine till I found the EFS backdoor
> problem mentioned in 2002,
> where booting from a floppy and changing the password of the user (using
> certain programs) grants access to the encrypted directories and files
> too...
>
> I did not find any article about this problem (the only link I found, is
> worthless because of the new structure of MS-homepage...)
> I did not find any information searching for patches and within the
> service
> packs.
> Has the problem not been solved yet? If it has been solved, where can I
> find
> the solution?
> I would prefer to use the Windows 2000 EFS rather than a third party
> solution or updating to XP.
>
> thanks ahead and kind regards
>
> Thomas Weigel
>
>
>
>
Anonymous
October 27, 2004 1:10:05 PM

Archived from groups: microsoft.public.win2000.security

Thanks so far.
But ...

For security reasons the laptops are never connected to our network. Our
network is not connected to the internet, either. The encrypted data have to be
available at the customer, too. So the local SAM is the only one. The key of
the administrator is exported. The only key currently left would be the
private key of the user (only one, as every user has his own laptop).
What about the following idea: not exporting but simply moving the user's
encryption key to a memory stick should secure the encrypted files. Just
whether the stick is plugged in or unplugged during booting decides if the
encrypted data are available. If this could work, what do I have to do?
For several reasons upgrading to XP is currently not a solution.

Thomas Weigel




"Roger Abell [MVP]" <mvpNoSpam@asu.edu> schrieb im Newsbeitrag
news:uqGQYl#uEHA.3200@TK2MSFTNGP14.phx.gbl...
> The problem was fixed by an architectural change for XP and
> Windows 2003. This is not backported to Windows 2000.
>
> One thing Steve omitted is that if you force use of domain
> accounts on your W2k then what he outlined for replacing the
> admin password, then getting the SAM and cracking against
> the encrypting user accounts (so as to be able to log into them
> in a way that even EFS in XP/W2k3 will allow) would not work
> since the encrypting accounts are not in the local SAM.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "Thomas Weigel" <entwicklung_nospam__at__octagon_minus_gmbh_dot_de> wrote in
> message news:utBFPh2uEHA.1984@TK2MSFTNGP14.phx.gbl...
> > Hello,
> >
> > Using W2k on laptops, we would like to keep there some sensible data too.
> > Searching for a solution, EFS looked fine till I found the EFS backdoor
> > problem mentioned in 2002,
> > where booting from a floppy and changing the password of the user (using
> > certain programs) grants access to the encrypted directories and files
> > too...
> >
> > I did not find any article about this problem (the only link I found, is
> > worthless because of the new structure of MS-homepage...)
> > I did not find any information searching for patches and within the
> > service
> > packs.
> > Has the problem not been solved yet? If it has been solved, where can I
> > find
> > the solution?
> > I would prefer to use the Windows 2000 EFS rather than a third party
> > solution or updating to XP.
> >
> > thanks ahead and kind regards
> >
> > Thomas Weigel
> >
> >
> >
> >
>
>