Message-ID: <434D7A34.4070801@gmx.net>
Date: Wed Oct 12 22:04:03 2005
From: tuevsec at gmx.net (Thomas Springer)
Subject: Microsoft EFS
EFS stuff is tricky. Let me drop a few hints (on XP/2003 only!)
EFS files are encrypted for the currently logged-in user (be it a domain user
or a local user).
By default, EFS also encrypts to the key of a "default recovery agent",
which is the local administrator or, if you are a domain user, the
domain administrator.
ONLY these two accounts (user and recovery agent) can decrypt the files.
If your machine is part of a domain AND the files are encrypted with a
domain account, the only way to get the data back is cracking the domain password.
I did a little Q&A months ago for our internal stuff, maybe this helps
to make things clearer. And remember: the following applies to XP/2003.
EFS on Win2k is different (and insecure).
How is it crypted?
Depending on version/service pack, with 3DES, DESX or 256-bit AES.
XP SP1 offers you a registry key to choose the cipher:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
AlgorithmID (DWORD)
3DES: 0x6603
DESX: 0x6604
AES-256: 0x6610
Where is the key hanging around physically?
The encrypted keys live in
\\<yourprofile>\Application Data\Microsoft\Crypto\RSA\{SID}\...
Can I backup/export the key?
Yes. Start a cmd.exe and say cipher.exe /x [filename]
This saves a password-protected copy of your EFS key.
How can I check who can access an EFS-encrypted file (e.g. who's the
recovery agent for a specific file)?
Start a cmd.exe and say efsinfo.exe /c /r /u
Does it help if I back up the above-mentioned key from my profile directory?
No. Your local key file is encrypted with a random key and your
user password. Windows changes this random key part every 60 days. Your
backup would be useless then. If you change your Windows (or
domain) password, the key also gets updated automagically.
What happens if a Windows administrator (or Linux user with a
boot disk) resets my password (be it on the domain controller or
locally)?
You no longer have access to your EFS-encrypted files, because your keys
in the above-mentioned directories are garbled with your OLD
user password. If you (or somebody else) reset your account password
remotely, the key files on your machine won't get re-encrypted and are
therefore useless afterwards.
Hey man, after all you wouldn't want a simple domain-admin to read your
encrypted data, would you?
Hopefully you have backed up your EFS key using cipher.exe. Otherwise
you'll have to consult your recovery agent!
Depending on your OS and SP, cipher.exe and efsinfo.exe might not be
installed on your machine - but you can get these tools and other
valuable info from Microsoft.
If you have anything to do with EFS, I definitely recommend reading
and understanding
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#EIAA
before you start doing anything! This is ESSENTIAL information and
contains links to the newest cipher.exe, efsinfo.exe and other tools!
Hope this helps
Thomas Springer
> Do you know how this will work for a machine that is part of a domain?
> Where there are no local users and the default recovery agent is the
> "Domain Admin"
>
> I know that one can always hack the local admin PW, then unjoin the
> domain, but where does that leave the machine.
> Is there any way to hack the "nonce" PW?
>
> Thanks
>
> Tim
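As an added example (not part of Thomas's post and not a Microsoft tool), here is a PowerShell audit of the AlgorithmID setting and the backup tools the post describes. The registry path and the DWORD-to-cipher mapping are taken from the post; the function names are mine, and the script assumes Windows PowerShell on a machine where the EFS key may or may not exist.

```powershell
# Added example: audit which EFS cipher is explicitly configured and whether
# the key-backup tools named in the post (cipher.exe, efsinfo.exe) are present.
# Registry path and AlgorithmID values are those listed in the post.

$EfsKeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

# DWORD -> cipher name, exactly the mapping given in the post.
$EfsAlgorithms = @{
    0x6603 = '3DES'
    0x6604 = 'DESX'
    0x6610 = 'AES-256'
}

function Get-EfsCipherSetting {
    # Returns an object describing the configured EFS cipher. If the value is
    # absent, no explicit choice was made and the OS/service-pack default
    # applies (the post says that default varies by version).
    $item  = Get-ItemProperty -Path $EfsKeyPath -Name AlgorithmID -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.AlgorithmID } else { $null }
    if ($null -eq $value) {
        return [pscustomobject]@{ Configured = $false; AlgorithmID = $null; Cipher = 'OS default (version/SP dependent)' }
    }
    $name = if ($EfsAlgorithms.ContainsKey($value)) { $EfsAlgorithms[$value] } else { 'unknown AlgorithmID' }
    return [pscustomobject]@{ Configured = $true; AlgorithmID = ('0x{0:X4}' -f $value); Cipher = $name }
}

function Test-EfsKeyBackupTools {
    # cipher.exe /x is what the post recommends for backing up the EFS key;
    # report whether cipher.exe and efsinfo.exe are reachable on PATH.
    foreach ($tool in 'cipher.exe', 'efsinfo.exe') {
        $found = Get-Command $tool -ErrorAction SilentlyContinue | Select-Object -First 1
        $path  = if ($found) { $found.Path } else { $null }
        [pscustomobject]@{ Tool = $tool; Available = [bool]$found; Path = $path }
    }
}

$setting = Get-EfsCipherSetting
$setting | Format-List
if ($setting.Configured -and $setting.Cipher -ne 'AES-256') {
    Write-Warning "EFS is explicitly set to $($setting.Cipher); 0x6610 (AES-256) is the strongest option the post lists."
}
Test-EfsKeyBackupTools | Format-Table -AutoSize
```

Run it in an elevated prompt if you intend to follow up with cipher.exe /x, since the backup itself is still done by that tool, not by this script.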