Message-ID: <434CC0EE.40109@gmx.net>
Date: Thu Oct 13 06:30:17 2005
From: tuevsec at gmx.net (Thomas Springer)
Subject: Microsoft EFS
EFS-stuff is tricky. Let me drop a few hints (on XP/2003 only!)

EFS-files are crypted for the actual logged-in user (be it a domain-user
or a local user).
By default, EFS crypts also to the key of a "default recovery agent",
which is the local administrator or, if you are a domain-user, the
domain-administrator.
ONLY these two accounts (user and recovery agent) can decrypt the files.
If your machine is part of a domain AND the files are crypted with a
domain-account, the only way to get the data back is cracking the domain-pw.

I did a little Q&A months ago for our stuff, maybe this helps to make
things clearer. And never forget: this matters for XP/2003. EFS on
Win2k is different (and insecure).
How is it crypted?
Depending on version/service pack, with 3DES, DESX or 256-bit AES.
XP SP1 offers you a registry key to choose the cipher:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
AlgorithmID (DWORD)
3DES: 0x6603
DESX: 0x6604
AES-256: 0x6610

Where is the key hanging around physically?
The encrypted keys are living in
\\<yourprofile>\Application Data\Microsoft\Crypto\RSA\{SID}\...

Can I backup/export the key?
Yes. Start a cmd.exe and say cipher.exe /x [filename]
This saves a password-protected copy of your EFS key.

How can I check who can access an EFS-crypted file?
Start a cmd.exe and say efsinfo.exe /c /r /u

Does it help if I backup the above-mentioned key from my profile directory?
No. Your local key file is crypted with a random key and your
user password. Windows changes this random key every 60 days. Your
backup would be useless then. If you change your Windows (or
domain) password, the key also gets encrypted anew.

What happens if a Windows administrator (or Linux user with some
bootdisk) resets my password (be it on the domain controller or locally)?
You no longer have access to your EFS-encrypted files, because your keys
in the above-mentioned directories are garbled with your OLD
user password. If you (or somebody else) reset your account password
remotely, the keys won't get re-encrypted. Hey man, after all you
wouldn't want a simple domain-admin to read your data, would you?
Hopefully you have backed up your EFS key using cipher.exe. Otherwise
you'll have to consult your recovery agent!

Depending on your OS and SP, cipher.exe and efsinfo.exe might not be
installed on your machine - but you can get these tools and other
valuable info from Microsoft:

> Do you know how this will work for a machine that is part of a domain?
> Where there are no local users and the default recovery agent is the
> "Domain Admin"
>
> I know that one can always hack the local admin PW, then unjoin the
> domain, but where does that leave the machine.
> Is there any way to hack the "nounce" PW?
>
> Thanks
>
> Tim
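The three checks the Q&A above describes (which cipher is configured, which files are EFS-encrypted, and who can decrypt them), gathered into one read-only audit script. This is an added PowerShell example and not part of the original post or of Microsoft's tooling; it assumes Windows Vista or later, where cipher.exe accepts /c to display the users and recovery agents that can decrypt a file (on XP/2003 the equivalent is the efsinfo.exe call from the post). The function names and the hashtable of AlgorithmID values are my own, with the three IDs taken from the post.

```powershell
# Added example (not from the original post): read-only EFS audit.
# Assumptions: Windows Vista or later, PowerShell 3 or later, and that
# cipher.exe supports /c (true on modern Windows; XP used efsinfo.exe).
# Nothing here modifies keys, files or the registry.

# AlgorithmID values quoted in the post; any other value is reported as unknown.
$EfsAlgorithmNames = @{
    0x6603 = '3DES'
    0x6604 = 'DESX'
    0x6610 = 'AES-256'
}

function Get-EfsAlgorithm {
    # Reads AlgorithmID from the registry key named in the post and maps it to a name.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $item = Get-ItemProperty -Path $key -Name AlgorithmID -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value: the OS default cipher applies.
        return [pscustomobject]@{ AlgorithmID = $null; Name = 'OS default (value not set)' }
    }
    $id = [int]$item.AlgorithmID
    $name = if ($EfsAlgorithmNames.ContainsKey($id)) { $EfsAlgorithmNames[$id] } else { 'unknown' }
    return [pscustomobject]@{ AlgorithmID = ('0x{0:X4}' -f $id); Name = $name }
}

function Get-EfsEncryptedFile {
    # Lists every file under $Path that carries the Encrypted attribute.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
}

function Get-EfsFileAccess {
    # Wraps "cipher.exe /c <file>", which prints the user certificates and
    # recovery agents that can decrypt the file (modern counterpart of the
    # post's "efsinfo.exe /c /r /u"). Output is returned as text lines.
    param([Parameter(Mandatory)][string]$File)
    & cipher.exe /c $File 2>&1
}

# Usage: audit the current user's profile. For each encrypted file the
# listed recovery agent tells you whether anyone besides the owner can
# recover the data, which is what you want to know BEFORE a password reset
# (the post explains why a reset leaves the user's own key unusable).
$algo = Get-EfsAlgorithm
Write-Host ("EFS cipher: {0} (AlgorithmID {1})" -f $algo.Name, $algo.AlgorithmID)
foreach ($f in Get-EfsEncryptedFile -Path $env:USERPROFILE) {
    Write-Host "`n== $($f.FullName)"
    Get-EfsFileAccess -File $f.FullName
}
```

Run it as the user whose files you are auditing; a file that lists no recovery agent and whose owner has never exported a key with cipher.exe /x is exactly the case the post warns about, so that combination is the one to flag.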