Re: [Full-disclosure] Microsoft EFS
- To: "Dyke, Tim" <Tim.Dyke@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Microsoft EFS
- From: Thomas Springer <tuevsec@xxxxxxx>
- Date: Wed, 12 Oct 2005 23:03:48 +0200
EFS-stuff is tricky. Let me drop a few hints (on XP/2003 only!)
EFS-Files are crypted for the actual logged-in user (be it a domain-user
or a local user).
By default, EFS also crypts to the key of a "default recovery agent",
which is the local administrator or, if you are a domain user, the
domain administrator.
ONLY these two accounts (user and recovery agent) can decrypt the files.
If your machine is part of a domain AND the files are crypted with a
domain-account, the only way to get the data back is cracking the domain-pw.
I did a little Q&A months ago for our internal stuff; maybe this helps
to make things clearer. And remember: the following applies to XP/2003.
EFS on Win2k is different (and insecure).
How is it crypted?
Depending on version/service pack, with 3DES, DESX or 256-bit AES.
XP SP1 offers you a registry key to choose the cipher:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
AlgorithmID (DWORD)
3DES: 0x6603
DESX: 0x6604
AES-256: 0x6610
Where is the key hanging around physically?
The encrypted keys are living on
\\<yourprofile>\Application Data\Microsoft\Crypto\RSA\{SID}\...
Can I backup/export the key?
Yes. Start a cmd.exe and say cipher.exe /x [filename]
This saves a password-protected copy of your efs-key.
How can I check who can access an efs-crypted file (e.g. who's the
recovery-agent for a specific file)?
Start a cmd.exe and say efsinfo.exe /c /r /u
Does it help if I backup the above-mentioned key from my profile-directory?
No. Your local key file is crypted with a random key and your
user password. Windows changes this random key part every 60 days; your
backup would be useless then. If you change your Windows (or
domain) password, the key also gets updated automagically.
What happens if a Windows administrator (or Linux user with a
boot disk) resets my password (be it on the domain controller or
locally)?
You no longer have access to your EFS-encrypted files, because your keys
in the above-mentioned directories are garbled with your OLD
user password. If you (or somebody else) reset your account password
remotely, the key files on your machine won't get re-encrypted and are
therefore useless afterwards.
Hey man, after all you wouldn't want a simple domain-admin to read your
encrypted data, would you?
Hopefully you have backed up your EFS-Key using cipher.exe. Otherwise
you'll have to consult your recovery-agent!
Depending on your OS and SP, cipher.exe and efsinfo.exe might not be
installed on your machine, but you can get these tools and other
valuable info from Microsoft.
If you have anything to do with EFS, I definitely recommend reading
and understanding
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#EIAA
before you start doing anything! This is ESSENTIAL information and
contains links to the newest cipher.exe, efsinfo.exe and other tools!
Hope this helps
Thomas Springer
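The checks Thomas lists (which cipher the AlgorithmID registry value selects, where the per-user RSA key material lives, which files under a directory are actually EFS-encrypted, and backing up the key with cipher.exe /x) can be bundled into one audit script. The following is an added example written for this archive page; it is not code from the original post or from Microsoft. It assumes PowerShell 2.0 or later on an XP/2003-era machine, that the APPDATA environment variable points at the profile's "Application Data" folder, and that cipher.exe/efsinfo.exe are on the PATH if installed; the function names and the backup path are hypothetical.

```powershell
# Added example (not from the original post): audit the EFS facts described above.
# Assumes PowerShell 2.0+ and the XP/2003 registry/profile layout.

# CALG_* identifiers that the AlgorithmID value may hold (values from the post).
$EfsAlgorithmNames = @{
    0x6603 = '3DES (CALG_3DES)'
    0x6604 = 'DESX (CALG_DESX)'
    0x6610 = 'AES-256 (CALG_AES_256)'
}

function Get-EfsCipherSetting {
    # Reads HKLM\...\EFS\AlgorithmID and maps it to a cipher name.
    $efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $props  = Get-ItemProperty -Path $efsKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.AlgorithmID) {
        return 'AlgorithmID not set: EFS uses the OS/service-pack default cipher'
    }
    $id = [int]$props.AlgorithmID
    if ($EfsAlgorithmNames.ContainsKey($id)) {
        return ('AlgorithmID 0x{0:X4} -> {1}' -f $id, $EfsAlgorithmNames[$id])
    }
    return ('AlgorithmID 0x{0:X4} -> unknown CALG value' -f $id)
}

function Get-EfsKeyContainers {
    # Lists the {SID} key-container folders under the profile's Crypto\RSA directory.
    $rsaDir = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
    if (-not (Test-Path $rsaDir)) { return @() }
    Get-ChildItem -Path $rsaDir | Where-Object { $_.PSIsContainer } |
        ForEach-Object { $_.FullName }
}

function Get-EfsEncryptedFiles {
    # Returns every file under $Root that carries the NTFS Encrypted attribute.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        } | ForEach-Object { $_.FullName }
}

function Show-EfsFileAccess {
    # Wraps "efsinfo.exe /c /r /u" (user, recovery agent, certificate thumbprint).
    param([string]$Path)
    if (-not (Get-Command efsinfo.exe -ErrorAction SilentlyContinue)) {
        return "efsinfo.exe not installed; fetch it from Microsoft's EFS tools"
    }
    & efsinfo.exe /c /r /u $Path
}

function Backup-EfsKey {
    # Wraps "cipher.exe /x <file>"; cipher.exe prompts for a password and writes a .pfx.
    param([string]$BackupBase = (Join-Path $env:USERPROFILE 'efs-key-backup'))  # hypothetical path
    if (-not (Get-Command cipher.exe -ErrorAction SilentlyContinue)) {
        return 'cipher.exe not installed on this OS/SP'
    }
    & cipher.exe /x $BackupBase
}

# Usage: run before touching passwords or domain membership, and keep the .pfx
# somewhere that does not depend on the profile or the current password.
Get-EfsCipherSetting
Get-EfsKeyContainers
Get-EfsEncryptedFiles -Root $env:USERPROFILE | ForEach-Object { Show-EfsFileAccess -Path $_ }
Backup-EfsKey
```

The script only reads configuration and invokes the two Microsoft tools the post names; the useful outcome for an administrator is the list of files whose recovery agent is a domain account (visible in the efsinfo output) and a password-protected .pfx that survives a later password reset, which is exactly the failure mode the Q&A warns about.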
Do you know how this will work for a machine that is part of a domain,
where there are no local users and the default recovery agent is the
"Domain Admin"?
I know that one can always hack the local admin PW, then unjoin the
domain, but where does that leave the machine?
Is there any way to hack the "nonce" PW?
Thanks
Tim
------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/