Sorry for replying to myself here, but to clarify, resetting passwords (rather
than changing them yourself) actually invalidates encryption keys. If you reset
a password you need to create a new encryption key. Try it yourself: Go into
"Computer Management" in XP and try to change the password for an account. Read
the warning message about what will be lost if you do it.
Ryan
On 3/30/2005 10:38 AM, Ryan L. Means wrote:
> Alex,
>
> I believe that the original Administrator password is used as the
> passphrase for the EFS recovery key, so using NTAccess will not give you
> access to the recovery key. It can replace the Administrator password in
> the SAM with a new one, but it can't change the passphrase on the
> recovery key without knowing the original. That is of course the
> official line from Microsoft and I have not verified it. :)
>
> Ryan
>
>
> On 3/30/2005 10:26 AM, Alexander Brown wrote:
>
>> Maybe I'm missing something about EFS, but it seems to me that it's
>> not really all that useful in preventing a data-loss-by-physical-theft
>> problem, if you have a clueful attacker who is really after the data.
>>
>> For example:
>>
>> 1) Evil bad guy steals XP laptop with encrypted sensitive data on it,
>> in order to acquire the data.
>>
>> 2) Evil bad guy breaks the administrator password on the laptop, using
>> NTAccess or similar.
>>
>> 3a) Evil bad guy uses administrator credentials to recover the
>> encryption key and decrypt data, and goes off and sells the data to
>> the mafia.
>>
>> OR
>>
>> 3b) Somewhat lazier evil bad guy uses administrator credentials to
>> reset the password on the account that owns the encrypted data, logs
>> in with the account of the data owner, and goes off and sells the data
>> to the mafia.
>>
>> I'm not convinced that EFS would be a substantial barrier to
>> information disclosure in a situation like the recent laptop
>> incident. Others may, just possibly, disagree... :>
>>
>> --alex
>>
>> Ryan L. Means wrote:
>>
>>> Steve,
>>>
>>> In my experience it works very well and has a negligible performance
>>> impact.
>>>
>>> However, users should only encrypt the folders containing the
>>> specific data that they would like to protect. I have seen many a
>>> system completely hosed by an attempt to EFS the entire system drive.
>>> On my laptop I have a special storage area that is encrypted where I
>>> point all of my applications to store their data.
>>>
>>> The second big thing to note is that unless you create and store a
>>> recovery key somewhere (a moderately complex process for the average
>>> user), a forgotten password means that the data will be irrevocably
>>> lost. I believe that by default under XP, the Administrator of the
>>> machine can perform recovery. On a domain environment, a recovery key
>>> can also be recreated through group policy. Of course, if we are
>>> talking about sensitive data stored on a laptop, irrevocable loss
>>> shouldn't be that big of a deal because the restricted data should
>>> also be on a secure server and it could just be copied back.
>>>
>>> Ryan
>>>
>>>
>>> On 3/30/2005 9:03 AM, Steven Longenbohn wrote:
>>>
>>>> An inquiry was put to me about the Windows XP Encrypted File System
>>>> (EFS).
>>>> I've not used this and am just now reading about it in a book.
>>>>
>>>> While this learning is going on, I wanted to post this inquiry to
>>>> see if any of you are using EFS, and if so, what is your experience
>>>> with it?
>>>>
>>>> How much does it slow down doing the daily work, opening encrypted
>>>> files, re-encrypting them, etc.?
>>>> How easy is this to set up and maintain?
>>>> Will the "average user" be able to continue doing what they do, or
>>>> do they now have to work differently (you know, a new learning curve
>>>> that most folks either don't learn or live on your telephone for
>>>> support)?
>>>>
>>>> Any input will be appreciated.
>>>> Thanks!
>>>>
>>>>
>>>> ********************************************************************************************
>>>>
>>>> * Steve "DrSteve" Longenbohn      IS&T: Administrative Systems Dept
>>>> * CalNet Deputy System Administrator
>>>> * CalAgenda Admin Departmental Security Overseer
>>>> * PC Doctor
>>>> *
>>>> * Office: 510-643-9777 Cell: 510-812-0256
>>>> * 2111 Bancroft Way, Room 409D (Banway Bldg)
>>>> ********************************************************************************************
>>>>
>>>>
>>>> -------------------------------------
>>>> Sent via the ucb-security mailing list.
>>>
>>>
>>>
>>>
>
--
Ryan L. Means
Chief Technical Officer
School of Law (Boalt Hall)
University of California, Berkeley

------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to or unsubscribing from its mailing list and finding out about upcoming meetings, please visit the Micronet Web site: <http://micronet.berkeley.edu/>.

Received on Wed Mar 30 10:46:43 2005
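The distinction the thread turns on (an administrative password reset versus a user-initiated password change, and why only the reset cuts the account off from its EFS keys) can be checked on a test box. The script below is an added example written for this archive page; it is not code from any of the posters and it does not reproduce the NTAccess steps Alex describes. It uses the ADSI WinNT provider, which exposes both operations on a local account: SetPassword is the reset an administrator performs without knowing the old password (the operation behind the Computer Management warning Ryan mentions), ChangePassword is the change that requires the current password and lets DPAPI re-wrap the master key that protects the user's EFS private key. The account name, passwords and file paths are placeholders. cipher /c and PowerShell itself are newer than XP (XP shipped neither; efsinfo.exe from the resource kit played the same role there), so run this on Vista or later.

```powershell
# Added example, not from the original thread. Shows reset vs. change on a local
# account and how to verify who can still decrypt an EFS file afterwards.
# Assumptions: runs as a local administrator; 'efsuser' is a throwaway local test
# account; the file path and DRA output path are placeholders.

$Account  = 'efsuser'                        # assumption: local test account
$TestFile = "C:\Users\$Account\secret\notes.txt"   # assumption: EFS-encrypted test file

function Get-LocalAdsiUser {
    param([Parameter(Mandatory)][string]$Name)
    # WinNT provider binding for a local account on this machine.
    [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
}

function Set-PasswordByChange {
    # User-initiated CHANGE: needs the current password. DPAPI re-encrypts the
    # user's master key under the new password, so EFS private keys stay usable.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OldPassword,
        [Parameter(Mandatory)][string]$NewPassword
    )
    $user = Get-LocalAdsiUser -Name $Name
    $user.ChangePassword($OldPassword, $NewPassword)
}

function Set-PasswordByReset {
    # Administrative RESET: no current password required. On a standalone machine
    # the DPAPI master key can no longer be decrypted, so the EFS private key and
    # therefore the encrypted data become unreadable for this account.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$NewPassword
    )
    $user = Get-LocalAdsiUser -Name $Name
    $user.SetPassword($NewPassword)
    $user.SetInfo()
}

function Show-EfsAccess {
    # Lists the user certificates and data recovery agent (DRA) certificates that
    # can decrypt the file. If the owner's key is lost and no DRA is listed, the
    # data is gone, which is the thread's "irrevocably lost" case.
    param([Parameter(Mandatory)][string]$Path)
    cipher.exe /c $Path
}

function New-RecoveryAgentKeyPair {
    # Creates the DRA certificate (.cer) and private key (.pfx) that the thread
    # calls the "recovery key". Add the .cer through Local Security Policy or
    # Group Policy before users encrypt anything; keep the .pfx offline.
    param([string]$BaseName = "$env:TEMP\efs-dra")   # assumption: output path
    cipher.exe "/r:$BaseName"
}

# Walk-through on a test account:
#   1. Log on as efsuser once, encrypt $TestFile (cipher /e), log off.
#   2. Show-EfsAccess -Path $TestFile          -> efsuser's certificate is listed
#   3. Set-PasswordByChange -Name $Account -OldPassword 'OldP@ss1' -NewPassword 'NewP@ss2'
#      Log on as efsuser: the file still opens.
#   4. Set-PasswordByReset  -Name $Account -NewPassword 'ResetP@ss3'
#      Log on as efsuser: the file no longer opens; Show-EfsAccess still lists the
#      certificate, but its private key can no longer be unlocked.
#   5. Recovery only works if New-RecoveryAgentKeyPair had been run and the DRA
#      certificate applied by policy before step 1.
```

The practical check is step 4: after an administrative reset the certificate thumbprint still appears in cipher /c output, which can mislead a helpdesk into thinking access is intact. The key material behind it is what is lost, and only a data recovery agent configured before the files were encrypted, or a backup of the user's EFS certificate and private key exported with cipher /x, brings the data back.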
This archive was generated by hypermail 2.1.8 : Wed Mar 30 2005 - 10:46:43 PST