The following security management column on Microsoft's website
appears to strongly promote the use of EFS for data security on
laptops:

Steve Riley
Senior Program Manager, Security Business and Technology Unit
"The Case of the Stolen Laptop: Mitigating the Threats of Equipment Theft"
February 9, 2005
http://www.microsoft.com/technet/community/columns/secmgmt/sm0205.mspx

This column also appears to be a good overview of some of the
pragmatic issues involved in using EFS in this context.

Here's another technical article discussing EFS best practices in Windows XP:

David Cross
"Data Protection and Recovery in Windows XP"
Updated: February 17, 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx

Is EFS vulnerable? How can it be made more secure?
---------------------------------------------------

The following Microsoft article discusses vulnerabilities in SysKey:

"Analysis of Alleged Vulnerability in Windows 2000 Syskey and the
Encrypting File System"
Updated: July 18, 2001
http://www.microsoft.com/technet/archive/security/news/efs.mspx

>We've received a number of reports from customers who are concerned
>about tools that are reputed to be able to bypass the protection
>provided by the Syskey feature in Microsoft(R) Windows(R) 2000 and
>enable unauthorized users to read files protected by the Encrypting
>File System (EFS). ...
>
>We've conducted a thorough investigation of the reports, and found
>that, when Windows 2000 is used as recommended, tools such as these
>cannot be used to compromise encrypted data. Specifically, if the
>user is a domain member - as most users are - the tools cannot
>compromise EFS-encrypted data. Even in the case where the user is
>not a member of a domain, the tools can only succeed if Syskey is
>used in the least-secure mode. If Syskey is used in either of two
>more-secure modes, the tools cannot succeed.

One of the recommendations made, not only in this article but in
both of the above articles, is to use the SysKey utility to better
protect the EFS key.

By default, a startup key protects a master key: perhaps the key
referred to as the "Security Accounts Management Database encryption
key" in other articles (?). The master key protects a database of
hashed values for private keys used by services and applications,
including EFS keys. Whenever an attacker can access that database,
they can attempt "brute force" attacks, generating large numbers of
hashes to find matches and hence identify passwords.

The startup key which protects the master key is "scattered
throughout" the Registry in a random pattern. The article mentions
that, instead of storing the startup key in the Registry, one can use
the SysKey utility to require that an additional password be entered
at boot time, which is used to derive the master key.

Here is an article describing in detail how to use SysKey for that purpose:

"How to use the SysKey utility to secure the Windows Security Accounts
Manager database"
http://support.microsoft.com/kb/310105

It remains to be seen whether tools such as the one that Jon Kuroda
referred to <http://www.crackpassword.com/products/prs/mswin/efs/>
are effective against the two more secure Syskey modes.

The other articles listed in Jon's message appear to refer to
scouring the Registry for keys and the use of data recovery
agents, respectively, to decrypt EFS-encrypted filesystems.

Using SysKey to set a password, rather than storing the startup key
in the Registry, would presumably protect against the former. And
the following practices might potentially offer protection against
the latter. (This refers to W2K; there may be equivalent advice
available for XP.)

"Protecting Data Recovery Certificates in EFS"
http://www.windowsitpro.com/Article/ArticleID/15819/15819.html

Of course, the bottom line is that, even without the use of SysKey
or careful management of data recovery agents, merely storing
sensitive data within an EFS in W2K and especially in XP may well be
capable of protecting that data from being discovered by a casual
"smash (or sneak) and grab" laptop thief who is not specifically
targeting that data, as well as by the vast majority of hands that
the stolen laptop might subsequently be likely to fall into.

Aron Roberts
Workstation Software Support Group

Disclaimer: I know almost nothing about Windows internals; the above
comes from a single Google search and my interpretations based on
quick scans of several articles, which may well be incorrect in one or
more of the statements above.
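
An added example, not part of the original message: a small audit that applies the two conditions in the quoted Microsoft analysis (domain membership and SysKey mode) to collected `reg query` output. It assumes the SysKey mode is read from the `SecureBoot` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which the message does not name; the hostnames and registry output are constructed.

```python
import re

# SysKey mode is recorded in the SecureBoot DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa (value name not given in the message).
SYSKEY_MODES = {
    1: "startup key stored in the Registry",
    2: "startup key derived from a boot-time password",
    3: "startup key kept on removable media",
}

_SECUREBOOT = re.compile(r"^\s*SecureBoot\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.M)


def parse_secureboot(reg_output):
    """Return the SecureBoot DWORD from `reg query` text, or None if absent."""
    match = _SECUREBOOT.search(reg_output)
    return int(match.group(1), 16) if match else None


def assess(reg_output, domain_member):
    """Classify one host using the two conditions in the quoted Microsoft analysis."""
    mode = parse_secureboot(reg_output)
    if mode not in SYSKEY_MODES:
        return "unknown"            # value missing or unexpected: check by hand
    if mode != 1:
        return "hardened"           # one of the two more-secure modes
    # Least-secure mode: the quoted analysis says only non-domain users are at risk.
    return "domain-member" if domain_member else "exposed"


def audit(inventory):
    """Map hostname -> status for (hostname, domain_member, reg_output) rows."""
    return {host: assess(out, member) for host, member, out in inventory}


def _sample(value):
    # Constructed text in the layout printed by:
    #   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SecureBoot
    return ("\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\r\n"
            f"    SecureBoot    REG_DWORD    {value}\r\n\r\n")


# Constructed inventory: hostnames and values are illustrative only.
INVENTORY = [
    ("LAPTOP-A", False, _sample("0x1")),
    ("LAPTOP-B", False, _sample("0x2")),
    ("LAPTOP-C", True, _sample("0x1")),
    ("LAPTOP-D", False, "ERROR: The system was unable to find the specified registry key or value.\r\n"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "exposed" are the stand-alone, default-mode case the quoted analysis singles out; "unknown" rows need a manual check rather than an assumption of safety.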
Received on Wed Mar 30 12:25:05 2005