[unisog] Windows Encrypted File System (EFS)

Stejerean, Cosmin cosmin at cti.depaul.edu
Fri Feb 10 23:47:22 GMT 2006


Seen many laptops with floppy drives recently? If only they had USB key
support. I use syskey with startup password option that requires me to
enter the password before starting up Windows. 

Many recent notebooks also support password protecting the hard drive
itself so that it will not respond to any IO requests until the proper
password is provided at boot time. Putting this together with syskey and
encryption (EFS or other standalone software) makes for some pretty
hard-to-crack laptops if stolen. If only bank employees were as paranoid as I
am...


Cosmin

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Stasiniewicz, Adam
Sent: Friday, February 10, 2006 5:10 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Windows Encrypted File System (EFS)

Actually there are three mitigating facts to what you just said.  First,
you don't have to have the administrator be the key recovery agent (in a
domain environment).  You can simply modify the GPO so there is no
recovery agent.  Second, if you use syskeys with a startup
password/floppy, the entire private key section of the local SAM is
encrypted with a key protected by the syskey.  Third, if on a stand-alone
computer, there will be no default recovery agent.

So ideally you should enable syskey (with a password/floppy) and disable
the Administrator as the recovery agent.  With this the EFS key will be
protected by your account password and syskey password; meaning that a
hacker would need to brute-force both passwords before being able to
access your EFS files; thereby making an effective tool against laptop
theft.

Regards,
Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 
MSCE: Messaging & Security 2003 

> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Reg Quinton
> Sent: Friday, February 10, 2006 12:00 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Windows Encrypted File System (EFS)
> 
> From: "Stejerean, Cosmin" <cosmin at cti.depaul.edu>
> > EFS is meant to encrypt files while on the drive (so if the laptop is
> > stolen nobody will be able to get the files) and while it is far from
> > perfect it would have helped in the recent cases in the news when
> > laptops of bank employees were stolen.
> 
> In theory yes, in practice no. The default configuration has the
> Administrator account as a key recovery agent. See the "User Beware"
> section in our discussion of EFS here:
> 
> http://ist.uwaterloo.ca/security/position/20020619/
> 
> EFS is not sufficient to protect data if your laptop is stolen. I
> understand there are lots of tools that will give you the Administrator
> account if you can get the system to boot from a CD. Once you have the
> Administrator account you now have all EFS files.
> 
> Mind you I use EFS on my laptop. Every little bit helps.

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
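The thread's advice boils down to two checks on a laptop: is syskey in startup-password or floppy mode, and is there a recovery agent (by default the Administrator account, as Reg notes) that can decrypt your EFS files besides you? The following PowerShell script is an added example, not code from any of the posters. It assumes two things that are not on this page: that the syskey mode is readable from the `SecureBoot` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 = key stored on disk, 2 = startup password, 3 = startup key on floppy), and that `cipher /c <file>` prints a "Users who can decrypt:" section followed by either "Recovery Certificates:" or "No recovery certificate found."; both are from the author's recollection of Windows behaviour and should be checked on the Windows version in use.

```powershell
# Added example: audit a laptop against the syskey + no-recovery-agent advice
# from the thread. Run as an administrator; pass the path of an EFS-encrypted file.
# Assumed (not from the page): the Lsa\SecureBoot value encodes the syskey mode,
# and the text layout of `cipher /c` is as matched below.
param(
    [Parameter(Mandatory = $true)]
    [string]$EncryptedFile
)

function Get-SyskeyMode {
    # SecureBoot: 1 = system key kept on disk, 2 = startup password, 3 = floppy.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    switch ([int]$lsa.SecureBoot) {
        1       { [pscustomobject]@{ Code = 1; Text = 'system key stored on disk (no startup password)' } }
        2       { [pscustomobject]@{ Code = 2; Text = 'startup password required' } }
        3       { [pscustomobject]@{ Code = 3; Text = 'startup key on floppy/removable media' } }
        default { [pscustomobject]@{ Code = $lsa.SecureBoot; Text = "unknown SecureBoot value '$($lsa.SecureBoot)'" } }
    }
}

function Get-EfsAccess {
    param([string]$Path)
    # cipher /c lists the users and any recovery certificates that can decrypt the file.
    $lines   = & cipher.exe /c $Path 2>&1
    $section = ''
    $users   = @()
    $agents  = @()
    foreach ($raw in $lines) {
        $t = $raw.ToString().Trim()
        if ($t -like 'Users who can decrypt*')   { $section = 'users';  continue }
        if ($t -like 'Recovery Certificates*')   { $section = 'agents'; continue }
        if ($t -like 'No recovery certificate*') { $section = '';       continue }
        if ($t -like 'Key information*')         { $section = '';       continue }
        # Skip blank lines and the thumbprint line printed under each entry.
        if ($t -eq '' -or $t -like 'Certificate thumbprint*') { continue }
        if ($section -eq 'users')  { $users  += $t }
        if ($section -eq 'agents') { $agents += $t }
    }
    [pscustomobject]@{ Users = $users; RecoveryAgents = $agents }
}

$mode   = Get-SyskeyMode
$access = Get-EfsAccess -Path $EncryptedFile

"Syskey mode        : $($mode.Text)"
"Can decrypt (users): $($access.Users -join ', ')"
"Recovery agents    : $(if ($access.RecoveryAgents) { $access.RecoveryAgents -join ', ' } else { 'none' })"

# Flag the two conditions the thread warns about.
if ($mode.Code -eq 1) {
    Write-Warning 'Syskey is stored on disk, so an offline attacker has it; switch to the startup password or floppy option.'
}
if ($access.RecoveryAgents) {
    Write-Warning "A recovery agent can decrypt $EncryptedFile; whoever holds that agent's private key gets the file regardless of your password. Remove the agent from the EFS recovery policy (GPO or local security policy) if that is not intended."
}
```

The script only reports; it changes nothing. Treat "no recovery agent" as a policy decision, not a free win: without any agent, a forgotten account password or a reset of it by an administrator means the EFS files are gone, which is exactly the property that makes the configuration useful against theft.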
