Oh, good for them. I stand corrected; thanks.
--alex
Ryan L. Means wrote:
> Sorry for replying to myself here, but to clarify, resetting passwords
> (rather than changing them yourself) actually invalidates encryption
> keys. If you reset a password you need to create a new encryption key.
> Try it yourself: Go into "Computer Management" in XP and try to change
> the password for an account. Read the warning message about what will be
> lost if you do it.
>
> Ryan
>
> On 3/30/2005 10:38 AM, Ryan L. Means wrote:
>
>> Alex,
>>
>> I believe that the original Administrator password is used as the
>> passphrase for the EFS recovery key, so using NTAccess will not give
>> you access to the recovery key. It can replace the Administrator
>> password in the SAM with a new one, but it can't change the passphrase
>> on the recovery key without knowing the original. That is of course
>> the official line from Microsoft and I have not verified it. :)
>>
>> Ryan
>>
>>
>> On 3/30/2005 10:26 AM, Alexander Brown wrote:
>>
>>> Maybe I'm missing something about EFS, but it seems to me that it's
>>> not really all that useful in preventing a
>>> data-loss-by-physical-theft problem, if you have a clueful attacker
>>> who is really after the data.
>>>
>>> For example:
>>>
>>> 1) Evil bad guy steals XP laptop with encrypted sensitive data on it,
>>> in order to acquire the data.
>>>
>>> 2) Evil bad guy breaks the administrator password on the laptop,
>>> using NTAccess or similar.
>>>
>>> 3a) Evil bad guy uses administrator credentials to recover the
>>> encryption key and decrypt data, and goes off and sells the data to
>>> the mafia.
>>>
>>> OR
>>>
>>> 3b) Somewhat lazier evil bad guy uses administrator credentials to
>>> reset the password on the account that owns the encrypted data, logs
>>> in with the account of the data owner, and goes off and sells the
>>> data to the mafia.
>>>
>>> I'm not convinced that EFS would be a substantial barrier to
>>> information disclosure in a situation like the recent laptop
>>> incident. Others may, just possibly, disagree... :>
>>>
>>> --alex
>>>
>>> Ryan L. Means wrote:
>>>
>>>> Steve,
>>>>
>>>> In my experience it works very well and has a negligible performance
>>>> impact.
>>>>
>>>> However, users should only encrypt the folders containing the
>>>> specific data that they would like to protect. I have seen many a
>>>> system completely hosed by an attempt to EFS the entire system
>>>> drive. On my laptop I have a special storage area that is encrypted
>>>> where I point all of my applications to store their data.
>>>>
>>>> The second big thing to note is that unless you create and store a
>>>> recovery key somewhere (a moderately complex process for the average
>>>> user), a forgotten password means that the data will be irrevocably
>>>> lost. I believe that by default under XP, the Administrator of the
>>>> machine can perform recovery. On a domain environment, a recovery
>>>> key can also be recreated through group policy. Of course, if we are
>>>> talking about sensitive data stored on a laptop, irrevocable loss
>>>> shouldn't be that big of a deal because the restricted data should
>>>> also be on a secure server and it could just be copied back.
>>>>
>>>> Ryan
>>>>
>>>>
>>>> On 3/30/2005 9:03 AM, Steven Longenbohn wrote:
>>>>
>>>>> An inquiry was put to me about the Windows XP Encrypted File System
>>>>> (EFS).
>>>>> I've not used this and am just now reading about it in a book.
>>>>>
>>>>> While this learning is going on, I wanted to post this inquiry to
>>>>> see if any of you are using EFS, and if so, what is your experience
>>>>> with it?
>>>>>
>>>>> How much does it slow down doing the daily work, opening encrypted
>>>>> files, re-encrypting them, etc.?
>>>>> How easy is this to set up and maintain?
>>>>> Will the "average user" be able to continue doing what they do, or
>>>>> do they now have to work differently (you know, a new learning curve
>>>>> that most folks either don't learn or live on your telephone for
>>>>> support)?
>>>>>
>>>>> Any input will be appreciated.
>>>>> Thanks!
>>>>>
>>>>>
>>>>> ********************************************************************************************
>>>>>
>>>>> * Steve "DrSteve" Longenbohn IS&T: Administrative Systems Dept
>>>>> *
>>>>> * CalNet Deputy System Administrator
>>>>> * CalAgenda Admin Departmental Security Overseer
>>>>> * PC Doctor
>>>>> *
>>>>> * Office: 510-643-9777 Cell: 510-812-0256
>>>>> * 2111 Bancroft Way, Room 409D (Banway Bldg)
>>>>> ********************************************************************************************
Received on Wed Mar 30 10:51:29 2005