EFS- manipulated UserPassword


Thomas Weigel

Hello,

using W2k on laptops we would like to keep some sensitive data there too.
Searching for a solution, EFS looked fine till I found the EFS backdoor
problem mentioned in 2002,
where booting from a floppy and changing the password of the user (using
certain programs) grants access to the encrypted directories and files
too...

I did not find any article about this problem (the only link I found is
worthless because of the new structure of the MS homepage...)
I did not find any information searching for patches and within the service
packs.
Has the problem not been solved yet? If it has been solved, where can I find
the solution?
I would prefer to use the Windows 2000 EFS rather than a third party
solution or updating to XP.

thanks ahead and kind regards

Thomas Weigel
 
No, the problem still remains. The reason it works is because the built-in
administrator account is also the Recovery Agent in Windows 2000. XP Pro
does not require a Recovery Agent, password resets will not allow the user
account to access EFS files, and uses stronger encryption. You would need to
upgrade to XP Pro OR export/delete the user's and Recovery Agent's EFS
private keys to a .pfx file when the computer is not physically secure. If
you do upgrade to XP Pro and do not remove the user's EFS private key from
the computer be SURE to make sure that the user is forced to use a complex
password. You can use security policy to enforce this.

The reason is that the user's password protects the EFS private key. An
attacker could still reset the administrator password to gain access to the
computer and then install a password cracker like LC5 on it to crack the
user's password and gain access to the EFS files. If you disable storage of
LM hashes on the computer, use password complexity, and a password of, say, at
least ten characters in length it would take a long time to crack it with
LC5. Password complexity only enforces three types of characters. If you are
the user or you can convince the user to use all four character types the
password will be much stronger yet, as in T337r88t!*. A password like that
will not be easy to remember in which case the user could write it down as
long as it is not kept near the computer. --- Steve
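
Steve's point about LM hashes and the fourth character type, put into numbers, as an added example that is not part of the original thread: a Python sketch that audits a candidate password against the length and complexity rules he describes and estimates the brute-force search space with and without a stored LM hash. The function names, the 69-character LM alphabet (printable ASCII after upper-casing) and the simplified keyspace model are assumptions of this example.

```python
import string

# The four character types the post refers to (symbol set is an assumption:
# ASCII punctuation plus space).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}
LM_CHARSET = 26 + 10 + 33  # LM upper-cases the input: A-Z, 0-9, 33 symbols
LM_MAX_LEN = 14            # passwords longer than this get no usable LM hash


def classes_used(password):
    """Return the sorted names of the character types present."""
    return sorted(n for n, chars in CLASSES.items()
                  if any(c in chars for c in password))


def nt_keyspace(password):
    """Estimated candidates against the NT hash: alphabet ** length."""
    alphabet = sum(len(CLASSES[n]) for n in classes_used(password))
    return alphabet ** len(password)


def lm_keyspace(password):
    """Estimated candidates when an LM hash is stored, else None.
    LM hashes each 7-character half separately, so the work only adds up."""
    if len(password) > LM_MAX_LEN:
        return None
    first, second = password[:7], password[7:14]
    return LM_CHARSET ** len(first) + LM_CHARSET ** len(second)


def audit(password, min_len=10, min_classes=3):
    """Check length/complexity and report both keyspace estimates."""
    used = classes_used(password)
    return {
        "length_ok": len(password) >= min_len,
        "complexity_ok": len(used) >= min_classes,
        "classes": used,
        "nt_keyspace": nt_keyspace(password),
        "lm_keyspace": lm_keyspace(password),
    }


if __name__ == "__main__":
    # First sample is the password quoted in the post; second is constructed.
    for sample in ("T337r88t!*", "Abcdefgh12"):
        print(sample, audit(sample))
```

For the ten-character password from the post the LM estimate is about 7.4e12 candidates against about 6.0e19 for the NT hash alone, which is the gap that disabling LM hash storage closes.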
 
The problem was fixed by an architectural change for XP and
Windows 2003. This is not backported to Windows 2000.

One thing Steve omitted is that if you force use of domain
accounts on your W2k then what he outlined for replacing the
admin password, then getting the SAM and cracking against
the encrypting user accounts (so as to be able to log into them
in a way that even EFS in XP/W2k3 will allow) would not work
since the encrypting accounts are not in the local SAM.
 
Thanks so far.
But ...

For security reasons the laptops are never connected to our network. Our
network is not connected to the internet, either. The encrypted data have to be
available at the customer, too. So the local SAM is the only one. The key of
the administrator is exported. The only key currently left would be the
private key of the user (only one, as every user has his own laptop).
What about the following idea: Not exporting but simply moving the user's
encryption key to a memory stick should secure the encrypted files. Just
whether the stick is plugged in or unplugged during booting decides if the
encrypted data are available. If this could work, what do I have to do?
For several reasons upgrading to XP is currently not a solution.

Thomas Weigel
 