RE: Protecting sensitive files on a Windows file server

["David Gillett" <gillettdavid () fhda edu>]

  Indeed, the most common failure of EFS I've seen involves using it
on a standalone machine, where an O/S reinstall has wiped out both
the original and the recovery keys.  The recovery key needs to be 
somewhere off of the original machine -- such as held by your AD 
infrastructure.

David Gillett


> -----Original Message-----
> From: Roger A. Grimes [mailto:roger () banneretcs com] 
> Sent: Wednesday, June 21, 2006 12:28 PM
> To: Tyler, Grayling; paul.johnson8 () gmail com; security basics
> Subject: RE: Protecting sensitive files on a Windows file server
>
> Grayling,
>
> I thoroughly disagree with you about the recovery key issue. 
> Recovery keys aren't a problem. You have to have backup keys 
> in case the original keys are lost. No one should implement 
> any encryption strategy without first deploying a reliable 
> key archival\recovery solution. 
>
> It takes an admin password or to be logged in as the normal 
> user to recover EFS-protected files. If I can do either of 
> those two things, I don't care what your encryption program 
> is, it's game over. I can just retrieve your keys, install a 
> keylogging trojan to capture your passphrase protecting your 
> keys, or just grab the files when the original user views them.
>
> The problem isn't key recovery, it's other operational 
> issues. For instance, EFS only works on NTFS partitions. 
> That's a major problem for an enterprise-wide encryption 
> platform, which is trying to protect data on non-NTFS media 
> (e.g. USB keys, cd-roms, dvd's, etc.)
>
> Roger
>
> -----Original Message-----
> From: Tyler, Grayling [mailto:ggtyler () foodlion com]
> Sent: Wednesday, June 21, 2006 2:49 PM
> To: Roger A. Grimes; paul.johnson8 () gmail com; security basics
> Subject: RE: Protecting sensitive files on a Windows file server
>
> I agree that using the password protection from within 
> outlook isn't especially secure (using the file encryption is 
> better though). EFS aren't much better because of the 
> recovery keys.  If all you're doing is keeping the honest 
> people honest then either would likely suffice. 
>
> If its honest-to-goodness sensitive material that you want to 
> protect from not so honest people then use the RSA with token or PGP.
>
>
>
> All communication regarding everyday IT support needs such as 
> IT problems / incidents should be directed to the ITCRC team 
> at x2848 instead of contacting the various associates 
> directly within the IT department. 
> By logging all problems / incidents with the ITCRC team, this 
> will provide us more visibility into the various types of 
> calls we are receiving, trending of these calls, numbers of 
> calls, etc. The ITCRC team will bring more attention to your 
> issues and allow prompt resolution to your calls.
>
> -----Original Message-----
> From: Roger A. Grimes [mailto:roger () banneretcs com]
> Sent: Tuesday, June 20, 2006 9:01 PM
> To: paul.johnson8 () gmail com; security basics
> Subject: RE: Protecting sensitive files on a Windows file server
>
> -See replies below. 
>
> Roger
>
> *****************************************************************
> *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE:
> Security (2000/2003/MVP), CEH, yada...yada...
> *email: roger_grimes () infoworld com or roger () banneretcs com 
> *Author of Professional Windows Desktop and Server Hardening (Wrox)
> *http://www.amazon.com/gp/product/0764599909
> *****************************************************************
>
>
>
> -----Original Message-----
> From: paul.johnson8 () gmail com [mailto:paul.johnson8 () gmail com]
> Sent: Tuesday, June 20, 2006 7:54 PM
> To: Roger A. Grimes; security basics
> Subject: Re: Protecting sensitive files on a Windows file server
>
> We discovered with Office 2003, using the default Office 
> 97/2000 compatible encryption type to protect the files, it 
> is possible to recover the passwords/data using software such 
> as Elcomsoft Password recovery (which can also break EFS) and 
> online password/data recovery services no matter how long the 
> password or complexity in under 5 mins.
>
> -It's worse than that. Office passwords can always be removed (set to
> blank) because the password is stored in a known and editable 
> location.
>
> -Elcomsoft does not "crack" EFS private keys. It breaks the 
> Administrator account password (or uses the logon Administrator
> credentials) to programmatically gain access to the otherwise 
> protected EFS private key. If the intruder breaks your Admin 
> password or is able to get logged on as Administrator, it's 
> always game over...and cracking EFS keys is only one your problems.
>
> How are others protecting this information in their place of work?
>
> -Most aren't. Just read the papers. Of those that are, most 
> are using EFS (again most users aren't), PGP, RSA, or some 
> other commercial solutions. There are dozens of commercial 
> encryption solutions, and kudos to you for looking into this.
>
>
> On 21/06/06, Roger A. Grimes <roger () banneretcs com> wrote:
> > There are many great commercial solutions, like PGP 
> Desktop, but EFS 
> > is free and works well if you handle key archival seriously.
> >
> > EFS works well, but it is not as eloquent as many of the other 
> > solutions (don't forget TrueCrypt for a free solution). For 
> example, 
> > EFS only encrypts data while its stored on the hard drive, but the 
> > data is decrypted (using EFS alone) when copied across the 
> network or 
> > down to other media. PGP Desktop, with NetShare, allows the 
> files and 
> > keys to be managed easier and to remain encrypted where ever they
> ended up (i.e.
> > USB key, CD-ROM, etc.); and with a single encryption key.
> >
> > Office 2003 encryption isn't good encryption; easy to bypass.
> > Winzip leaves unencrypted recoverable temp files.
> >
> > Just my one-half cent. I haven't tried the RSA solution.
> >
> > Roger
> >
> > *****************************************************************
> > *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: 
> > Security (2000/2003/MVP), CEH, yada...yada...
> > *email: roger_grimes () infoworld com or roger () banneretcs com 
> *Author of 
> > Professional Windows Desktop and Server Hardening (Wrox)
> > *http://www.amazon.com/gp/product/0764599909
> > *****************************************************************
> >
> >
> >
> > -----Original Message-----
> > From: paul.johnson8 () gmail com [mailto:paul.johnson8 () gmail com]
> > Sent: Monday, June 19, 2006 7:39 PM
> > To: security basics
> > Subject: Protecting sensitive files on a Windows file server
> >
> > We are looking for a secure way to store very sensitive 
> files on our 
> > Windows servers.  The data is shared. We will turn on full 
> auditing, 
> > create hidden shares and a security group.
> >
> > Which type of protection would be most suitable:
> >
> > Office 2003 encryption
> > Windows EFS
> > Winzip 9.x encrypted archives
> > RSA SecurID Windows Agent (2 factor authentication) PGP Desktop Pro
> >
> > Our concern with the Windows/Office encryption types is 
> that it could 
> > be cracked - ie. someone could get hold of the file and run 
> some kind 
> > of password recovery on the file and access the data.
> >
> > Any ideas on how to approach this would be much appreciated.
> **************************************************************
> **********
> **
> This electronic message may contain confidential or 
> privileged information and is intended for the individual or 
> entity named above.  If you are not the intended recipient, 
> be aware that any disclosure, copying, distribution or use of 
> the contents of this information is prohibited. 
> If you have received this electronic transmission in error, 
> please notify the sender immediately by using the e-mail 
> address or by telephone (704-633-8250).
> **************************************************************
> **********
> **
>
> --------------------------------------------------------------
> -------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE 
> The NSA has designated Norwich University a center of 
> Academic Excellence in Information Security. Our program 
> offers unparalleled Infosec management education and the case 
> study affords you unmatched consulting experience. 
> Using interactive e-Learning technology, you can earn this 
> esteemed degree, without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> --------------------------------------------------------------
> -------------


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------