Bugtraq mailing list archives
Re: Attacking EFS through cached domain logon credentials
From: Todd Sabin <tsabin () razor bindview com>
Date: 24 Jan 2003 15:56:32 -0500
"John Howie" <JHowie () securitytoolkit com> writes:
Todd (and lists), You wrote:This is not completely correct, and I wanted to clarify how an attack against a domain-member's EFS encrypted files can work. The threat model is this:It is important to distinguish between a weakness in EFS (there is none, as described here) and the risk associated with using cached logon credentials.
I agree there's no bug here, if that's what you mean. Whether this is a 'weakness', risk, vulnerability, or whatever is mainly semantics. Let's just say it's a property of EFS that its encryption is no stronger than the user's password in the scenario I outlined. The underlying point is that many organizations probably have password policies (complexity requirements and maximum password age) designed in part to mitigate the risk of the passwords being cracked before they expire (and become useless). Often, maximum age is in the ballpark of 45 days. The problem is that if someone has obtained a stolen laptop as I described, the user's password doesn't become useless when it expires unless the information in the files encrypted with EFS also becomes useless. If you want to encrypt information that has long term value, you probably need to either seriously reevaluate your password complexity requirements, put smart cards or some other hardware into the mix (as you mentioned), or use something other than EFS. -- Todd Sabin <tsabin () optonline net> BindView RAZOR Team <tsabin () razor bindview com>
Current thread:
- Attacking EFS through cached domain logon credentials Todd Sabin (Jan 21)
- <Possible follow-ups>
- RE: Attacking EFS through cached domain logon credentials John Howie (Jan 22)
- Re: Attacking EFS through cached domain logon credentials Todd Sabin (Jan 24)