Re: Microsoft EFS

[Thomas Springer <tuevsec () gmx net>]

EFS-stuff is tricky. Let me drop a few hints (on XP/2003 only!)

EFS-Files are crypted for the actual logged-in user (be it a domain-user
or a local user).
By default, EFS crypts also to the key of a "default recovery agent",
which is the local administrator or, if you are a domain-user, the
domain-administrator.

ONLY these two accounts (user and recovery agent) can decrypt the files.
If your machine is part of a domain AND the files are crypted with a
domain-account, the only way to get the data back is cracking the domain-pw.

I did a little q&a months ago for our internal stuff, maybe this helps 
to make things clearer. and remember: the following matters for xp/2003. 
EFS on win2k is different (and insecure).

How is it crypted?
Depending on Version/Servicepack with 3DES, DESX oder 256Bit AES
XP SP1 offers you a registry-key to choose the ciper:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
AlgorithmID (DWORD)
3DES: 0x6603
DESX: 0x6604
AES-256: 0x6610

Where is the key hanging around physically?
The encrypted keys are living on
 \\<yourprofile>\Application Data\Microsoft\Crypto\RSA\{SID}\...

Can I backup/export the key?
Yes. Start a cmd.exe and say  cipher.exe /x [filename]
This saves a password-protected copy of your efs-key.

How can I check who can access an efs-crypted file (e.g. who's the 
recovery-agent for a specific file)?
Start a cmd.exe and say   efsinfo.exe /c /r /u

Does it help if I backup the above-mentioned key from my profile-directory?
No. Your local key-file is crypted with a random key and your
user-password. Windows changes this random key-part every 60 days. Your
backup would be useless then. If you change your windows- (or
domain-)password, the key gets also updated automagically.

What happens, if a windows-administrator (or linux-user with a
bootdisk) is resetting my password (be it on the domain-controller or 
locally)?
You have no longer access to your EFS-encrypted files, because your keys
in the above mentioned directorys are garbled with your OLD
user-password. If you (or somebody else) reset your account-password
remotely, the key-files on your machine won't get reencrypted and are 
therefore useless afterwards.
Hey man, after all you wouldn't want a simple domain-admin to read your 
encrypted data, would you?
Hopefully you have backed up your EFS-Key using cipher.exe. Otherwise
you'll have to consult your recovery-agent!

Depending on your os and sp, ciper.exe and efsinfo.exe might not be
installed on your machine - but you can get these tools and other
valuable infos from microsoft.

If you have anything to do with EFS, I'll definitely recommend reading 
and understanding 
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#EIAA
before you start doing anything! This is ESSENTIAL information and 
contains links to the newest cipher.exe, efsinfo.exe and other tools!

Hope this helps

Thomas Springer







> Do you know how his will work for a machine that is part of a Domain?
> Where there are no Local Users and the Default Recovery Agent is the 
> "Domain Admin"
>
> I know tht one can always hack the local admin PW, then unjoin the 
> domain, but where does that leave the machine.
> Is there any way to hack the "nounce" PW?
>
> Thanks
>
> Tim
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/