Security Basics mailing list archives

RE: XP native encryption


From: "Robert Hines" <b.hines () comcast net>
Date: Fri, 27 May 2005 07:43:38 -0400



This is true if the Administrator had the foresight to use the cipher /R
command to make a file recovery key and install it under the Administrator
account prior to any user encrypting a file.

Windows would then use this key along with any user account generated key
when encrypting files, thus giving the Administrator a backdoor to the
confidential information. Much like the private key knows the backdoor to
any file that was encrypted using its matching public key.

Bob


-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm () ornl gov] 
Sent: Tuesday, May 24, 2005 12:30 PM
To: Roger A. Grimes; Fernando Serto; security-basics () securityfocus com
Subject: RE: XP native encryption

Roger,

If this is a stand-alone machine, the local administrator is the default
recovery agent.  You should be able to log on as the local administrator
and recover the files.  (assuming the recovery key was not removed from
the administrator profile)

Dennis

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com] 
Sent: Monday, May 23, 2005 6:06 PM
To: Fernando Serto; security-basics () securityfocus com
Subject: RE: XP native encryption

I'm pretty familiar with EFS.  The first question is whether the laptop
was a stand-alone laptop or if it was joined to a domain.  If the latter
is true, your Data Recovery Agent (usually the domain admin by default)
can log on and recover the files.  If not, then the only account that is
able to recover it is the user who protected the files.  When EFS is
used, the user's keys are stored in the user's profile and protected
with a master key created using the user's password. If the user's
profile hasn't been overwritten, then have the user log on and simply set
the password back to the original, and voilà, the files will be
accessible again. If the user's profile has been overwritten, then the
only hope is to recover the user's profile some way...System Restore??

The lesson to be learned is that EFS should be disabled (by default it
is enabled and can be used by any user) until a default recovery agent
has been defined.

Good luck.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************
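The three replies above describe the same gap from a defender's side: an EFS file is only recoverable by the user's own profile key or by a Data Recovery Agent (DRA) that was defined before the file was encrypted, and the DRA key pair is staged with cipher /R. The script below is an added example, not code from anyone in this thread; it assumes a current Windows with PowerShell run from an elevated prompt, and the paths in $DraBase and $AuditRoot are placeholders. It inventories encrypted files, checks whether any File Recovery certificate is present, and, if none is, stages a DRA key pair the way Robert describes.

```powershell
# Added example (not from the thread): audit EFS exposure on a stand-alone
# Windows machine and stage a Data Recovery Agent key pair with cipher /R.
# Assumptions: elevated PowerShell; $DraBase and $AuditRoot are placeholders.

$DraBase   = 'C:\EFS-DRA\efs-recovery'   # placeholder; cipher appends .cer and .pfx
$AuditRoot = 'C:\Users'                  # placeholder root to scan for encrypted files

# A certificate carrying the File Recovery EKU is an EFS recovery-agent cert.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EncryptedFiles {
    param([string]$Root)
    # EFS sets the Encrypted attribute on protected files and folders.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

function Get-RecoveryAgentCerts {
    # Look in the current user's and the machine's personal stores for
    # certificates whose EKU list includes File Recovery (what cipher /R makes).
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid }
    }
}

# 1. Inventory: these files become unreadable if the owning profile is deleted
#    or recreated and no recovery agent was defined when they were encrypted.
$encrypted = @(Get-EncryptedFiles -Root $AuditRoot)
Write-Host "Encrypted items under ${AuditRoot}: $($encrypted.Count)"
$encrypted | Select-Object -First 20 -Property FullName

# 2. Is any recovery certificate present for this account or machine?
$dra = @(Get-RecoveryAgentCerts)
if ($dra.Count -eq 0) {
    Write-Warning 'No File Recovery certificate found: encrypted files depend solely on each user''s own profile key.'
} else {
    $dra | Format-Table Subject, Thumbprint, NotAfter
}

# 3. Stage a DRA key pair if none exists. cipher /R prompts for a password to
#    protect the .pfx and writes <base>.cer (public part) and <base>.pfx (private key).
if ($dra.Count -eq 0) {
    New-Item -ItemType Directory -Path (Split-Path -Parent $DraBase) -Force | Out-Null
    cipher.exe "/R:$DraBase"
    # Remaining steps are done by hand: add <base>.cer as a recovery agent under
    # Local Security Policy > Public Key Policies > Encrypting File System, keep
    # <base>.pfx offline, then run 'cipher /U' so already-encrypted files are
    # re-stamped with the new agent. Until that runs, the DRA only covers files
    # encrypted after it was defined, which is exactly the situation in this thread.
}
```

The third step matters for Roger's point: defining a recovery agent after the fact does nothing for files that were encrypted before it existed unless each file is touched again (cipher /U does that sweep for files the current user can open), so the check in step 2 is the one to run before anyone is allowed to turn EFS on.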



-----Original Message-----
From: Fernando Serto [mailto:fernando.serto () memetrics com] 
Sent: Monday, May 23, 2005 3:29 AM
To: security-basics () securityfocus com
Subject: XP native encryption

Guys, I have a problem here where one of the users has encrypted all her
documents on her laptop, and as requested, she had administrative
rights. She had a friend playing around with her laptop during the
weekend, and I have no idea why that guy went through the user accounts,
changed the administrator password, logged in as local administrator,
DELETED the user account, RECREATED it, and changed the password back to
what it was. I think the user was too embarrassed to tell me why this
guy had her password, and why he was playing around with her laptop, but
anyway, now she can't access her files, because they are encrypted.

Do you know any way to decrypt those files, in order to re-encrypt using
the new username?

cheers,
Fernando

--
Fernando Serto
Systems Administrator
Ph: +61 2 9556 0833
Mo: +61 403 338 005
Fa: +61 2 9555 6911


