Security Basics mailing list archives

Re: Windows EFS and Changing a Local Account Password


From: Derek Schaible <dschaible () cssiinc com>
Date: Mon, 17 Jul 2006 07:04:06 -0400


It is my understanding that if a user changes their own password, then EFS functions normally. However, if a computer is a Domain Member and an Admin changes a local account password, the EFS encrypted files are no longer accessible. If a computer is not a Domain Member, then the Local Admin can reset a password and access EFS Encrypted Data.

The issue with the Domain computers is due to the need for a Domain-wide Key Recovery Agent (KRA). With a KRA Certificate, the security maintainer in the organization can access any EFS encrypted data. This prevents a company laptop, encrypted with EFS, from being stolen where the Local Admin account is reset via a Viper-like tool. In this scenario, all EFS data is still secure. However, this protection is not afforded to stand-alone or workgroup systems.

HTH,
Derek Schaible



On Jul 13, 2006, at 11:36 PM, winshel () camden rutgers edu wrote:

Thanks for the replies. I thought I had read somewhere that changing the local account password could lock you out since the encryption was based on the password. I may have misunderstood.

Thanks again for the responses.

