PanicByte

How Secure is Windows Encryption File System (EFS)??

8 posts in this topic

Now I know if you have a weak Windows password it is very easy to crack. Now, assuming someone has a good Windows password (if Admin and Users all have strong passwords) (at least 14 char alphanumeric), how strong is the Windows Encrypting File System (EFS)? What would it take for it to be cracked?


Windows Encryption or EFS is a joke. All you have to do to decrypt the data is move the data to a FAT volume or any other non-NTFS volume; it pretty much auto-decrypts the data for you with no passwords needed. I would not use EFS if I were you.

-Enigma


Windows Encryption or EFS is a joke. All you have to do to decrypt the data is move the data to a FAT volume or any other non-NTFS volume; it pretty much auto-decrypts the data for you with no passwords needed. I would not use EFS if I were you.

-Enigma

True, but some protection is better than no protection.


Windows Encryption or EFS is a joke. All you have to do to decrypt the data is move the data to a FAT volume or any other non-NTFS volume; it pretty much auto-decrypts the data for you with no passwords needed. I would not use EFS if I were you.

-Enigma

True, but some protection is better than no protection.

The only thing that you're protecting yourself from is a moron that doesn't know any better. It's not a good practice in a business environment.

-Enigma

True, but some protection is better than no protection.

You make it sound like installing PGP Desktop is difficult.

It will auto-encrypt AIM and allows for entire drives to be encrypted.

-gonffen


Yeah, but that NTFS to FAT trick only works if you're logged in, doesn't it???

Edited by PanicByte
Yeah, but that NTFS to FAT trick only works if you're logged in, doesn't it???

Some scenarios I can think of that will make this trick work:

1. The attacker gets past the BIOS password, boots with a Linux live CD and copies the hard drive to removable media, i.e. an external HDD.

2. The attacker is remote and your file sharing is set up wrong. I believe the C drive is shared by default. Not all files will be at risk, but some data can be copied. I haven't really looked into the Windows File and Printer Sharing utility, but I do know it is allowed by default on the Windows firewall. hint.

3. The attacker reinstalls the BIOS firmware, writing over the previous and throwing out the BIOS password. Then boots into a Linux live CD, and copies to external media.

4. The attacker already knows, or has found out, the BIOS and login passwords/username, and boots. Does a 'snapshot' of the hard disk... I don't know how to do that, but I read it in my Windows book.

If I think of any more I will tell you. Those are off the top of my head, and aren't necessarily completely accurate. So yes, the NTFS/FAT trick will work if you are logged in, and can be bypassed if the attacker isn't logged in, with the right methods.

Alk3

P.S. @ everybody: if I'm wrong about any of these let me know. :WHAT:


EFS encrypts the files using a key based partially on your account-login password. Moving them to a FAT32 drive decrypts the data if you are logged in... this is a FEATURE, not a security weakness; you are actually decrypting them yourself.

Booting into Linux to read the files or changing the admin password without using your account *will* break all usability with your EFS-protected files... you will *not* be able to read them without decrypting them.

the basic overview:

http://www.microsoft.com/resources/documen...w.mspx?mfr=true

more in-depth:

http://www.microsoft.com/technet/prodtechn...oy/cryptfs.mspx

there is a (payware) program to aid in decryption:

http://elcomsoft.com/aefsdr.html <- once again Elcomsoft, they are a (superior) L0pht for the new era ;)

the demo only decrypts the beginning of any files, you need to register..

How EFS Works

1. EFS uses a public-private key pair and a per-file encryption key to encrypt and decrypt data. When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data. The FEK is encrypted with the user's public key, and the encrypted FEK is then stored with the file.

2. Files can be marked for encryption in a variety of ways. The user can set the encryption attribute for a file by using Advanced Properties for the file in My Computer, by storing the file in a file folder set for encryption, or by using the Cipher.exe command-line utility. EFS can also be configured so that users can encrypt or decrypt a file from the shortcut menu accessed by right-clicking the file.

3. To decrypt files, the user opens the file, removes the encryption attribute, or decrypts the file by using the cipher command. EFS decrypts the FEK by using the user's private key, and then decrypts the data by using the FEK.

Changing attributes, file permissions and passwords outside of Windows does not change the fact that the file is still encrypted, using a cert based on your old password and attribs; admin accounts cannot decrypt files encrypted by a lesser account unless that account has added admin access and the admin has a valid certificate. If one were to gain access to the account that encrypted the file(s) in the first place they could be decrypted, but copying the encrypted files without the certs or the account pass is going to yield nothing.

Without the user private-key, you are currently rather hooped. B)

One can view the certificate(s) you have locally to see what is going on; in my case, XP and 2003 default to:

sha1RSA using RSA 1024-bit on a per-account basis

Edited by jabzor
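
Added example, not part of any post in this thread: one way to do the local certificate check the last post describes, in PowerShell. It lists the current user's certificates that carry the Encrypting File System enhanced key usage, with signature algorithm and RSA key size; the function name and the 2048-bit threshold are assumptions of this example.

```powershell
# Added example: inventory the current user's EFS certificates.
# The function name and $MinRsaBits are assumptions, not from the thread.
$EfsOid     = '1.3.6.1.4.1.311.10.3.4'   # EKU OID: Encrypting File System
$MinRsaBits = 2048                        # assumed policy threshold

function Get-EfsCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # Keep only certificates whose Enhanced Key Usage extension lists EFS.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { return }
        if ($eku.EnhancedKeyUsages.Value -notcontains $EfsOid) { return }

        # RSA key size; stays $null if the certificate is not RSA.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
            RsaBits       = $bits
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # Without the private key this profile cannot decrypt the FEK.
            HasPrivateKey = $cert.HasPrivateKey
            BelowPolicy   = ($null -ne $bits -and $bits -lt $MinRsaBits)
        }
    }
}

Get-EfsCertificate | Format-Table -AutoSize
```

A row with `HasPrivateKey` set to `False` means files encrypted to that certificate cannot be opened from this profile, which is the reason to keep an exported backup of the key pair.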
