Security Basics mailing list archives
RE: XP native encryption
From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Tue, 24 May 2005 12:30:11 -0400
Roger,

If this is a stand-alone machine, the local administrator is the default recovery agent. You should be able to log on as the local administrator and recover the files. (assuming the recovery key was not removed from the administrator profile)

Dennis

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Monday, May 23, 2005 6:06 PM
To: Fernando Serto; security-basics () securityfocus com
Subject: RE: XP native encryption

I'm pretty familiar with EFS. The first question is whether the laptop was a stand-alone laptop or if it was joined to a domain? If the latter is true, your Data Recovery Agent (usually the domain admin by default) can log on and recover the files. If not, then the only account that is able to recover it is the user who protected the files.

When EFS is used, the user's keys are stored in the user's profile and protected with a master key created using the user's password. If the user's profile hasn't been overwritten, then have the user log on and simply set the password back to the original, and voilà, the files will be accessible again. If the user's profile has been overwritten then the only hope is to recover the user's profile some way... System Restore??

The lesson to be learned is that EFS should be disabled (by default it is enabled and can be used by any user) until a default recovery agent has been defined.

Good luck.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************

-----Original Message-----
From: Fernando Serto [mailto:fernando.serto () memetrics com]
Sent: Monday, May 23, 2005 3:29 AM
To: security-basics () securityfocus com
Subject: XP native encryption

Guys,

I have a problem here where one of the users has encrypted all her documents on her laptop, and as requested, she had administrative rights. She had a friend playing around with her laptop during the weekend, and I have no idea why that guy went through the user accounts, changed the administrator password, logged in as local administrator, DELETED the user account, RECREATED it, and changed the password back to what it was.

I think the user was too embarrassed to tell me why this guy had her password, and why he was playing around with her laptop, but anyway, now she can't access her files, because they are encrypted.

Do you know any way to decrypt those files, in order to reencrypt using the new username?

cheers,
Fernando

--
Fernando Serto
Systems Administrator
Ph: +61 2 9556 0833
Mo: +61 403 338 005
Fa: +61 2 9555 6911
------------------
Certain disclaimers and policies apply to all email sent from Memetrics. For the full text of these disclaimers and policies see http://www.memetrics.com/emailpolicy.html
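
The check behind the "disable EFS until a recovery agent has been defined" lesson in the quoted message, as an added example that is not part of the original thread or any poster's own code. It assumes the EFS recovery policy certificates are published under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates and that the EfsConfiguration DWORD (1 = EFS off) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS controls EFS on the machine; the -DisableIfNoAgent switch is a name made up for this script.

```powershell
# Added example: report whether this machine has an EFS recovery agent,
# and optionally turn EFS off when it has none. Run from an elevated prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableIfNoAgent   # hypothetical switch name, used only by this script
)

# Assumed registry locations (see the lead-in).
$draKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

# Each recovery agent certificate in the policy is a subkey named by its thumbprint.
$agents = @()
if (Test-Path $draKey) {
    $agents = @(Get-ChildItem $draKey | ForEach-Object { $_.PSChildName })
}

# A missing key or value is read as "EFS is still enabled".
$cfg = (Get-ItemProperty -Path $efsKey -Name EfsConfiguration `
            -ErrorAction SilentlyContinue).EfsConfiguration
$efsDisabled = ($cfg -eq 1)

# AtRisk: users can encrypt files, but nobody other than the user can recover them.
$report = [pscustomobject]@{
    Computer                 = $env:COMPUTERNAME
    RecoveryAgentCount       = $agents.Count
    RecoveryAgentThumbprints = $agents -join ', '
    EfsDisabled              = $efsDisabled
    AtRisk                   = (-not $efsDisabled) -and ($agents.Count -eq 0)
}
$report

if ($report.AtRisk -and $DisableIfNoAgent) {
    # ShouldProcess makes -WhatIf and -Confirm work before the registry is changed.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set EfsConfiguration=1 (disable EFS)')) {
        if (-not (Test-Path $efsKey)) { New-Item -Path $efsKey -Force | Out-Null }
        Set-ItemProperty -Path $efsKey -Name EfsConfiguration -Value 1 -Type DWord
    }
}
```

Turning EFS off this way only stops new encryption; it does nothing for files that were already encrypted without a recovery agent.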