Security Basics mailing list archives
RE: Protecting sensitive files on a Windows file server
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 22 Jun 2006 15:08:50 -0700
Indeed, the most common failure of EFS I've seen involves using it on a standalone machine, where an O/S reinstall has wiped out both the original and the recovery keys. The recovery key needs to be somewhere off of the original machine -- such as held by your AD infrastructure. David Gillett
-----Original Message----- From: Roger A. Grimes [mailto:roger () banneretcs com] Sent: Wednesday, June 21, 2006 12:28 PM To: Tyler, Grayling; paul.johnson8 () gmail com; security basics Subject: RE: Protecting sensitive files on a Windows file server Grayling, I thoroughly disagree with you about the recovery key issue. Recovery keys aren't a problem. You have to have backup keys in case the original keys are lost. No one should implement any encryption strategy without first deploying a reliable key archival\recovery solution. It takes an admin password or to be logged in as the normal user to recover EFS-protected files. If I can do either of those two things, I don't care what your encryption program is, it's game over. I can just retrieve your keys, install a keylogging trojan to capture your passphrase protecting your keys, or just grab the files when the original user views them. The problem isn't key recovery, it's other operational issues. For instance, EFS only works on NTFS partitions. That's a major problem for an enterprise-wide encryption platform, which is trying to protect data on non-NTFS media (e.g. USB keys, cd-roms, dvd's, etc.) Roger -----Original Message----- From: Tyler, Grayling [mailto:ggtyler () foodlion com] Sent: Wednesday, June 21, 2006 2:49 PM To: Roger A. Grimes; paul.johnson8 () gmail com; security basics Subject: RE: Protecting sensitive files on a Windows file server I agree that using the password protection from within outlook isn't especially secure (using the file encryption is better though). EFS aren't much better because of the recovery keys. If all you're doing is keeping the honest people honest then either would likely suffice. If its honest-to-goodness sensitive material that you want to protect from not so honest people then use the RSA with token or PGP. All communication regarding everyday IT support needs such as IT problems / incidents should be directed to the ITCRC team at x2848 instead of contacting the various associates directly within the IT department. By logging all problems / incidents with the ITCRC team, this will provide us more visibility into the various types of calls we are receiving, trending of these calls, numbers of calls, etc. The ITCRC team will bring more attention to your issues and allow prompt resolution to your calls. -----Original Message----- From: Roger A. Grimes [mailto:roger () banneretcs com] Sent: Tuesday, June 20, 2006 9:01 PM To: paul.johnson8 () gmail com; security basics Subject: RE: Protecting sensitive files on a Windows file server -See replies below. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Professional Windows Desktop and Server Hardening (Wrox) *http://www.amazon.com/gp/product/0764599909 ***************************************************************** -----Original Message----- From: paul.johnson8 () gmail com [mailto:paul.johnson8 () gmail com] Sent: Tuesday, June 20, 2006 7:54 PM To: Roger A. Grimes; security basics Subject: Re: Protecting sensitive files on a Windows file server We discovered with Office 2003, using the default Office 97/2000 compatible encryption type to protect the files, it is possible to recover the passwords/data using software such as Elcomsoft Password recovery (which can also break EFS) and online password/data recovery services no matter how long the password or complexity in under 5 mins. -It's worse than that. Office passwords can always be removed (set to blank) because the password is stored in a known and editable location. -Elcomsoft does not "crack" EFS private keys. It breaks the Administrator account password (or uses the logon Administrator credentials) to programmatically gain access to the otherwise protected EFS private key. If the intruder breaks your Admin password or is able to get logged on as Administrator, it's always game over...and cracking EFS keys is only one your problems. How are others protecting this information in their place of work? -Most aren't. Just read the papers. Of those that are, most are using EFS (again most users aren't), PGP, RSA, or some other commercial solutions. There are dozens of commercial encryption solutions, and kudos to you for looking into this. On 21/06/06, Roger A. Grimes <roger () banneretcs com> wrote:There are many great commercial solutions, like PGPDesktop, but EFSis free and works well if you handle key archival seriously. EFS works well, but it is not as eloquent as many of the other solutions (don't forget TrueCrypt for a free solution). Forexample,EFS only encrypts data while its stored on the hard drive, but the data is decrypted (using EFS alone) when copied across thenetwork ordown to other media. PGP Desktop, with NetShare, allows thefiles andkeys to be managed easier and to remain encrypted where ever theyended up (i.e.USB key, CD-ROM, etc.); and with a single encryption key. Office 2003 encryption isn't good encryption; easy to bypass. Winzip leaves unencrypted recoverable temp files. Just my one-half cent. I haven't tried the RSA solution. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com*Author ofProfessional Windows Desktop and Server Hardening (Wrox) *http://www.amazon.com/gp/product/0764599909 ***************************************************************** -----Original Message----- From: paul.johnson8 () gmail com [mailto:paul.johnson8 () gmail com] Sent: Monday, June 19, 2006 7:39 PM To: security basics Subject: Protecting sensitive files on a Windows file server We are looking for a secure way to store very sensitivefiles on ourWindows servers. The data is shared. We will turn on fullauditing,create hidden shares and a security group. Which type of protection would be most suitable: Office 2003 encryption Windows EFS Winzip 9.x encrypted archives RSA SecurID Windows Agent (2 factor authentication) PGP Desktop Pro Our concern with the Windows/Office encryption types isthat it couldbe cracked - ie. someone could get hold of the file and runsome kindof password recovery on the file and access the data. Any ideas on how to approach this would be much appreciated.************************************************************** ********** ** This electronic message may contain confidential or privileged information and is intended for the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify the sender immediately by using the e-mail address or by telephone (704-633-8250). ************************************************************** ********** ** -------------------------------------------------------------- ------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus -------------------------------------------------------------- -------------
--------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- RE: Protecting sensitive files on a Windows file server, (continued)
- RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 21)
- Re: Protecting sensitive files on a Windows file server Gaddis, Jeremy L. (Jun 21)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 22)
- Re: Protecting sensitive files on a Windows file server Gaddis, Jeremy L. (Jun 22)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 23)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 22)
- Re: Protecting sensitive files on a Windows file server simonis (Jun 21)
- Re: Protecting sensitive files on a Windows file server paul.johnson8 () gmail com (Jun 21)
- Re: Protecting sensitive files on a Windows file server RandyW (Jun 22)
- RE: Protecting sensitive files on a Windows file server Tyler, Grayling (Jun 22)
- RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 22)
- RE: Protecting sensitive files on a Windows file server David Gillett (Jun 23)
- RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 22)
- RE: Protecting sensitive files on a Windows file server Tyler, Grayling (Jun 22)
- RE: Protecting sensitive files on a Windows file server Tyler, Grayling (Jun 22)
- RE: Protecting sensitive files on a Windows file server Roger A. Grimes (Jun 22)
- RE: Protecting sensitive files on a Windows file server Beauford, Jason (Jun 23)