Re: Attacking EFS through cached domain logon credentials

[Todd Sabin <tsabin () razor bindview com>]

"John Howie" <JHowie () securitytoolkit com> writes:

> Todd (and lists),
>
> You wrote:
>
> > This is not completely correct, and I wanted to clarify how an attack
> > against a domain-member's EFS encrypted files can work.  The threat
> > model is this:
>
> It is important to distinguish between a weakness in EFS (there is none,
> as described here) and the risk associated with using cached logon
> credentials.

I agree there's no bug here, if that's what you mean.  Whether this is
a 'weakness', risk, vulnerability, or whatever is mainly semantics.
Let's just say it's a property of EFS that its encryption is no
stronger than the user's password in the scenario I outlined.

The underlying point is that many organizations probably have password
policies (complexity requirements and maximum password age) designed
in part to mitigate the risk of the passwords being cracked before
they expire (and become useless).  Often, maximum age is in the
ballpark of 45 days.

The problem is that if someone has obtained a stolen laptop as I
described, the user's password doesn't become useless when it expires
unless the information in the files encrypted with EFS also becomes
useless.

If you want to encrypt information that has long term value, you
probably need to either seriously reevaluate your password complexity
requirements, put smart cards or some other hardware into the mix (as
you mentioned), or use something other than EFS.

-- 
Todd Sabin                                          <tsabin () optonline net>
BindView RAZOR Team                            <tsabin () razor bindview com>