Date: Sun Feb 24 2002 - 16:36:21 CST
I have read a number of documents on the security of EFS and have come to the following conclusion, but I have not been able to verify it due to a lack of available tools:
EFS is secure if you use Syskey (with a strong password/passphrase) on W2K, for the following reasons:
Syskey encrypts the component of the registry that stores the certificate.
Without the Syskey password it is not possible to decrypt the certificate.
It is easy to change the user's password by injecting an old-style hash into the SAM when W2K starts.
But still, without the Syskey password you cannot get to the EFS certificate.
EFS is not secure if you:
Do not use Syskey with a password and instead use it as a default install, in which the password is stored in the registry.
It is easy to change a user's password, which then gives access to the certificate because it is automatically decrypted with Syskey.
I am also dubious of the security of the certificate if you hibernate, as the certificate would be written out (clear-text?) to disk as part of the memory dump.
The Syskey password should be long (> 25 characters) to ensure that a brute-force attack on the registry keys would be expensive.
My own experiments have shown that as of W2K SP1 + EncryptPack the limit on a Syskey password was 32 characters; anything over this was ignored. This may change with later releases; I have not tested.
If anyone has information to the contrary with regard to the above, I would be keen to hear.
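The post above names three conditions that decide whether EFS key material is exposed on a machine: the Syskey mode (key stored in the registry versus a startup password), whether hibernation can write memory to disk, and which files are actually EFS-encrypted. The following PowerShell audit script is an added example written for this archive page; it is not code from the original poster. It assumes that the `SecureBoot` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` records the Syskey mode (1 = key in registry, 2 = startup password, 3 = key on removable media) and that `HibernateEnabled` under `HKLM\SYSTEM\CurrentControlSet\Control\Power` reflects whether `hiberfil.sys` is written; the value names and the meaning of each mode are assumptions to confirm against your own build, and the function names are the author's own.

```powershell
# Added example (not from the original post). Audits the EFS risk factors
# discussed above on a Windows host. Run from an elevated PowerShell session.

function Get-SyskeyMode {
    # Assumption: Lsa\SecureBoot records the Syskey mode.
    # 1 = system key stored in the registry (default install, weakest)
    # 2 = startup password must be typed at boot
    # 3 = system key kept on removable media
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -ErrorAction SilentlyContinue
    switch ($lsa.SecureBoot) {
        1 { return 'Mode 1: system key stored in registry (default, weakest)' }
        2 { return 'Mode 2: startup password required' }
        3 { return 'Mode 3: system key on removable media' }
        default { return 'Unknown: SecureBoot value not present' }
    }
}

function Test-HibernationEnabled {
    # Assumption: Control\Power\HibernateEnabled is 1 when hiberfil.sys is in use.
    # A present hiberfil.sys is a second indicator that memory may be written to disk.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -ErrorAction SilentlyContinue
    $flag = [bool]$power.HibernateEnabled
    $file = [System.IO.File]::Exists("$env:SystemDrive\hiberfil.sys")
    return ($flag -or $file)
}

function Get-EfsEncryptedFiles {
    # Lists files carrying the NTFS Encrypted attribute under the given root.
    # -Force is needed so hidden and system files are not skipped.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        Select-Object -ExpandProperty FullName
}

# Report: the three observations map directly onto the post's conclusions.
$mode = Get-SyskeyMode
Write-Output "Syskey mode      : $mode"
if ($mode -like 'Mode 1*') {
    Write-Output "  -> EFS certificate is decrypted automatically at boot; a password reset exposes it."
}

$hib = Test-HibernationEnabled
Write-Output "Hibernation      : $(if ($hib) { 'enabled' } else { 'disabled' })"
if ($hib) {
    Write-Output "  -> memory (including loaded EFS keys) can be written to hiberfil.sys."
}

$files = @(Get-EfsEncryptedFiles)
Write-Output "EFS-encrypted files under $env:USERPROFILE : $($files.Count)"
$files | Select-Object -First 20 | ForEach-Object { Write-Output "  $_" }
```

Run it on a workstation to see whether the "secure" or "not secure" branch of the post applies: Mode 1 together with hibernation enabled is the combination the poster warns about, and the file listing shows what is at stake. Disabling hibernation (`powercfg /hibernate off`) removes the memory-dump exposure; changing the Syskey mode is a separate, deliberate administrative step.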