RE: Relative Security Provided by Cached Domain Credentials?

From: Sergey V. Gordeychik (gordeyinfosec.ru)
Date: Wed May 12 2004 - 02:13:47 CDT


>Local accounts are easily modified or reset,
>but I'm not aware of any
>similar exploits for cached domain credentials.
>Given that EFS'
>effectiveness to secure laptop-stored
>data in a domain environment lives
>and dies by the security of the cached credentials, I'm curious to know
>just *how much* more secure they are.

A little off topic, but.

Changing the local user password on XP or W2K3 does not give any opportunity to get access to EFS-encrypted files, because the user's private key is encrypted with the user's password. And that goes for domain accounts, too.

In the case of W2K the situation is much worse: the private key is encrypted with the user's RID.
But you can protect the EFS private key by exporting it to removable media in PKCS#12 format and importing it before use. You don't need to store the private key on the hard disk, because it is cached in memory after first use.

So, we can export the user's EFS certificate with private key to a password-protected PKCS#12 file (open the Certificates MMC console, find the EFS certificate with Intended Purposes = Encrypting File System, right-click, All Tasks > Export) and delete it.
Afterwards, store the PKCS#12 file on removable media, and before using EFS start the following batch file:

REM Start certificate import wizard
rundll32.exe cryptext.dll,CryptExtAddPFX %username%.pfx
REM Encrypt 0-length test file for certificate caching
cipher /E /A C:\EFS\encrypt.txt
REM Decrypt 0-length test file for certificate caching
cipher /D /A C:\EFS\encrypt.txt
REM Delete users certificates
certmgr -del -c -all -s my

After that we can use EFS, but the certificate isn't stored on the local computer's hard disk, only in memory.

Instead of removable media we can use any smartcards or USB tokens which can import and export PKCS#12 files.

The Russian public can find more information here:
http://www.osp.ru/win2000/2003/02/038.htm
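As an added illustration (not part of the original post), the same round trip written in PowerShell for a current Windows client, using the PKI module's Export-PfxCertificate/Import-PfxCertificate cmdlets (assumed available, Windows 8 / Server 2012 and later) in place of the 2004-era rundll32/certmgr tools. The drive letter, test file path and password prompt are assumptions. It adds two checks the batch file above does not make: that no EFS certificate remains in the Personal store after the session starts, and that an already-encrypted file still opens after the certificate is removed, which is the observable sign that the key is being served from the in-memory cache.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ with the PKI
# module (Windows 8 / Server 2012 or later) and an existing EFS certificate whose
# private key is exportable (the default for self-signed EFS certificates).
# Paths below are constructed; run each phase as the user who owns the key.
$EfsEku   = '1.3.6.1.4.1.311.10.3.4'              # Encrypting File System EKU OID
$PfxPath  = 'E:\efs\' + $env:USERNAME + '.pfx'    # removable media, assumed drive letter
$TestFile = 'C:\EFS\encrypt.txt'                  # 0-length file used only to warm the key cache
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

function Get-EfsCertificates {
    # Every certificate in the user's Personal store that carries the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }
}

function Export-EfsKeyToPfx {
    # One-time step: move the EFS certificate and private key off the local disk.
    $certs = @(Get-EfsCertificates)
    if ($certs.Count -ne 1) { throw "Expected exactly one EFS certificate, found $($certs.Count)" }
    Export-PfxCertificate -Cert $certs[0] -FilePath $PfxPath -Password $Password | Out-Null
    # -DeleteKey removes the private key container along with the store entry.
    Remove-Item -Path $certs[0].PSPath -DeleteKey
    Write-Host "Exported to $PfxPath and removed from Cert:\CurrentUser\My"
}

function Start-EfsSession {
    # Before each session: import, touch a test file so EFS loads the key, then remove again.
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password | Out-Null
    New-Item -ItemType Directory -Path (Split-Path $TestFile) -Force | Out-Null
    New-Item -ItemType File -Path $TestFile -Force | Out-Null
    cipher.exe /E /A $TestFile | Out-Null      # encrypt: EFS loads the private key into its cache
    cipher.exe /D /A $TestFile | Out-Null      # decrypt: leaves the test file plaintext again
    Get-EfsCertificates | Remove-Item -DeleteKey
    # Check 1: nothing EFS-related is left on disk in the Personal store.
    if (@(Get-EfsCertificates).Count -ne 0) { throw 'EFS certificate still present in store' }
    Write-Host 'EFS key cached in memory; certificate removed from store'
}

function Test-EfsKeyCached {
    param([string]$EncryptedFile)
    # Check 2: an already-encrypted file must still open although the store holds no EFS certificate.
    try { [void](Get-Content -Path $EncryptedFile -ErrorAction Stop); return $true }
    catch { return $false }
}

# Usage (assumed file names):
#   Export-EfsKeyToPfx                      # once; then keep the .pfx on the removable media
#   Start-EfsSession                        # at the start of every session
#   Test-EfsKeyCached 'D:\work\secret.docx' # an EFS-encrypted file of yours
```

Test-EfsKeyCached returning false after a fresh Start-EfsSession means the key never reached the cache (typically the PFX password was wrong or the import landed in another store), and the session should not be relied on. Keep the .pfx password separate from the removable media, since anyone holding both has the EFS key.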
