I would not consider EFS safe with a domain account either as long as the EFS private
key is still on the computer for the user or recovery agent. A person with physical
access could use one of the EFS recovery programs and try to guess the user password
to access the private key. A domain account has the benefit of possibly not having a
local Recovery Agent, which would make it easier to try to access the EFS files if the
RA private key is on the computer.

In a default installation of W2K, syskey is implemented and the operating system
manages it. That is good because it makes it extremely difficult for someone to try
and crack the local SAM account of the computer by copying it and moving it to
another computer or booting from another operating system. LC4 indicates that their
product will not work on a SAM file that way. NT4.0 did not have that default
protection. However, the default syskey will not prevent an administrator from running
a password cracking program against the local SAM while that administrator is logged
into the operating system, and by default W2K and XP Pro store LM hashes of
passwords, which are very easy to crack even if the password is fairly complex. This
is important because it is trivial to reset the built-in administrator account on
W2K/XP Pro with free downloadable tools such as the one in the link below. Once the
cracker has administrator access, he can install a password cracker such as LC4 or
even the free Cain and Abel program and then crack the users' passwords to try to
access the EFS files IF the user private key is still on the computer. However, if
you configure syskey to require a password or floppy disk to access the operating
system, that greatly reduces the risk of a user gaining access to the operating
system because they still must know the syskey password or have the floppy disk
with the syskey password. I don't know of a way to crack the syskey password,
though I suppose there may be a way, but I know of no utility that does it.

EFS can leave cleartext fragments on the disk after encrypting a file, which is why it
is recommended to use cipher /w after a session. It is also a good idea to configure
the system pagefile to clear at shutdown in case there is any info from a file left
there before encryption, which means cipher /w should really be done again after a
reboot, or use a disk scrubber that will also clear the pagefile and memory before
shutdown. For most users this may all be overkill but the rest of us like to know.
The links below may be of interest. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;310105 --- Syskey
http://www.oxid.it/cain.html --- not as powerful as LC4 but free
http://support.microsoft.com/default.aspx?scid=kb;en-us;315672 --- Cipher /w
http://is-it-true.org/nt/nt2000/atips/atips24.shtml --- lots of EFS info and other links
"Tim" wrote in message
news:c8bn8l$m6b$1@lust.ihug.co.nz...
> Hi,
>
> OK, that sounds good (well, a concern, but clarification is good) so:
>
> Domain User [with a domain recovery policy] is safe.
> Domain with a recovery policy owned by a local account is not safe.
> Non domain account is not safe.
>
> Learn about the cipher command.... (hadn't seen it before)...
>
> What is meant by:
>
> "It is always a good idea to change syskey setting to require
> password/floppy for operating system access " ?
>
> - Tim
>
>
>
> "Steven L Umbach" wrote in message
> news:XUtpc.55566$xw3.3314334@attbi_s04...
> > Unless the local built-in administrator is the recovery agent due to no recovery
> > policy at domain/OU level or EFS is used on non domain machine in which case the
> > local administrator account password could be reset and access then gained to EFS
> > files [which would not work on XP Pro]. It is always a good idea to change syskey
> > setting to require password/floppy for operating system access when using EFS on
> > portable computers and to configure the system page file to be cleared at shutdown.
> > Of course the best way to ensure EFS integrity is to export/delete all associated
> > private keys that can decrypt files and at least use cipher /w after doing that,
> > though most users will not do that. --- Steve
> >
> >
> > "Eric" wrote in message
> > news:GoidnQD0kNki_zvd4p2dnA@comcast.com...
> >> It depends. Smart cards require domain membership and if smart cards are
> >> used for logon, then there is no locally cached domain password available to
> >> hack.
> >>
> >> "Tim" wrote in message
> >> news:c84rba$8o5$1@lust.ihug.co.nz...
> >> > Eric,
> >> >
> >> > Hope you're still there.
> >> >
> >> > So if a laptop is pinched with EFS files on it and one of the password
> >> > hacking utilities is used to gain access, then the EFS is useless?
> >> >
> >> > - Tim
> >> >
> >> >
> >> > "Eric Chamberlain" wrote in
> >> > message
> >> > news:u8BP1yVOEHA.2704@TK2MSFTNGP10.phx.gbl...
> >> > > The answer is misleading. EFS certificates can't be used directly from
> >> > > smart cards.
> >> > >
> >> > > "Serge calderara" wrote in
> >> > > message
> >> > > news:ECC540B4-0307-4F5D-9213-2ED4D7C07970@microsoft.com...
> >> > >> Dear all,
> >> > >>
> >> > >> I am studying for my future MCP exam 70-270 by using the MCSE Readiness
> >> > >> Review book from Microsoft.
> >> > >> In the topics covered, there is one question that I am not really able to
> >> > >> understand; hope you can help me to catch it.
> >> > >>
> >> > >> The question is:
> >> > >> An account manager has lost their portable with critical data on it. IT
> >> > >> department is able to install a new one with a previous backup. But in
> >> > >> order to protect critical company data they need to set up a strategy.
> >> > >>
> >> > >> One of the correct answers was:
> >> > >> You add the computer to the company domain and issue user certificates
> >> > >> for S/MIME and EFS from an AD-integrated Certificate Services Certificate
> >> > >> Authority. You install the certificates on a PC Smart Card that is
> >> > >> compatible with Windows XP and Windows Server Certificate Services. You
> >> > >> install the Smart Card into the new laptop computer and verify that
> >> > >> suitable drivers are installed.
> >> > >>
> >> > >> Based on that answer I have been told that certificates can not be read
> >> > >> directly from a flash card, it can be exported to it for backup, but for
> >> > >> using it it has to be installed on the PC. According to the answer I
> >> > >> understand it like it is possible to read it directly from the flash card,
> >> > >> right?
> >> > >>
> >> > >> If yes how can I test that?
> >> > >>
> >> > >> Thanks for your light on that issue
> >> > >> Regards
> >> > >> Serge
> >> > >>
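Steve's post at the top of the thread boils down to a few host-side facts a defender can check on a laptop that uses EFS: whether the page file is cleared at shutdown, whether LM hashes are still being stored, whether an EFS private key is still on the machine, and whether free space has been scrubbed with cipher /w. The PowerShell script below is an added example, not code posted by anyone in this thread; it audits those points and, with -Fix, applies the two registry settings and runs cipher /w. It assumes an elevated PowerShell 3 or later session on Windows XP/2003 or newer, the documented registry value names ClearPageFileAtShutdown and NoLMHash, and hypothetical defaults for $ScanRoot and $Volume.

```powershell
<#
  Added example (not code from the thread): audit, and optionally tighten, the
  host-side EFS settings Steve's post discusses.

  Assumptions: elevated PowerShell 3+ on Windows XP/2003 or newer; the registry
  value names ClearPageFileAtShutdown and NoLMHash are the documented Windows
  ones; $ScanRoot and $Volume are hypothetical defaults for this example.
#>
param(
    [string]$ScanRoot = "$env:USERPROFILE\Documents",
    [string]$Volume   = $env:SystemDrive,
    [switch]$Fix
)

$memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$efsEku  = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage OID

# Read a REG_DWORD, treating an absent value as 0 (the Windows default for both
# settings checked here).
function Get-DwordOrZero {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

# Collect the facts Steve's post says matter on a stolen laptop.
function Get-EfsExposure {
    # EFS private keys live in the user's certificate store; a certificate with
    # the EFS EKU still present means the decryption key is on this machine.
    $efsCerts = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku })

    # Files currently EFS-encrypted under $ScanRoot (Encrypted attribute set).
    $encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })

    [pscustomobject]@{
        ClearPageFileAtShutdown = Get-DwordOrZero $memMgmt 'ClearPageFileAtShutdown'
        NoLMHash                = Get-DwordOrZero $lsa 'NoLMHash'
        EfsKeysOnHost           = $efsCerts.Count
        EncryptedFiles          = $encrypted.Count
    }
}

$state = Get-EfsExposure
$state | Format-List

if ($state.EfsKeysOnHost -gt 0 -and $state.EncryptedFiles -gt 0) {
    # Exporting the key (cipher /x) and removing the local copy is left to the
    # operator: deleting the only copy of the key makes the files unrecoverable.
    Write-Warning "EFS private key(s) are still on this host alongside encrypted files."
}

if ($Fix) {
    # Wipe the page file at shutdown so plaintext paged out before encryption
    # does not survive a reboot (takes effect at the next shutdown).
    Set-ItemProperty -Path $memMgmt -Name ClearPageFileAtShutdown -Value 1 -Type DWord

    # Stop storing LM hashes; only applies to passwords changed after this is set.
    # (On Windows 2000 the switch is a registry key named NoLMHash, not a value.)
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord

    # cipher /w overwrites the free space on the volume, which is where the
    # cleartext fragments Steve mentions end up. It is slow, and it does not
    # touch the page file, so run it again after a reboot once the setting
    # above has cleared the page file.
    & cipher.exe "/w:$Volume\"
}
```

Run it once without -Fix to see the current state, then with -Fix from an elevated prompt; the registry changes need a reboot before the page file is actually cleared, which is why the script leaves the second cipher /w pass Steve describes to the operator.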