
RE: XP native encryption

Subject: RE: XP native encryption
Date: Fri, 27 May 2005 07:43:38 -0400


This is true if the Administrator had the foresight to use the cipher /R
command to make a file recovery key and install it under the Administrator
account prior to any user encrypting a file.

Windows would then use this key along with any user account generated key
when encrypting files thus giving the Administrator a backdoor to the
confidential information. Much like the private key knows the backdoor to
any file that was encrypted using its matching public key.

Bob
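The cipher /R procedure Bob describes, written out as an added example (this is not code from the thread or from Microsoft; file names, the output path and the registry switch are assumptions for illustration, and the cipher.exe switches it relies on differ between Windows versions, so check them on the build you have):

```powershell
# Added example, not part of the original thread.
# Creates an EFS Data Recovery Agent (DRA) key pair on a stand-alone machine,
# audits which files are already encrypted, and shows the switch for turning
# EFS off until a DRA is in policy. Run from an elevated PowerShell prompt.

# Assumed output location; cipher /R appends .cer and .pfx to this base name.
$draBase = Join-Path $env:USERPROFILE 'EfsRecoveryAgent'

# 1. Generate the recovery agent certificate and private key.
#    cipher /R prompts for a password that protects the .pfx. The .pfx is the
#    "backdoor" key Bob refers to: keep it offline, never in the user profile.
cipher.exe /R:$draBase
#    -> $draBase.cer  public certificate, imported into policy as the DRA
#    -> $draBase.pfx  private key, needed later to actually recover files

# 2. Designate the DRA. On a stand-alone box this is done in Local Security
#    Policy: secpol.msc -> Public Key Policies -> Encrypting File System ->
#    Add Data Recovery Agent, pointing at the .cer file. Only files encrypted
#    (or re-touched) after this step carry the DRA field.

# 3. Audit: list every encrypted file on local drives without touching it
#    (/N prevents key updates, so this is read-only).
cipher.exe /U /N

# 4. After the DRA is in policy, rewrite the DRA field on existing files.
#    This must run in the context of each user who owns encrypted files,
#    because only the owner's key can re-wrap the file encryption key.
#    cipher.exe /U

# 5. Roger's advice: keep EFS off until a DRA exists. On XP/2003 stand-alone
#    machines Microsoft documents a registry switch for this (value 1 = EFS
#    disabled); domain members should use the EFS policy object instead.
#    Confirm the value name on your build before relying on it.
$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
# Set-ItemProperty -Path $efsKey -Name EfsConfiguration -Type DWord -Value 1
# Get-ItemProperty -Path $efsKey | Select-Object EfsConfiguration

# 6. Per-user belt and braces (XP SP2 and later): export the current user's
#    own EFS certificate and key so a lost profile does not mean lost files.
#    cipher.exe /X:(Join-Path $env:USERPROFILE 'MyEfsKey')
```

One caveat that follows from step 2: adding a DRA after the fact protects nothing that is already encrypted until step 4 has been run as the owning user, so in Fernando's situation a DRA defined now does not help with the files that are already locked.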


-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@ornl.gov] 
Sent: Tuesday, May 24, 2005 12:30 PM
To: Roger A. Grimes; Fernando Serto; security-basics@securityfocus.com
Subject: RE: XP native encryption

Roger,

If this is a stand-alone machine, the local administrator is the default
recovery agent.  You should be able to log on as the local administrator
and recover the files.  (assuming the recovery key was not removed from
the administrator profile)

Dennis

-----Original Message-----
From: Roger A. Grimes [mailto:roger@banneretcs.com] 
Sent: Monday, May 23, 2005 6:06 PM
To: Fernando Serto; security-basics@securityfocus.com
Subject: RE: XP native encryption

I'm pretty familiar with EFS.  The first question is whether the laptop
was a stand-alone laptop or if it was joined to a domain?  If the latter
is true, your Data Recovery Agent (usually the domain admin by default)
can logon and recover the files.  If not, then the only account that is
able to recover it is the user who protected the files.  When EFS is
used, the user's keys are stored in the user's profile and protected
with a master key created using the user's password. If the user's
profile hasn't been overwritten, then have the user logon and simply set
the password back to the original, and voilà, the files will be
accessible again. If the user's profile has been overwritten then the
only hope is to recover the user's profile someway...System Restore??

The lesson to be learned is that EFS should be disabled (by default it
is enabled and can be used by any user) until a default recovery agent
has been defined.

Good luck.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger@banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************



-----Original Message-----
From: Fernando Serto [mailto:fernando.serto@memetrics.com] 
Sent: Monday, May 23, 2005 3:29 AM
To: security-basics@securityfocus.com
Subject: XP native encryption

Guys, I have a problem here where one of the users has encrypted all her
documents on her laptop, and as requested, she had administrative
rights. She had a friend playing around with her laptop during the
weekend, and I have no idea why that guy went through the user accounts,
changed the administrator password, logged in as local administrator,
DELETED the user account, RECREATED it, and changed the password back to
what it was. I think the user was too embarrassed to tell me why this
guy had her password, and why he was playing around with her laptop, but
anyway, now she can't access her files, because they are encrypted.

Do you know any way to decrypt those files, in order to re-encrypt using
the new username?

cheers,
Fernando

--
Fernando Serto
Systems Administrator
Ph: +61 2 9556 0833
Mo: +61 403 338 005
Fa: +61 2 9555 6911
