EFS not secure on LAN

[Rob Rohrbough]

I have Win2k pro on a workgroup LAN. I have marked a
directory as secure and removed all permissions but the
owner's. When I log into the computer with another user
name, the folder is not accessible to that user.

However, that directory is on a drive that is shared with
other computers on my peer-to-peer LAN. Users on any
WinNT-based machine can see the encrypted data; users on
Win0x-based machines are restricted fromt the directory.

I have removed the certificate from the system.

What am I doing wrong?

TIA,

Rob

 

[Herb Martin]

However, that directory is on a drive that is shared with

other computers on my peer-to-peer LAN. Users on any
WinNT-based machine can see the encrypted data; users on
Win0x-based machines are restricted fromt the directory.

No. Without the key (which must be sent from YOUR
account/profile/certificate store) they cannot "see" EFS
data.

Now, if you transfer it over the net, they can sniff it but
that is just because it is an ENCRYPTED FILE system.

 

[Rob Rohrbough]

Herb,

Thanks for your reply. I beg to differ on the following
point:

No. Without the key (which must be sent from YOUR
account/profile/certificate store) they cannot "see" EFS
data.

I saw it happen. While I am new to EFS and make mistake
like everyone else, I tried this several times. Today, I
was able to export, delete, and import the certificate for
EFS. It was installed in my Personal store. When the
certificate was present there anyone who had NTFS
permission to the folder could see the file's data; when
the certificate was not there (after a reboot) no-one
could access the data even if they had access to the
folder and file. Before a reboot, even without the
certificate in the store, apparently some kind of cache of
the certificate was still allowing people to see the data.

I appreciate your answer and am open to any additional
insights you have,

Rob

 

[Herb Martin]

I saw it happen. While I am new to EFS and make mistake

like everyone else, I tried this several times. Today, I
was able to export, delete, and import the certificate for
EFS. It was installed in my Personal store. When the
certificate was present there anyone who had NTFS
permission to the folder could see the file's data; when
the certificate was not there (after a reboot) no-one
could access the data even if they had access to the
folder and file. Before a reboot, even without the
certificate in the store, apparently some kind of cache of
the certificate was still allowing people to see the data.

Then it's a serious bug -- be sure to report it.

What I understand about the scenario:

1) Owner of the file accesses the file (over the net)
2) While (or after) this access OTHERS can with mere
permissions can read the file while the key is at the server
3) Reboot clears the key from server -- stops uncertificated access

That's a bug.

Sure you can use NTFS permissions to prevent the access but
the key alone should do that.

What should happen even with permission:
Example: Someone other than the owner (who is also not a
Recover Agent) has Full Control of an encrypted file. Tries
to access that file -- denied as if it were a permission issue.

 

[Rob Rohrbough]

Steven,

Thanks for your reply. They can see the actual data. I
did play around with the NTFS file permissions and was
able to restrict access to directories by share. It
appears that, if you can gain access to a share up the
hierarchy, sub-folders will appear as well. That appears
to be different than my experience with different users on
the same machine.

Anyway, after rebooting, the lack of a certificate kept
everyone, including the owner, from seeing the data in the
files. Apparently there is some kind of cache working
that needs to be cleared. It would be nice if there is a
less-severe way of clearing the cache. You have any ideas?

Thanks again,

Rob

 

[Steven Umbach]

Once files have been actually encrypted then they should only be
unencrypted by the private key of the user that encrypted them or the recovery
agent in effect at that time. Possibly there were unencrypted copies somewhere
in ram or maybe on the hard drive memory cache. If you import the private key
again, then only the user/recovery agent should be able to access the data in
the files. If that is not the case I would implement auditing of the encrypted
folder/files to see if they are in fact being physically accessed and by who. I
would also use cipher to verify exactly which files are encrypted and then use
efsinfo to see what user has actually encrypted the files and who the recovery
agents are. Certain file types, like those with the system attribute can not be
encrypted. It is also best practice to only encrypt folders and then place files
into folders to be encrypted. If you encrypt a folder with files in it, you are
given the option to encrypt existing files also - otherwise they are not
encrypted. I have also heard of situations where a folder was not encrypted -
just the files, and an application created temporary unencrypted files from the
encrypted files and even saved the edited file [same file name] as
encrypted.. --- Steve

 

[Rob Rohrbough]

Steve, thanks for the replies. I have been off on another
project for the past few days. Just read your question
for David Cross. I see that he has not replied. I would
very much be interested in his response. I have tried
once to contact a Microsoft tech who was helping me with
encryption. I will try again tomorrow to do so.

Rob

 

[Herb Martin]

I am still watching this conversation with great interest
also.

This would pretty much devalue EFS for file server use.

 

[David Cross [MS]]

an administrator can definately can get access to another users application
data space - this can only be prevented by applications using encrypted
memory, etc which is a very expensive operation of course.

one user cannot definately get access to another users key.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

There is a different between a key handle cache and a file contents that may
be in memory by an application. Yes, one user with admin priveleges could
scan the memory of other applications running on the system.

But no, the key handle cache cannot be exposed, viewed, hijacked, etc by any
other user or process.

So does that mean the "reported behavior" is impossible?

[I didn't report it and intitially didn't believe it but the poster was
adamant
that he both understood it and was reporting correctly.]

--
Herb Martin

http://support.microsoft.com

But can User1 read User2's files from the in memory cache
versions?

In other words, since the files are unencrypted for User2
when read, is that cache of the file accessible outside the
authentication context of User2?


IN windows 2000, the EFS cache can only be cleared with a reboot. In
Windows XP and above, the cache can be cleared with a user logoff.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no
rights.

http://support.microsoft.com

Steven,

Thanks for your reply. They can see the actual data. I
did play around with the NTFS file permissions and was
able to restrict access to directories by share. It
appears that, if you can gain access to a share up the
hierarchy, sub-folders will appear as well. That appears
to be different than my experience with different users on
the same machine.

Anyway, after rebooting, the lack of a certificate kept
everyone, including the owner, from seeing the data in the
files. Apparently there is some kind of cache working
that needs to be cleared. It would be nice if there is a
less-severe way of clearing the cache. You have any ideas?

Thanks again,

Rob


-----Original Message-----
They can see the files or they can see the actual
data? Check ntfs
advanced permissions also to see if any users or groups
exist there. Make
sure that just the user you want is included in the ntfs
permissions and
system if it is there, no one else - no everyone, users,
power users,
guest, etc. Double check that the permissions assigned to
the folder have
actually propagated down to the individual files. Check
the properties of
the files to make sure they are in fact encrypted and use
the cipher utility
in that folder to see if it reports the same. If network
users have proper
ntfs/share permissions, they may be able to "see" the
encrypted files but
not the file contents if they are in fact encrypted they
would get an access
denied message when trying to access a file. You may
also want to
reconsider sharing a whole drive, though that is not the
problem with your
EFS.--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-
us;298009
http://support.microsoft.com/default.aspx?scid=kb;EN-
US;223316

I have Win2k pro on a workgroup LAN. I have marked a
directory as secure and removed all permissions but the
owner's. When I log into the computer with another user
name, the folder is not accessible to that user.

However, that directory is on a drive that is shared
with
other computers on my peer-to-peer LAN. Users on any
WinNT-based machine can see the encrypted data; users on
Win0x-based machines are restricted fromt the directory.

I have removed the certificate from the system.

What am I doing wrong?

TIA,

Rob


.