recovering NTFS volumes

Parhez Sattar

We have this debate going in the office about NTFS and how it protects files from falling into the wrong hands. Basically, the questions are:
- What are the risks if a backup tape that was used to back up an NTFS volume on a machine (W2K/XP Pro) that was part of a corporate domain/AD falls into the hands of a person who is curious (but not savvy enough to know hacking tools) and has a tape drive on their home machine? Can this person just restore the tape onto their computer and gain full access to the files (mind you, they were protected via NTFS 5.0 on the original partition) without taking any additional steps (such as taking ownership, bypassing the original ACL, etc.)?
- Add EFS to the scenario above. What changes?
Thanks in advance.

Steven L Umbach

NTFS by itself is not secure protection outside of the original operating system, and yes, someone who could restore the tape to another operating system would be able to access those files [assuming the backup process does not encrypt, as it is my understanding some can]. They may or may not need to take ownership. My guess is that if the Administrators group or Administrator has full permissions, they would have no problem, since the built-in Administrator and Administrators group have the same SID on every operating system.

EFS files would deny access to any user who does not have access to the private keys used for EFS, for either the user or the recovery agents, as shown in efsinfo. Those private keys are stored in the user profiles, so if the backups did not include those user profiles they would not be able to access the EFS files themselves unless they obtained them from another backup [keep them separate] and were able to guess or crack the user's/recovery agent's password, though they could delete the data. I have little experience with backup programs other than the built-in ntbackup or Ghost, but it is my understanding that not all backup programs support backing up encrypted files, and it is not that the files would be decrypted, but that they would be backed up and restored as gibberish, which is something to consider. XP Pro SP1 and W2003 EFS use AES [strong stuff], so if the files were restored to a W2K computer and the recovery agent's EFS private key then imported to decrypt them, it would not work because W2K does not support AES. --- Steve


http://support.microsoft.com/default.aspx?kbid=243330 -- well-known SIDs
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part2/dsgch15.mspx -- EFS info

Parhez Sattar

Steve,
Thanks for the detailed answer. Does your answer change if the file system where the tape is being restored does NOT have NTFS (i.e. FAT32)? What if the ACLs of the files in question on the tape didn't include Administrator (Administrators group)? Doesn't the machine name/ID come into play, even if the Administrator account was explicitly included in the ACL? Thanks again.


Steven L Umbach

If NTFS permissions are not being copied when data is backed up, then I believe it would inherit the permissions of the parent folder where it was restored to, if it was restored to a drive using NTFS. If the files did not include the Administrators group but instead a user/group unique to the operating system that it was backed up from, then access would be denied to a user trying to gain access from another operating system until the user logged on as an administrator and took ownership, at which time he would see a SID but not a name that had permissions assigned to it.

In my experience the machine ID does not matter for NTFS permissions of default operating system users/groups. I often use double/triple-boot operating systems and I always have access to volumes that belong to the other operating systems without taking ownership, and if I view permissions on those volumes I see the Administrators group. However, if I explicitly remove the Administrators group and other default built-in users or groups and replace them with a user unique to that operating system for the NTFS permissions on a folder, I am denied access when I boot into a different operating system until I take ownership and give myself permissions, assuming no EFS is involved. Anyhow, I would certainly not count on NTFS permissions alone to protect a backup. I say you guys make bets and test it out. --- Steve

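Both of Steve's replies come down to one mechanism: an NTFS ACE stored with the file names a SID, and whether that SID means anything on the machine doing the restore is what decides access. The Administrators group is S-1-5-32-544 on every Windows installation (one of the well-known SIDs in the KB article linked above), so an ACE for it carries over to the home machine; SIDs issued by a particular machine or domain carry that system's S-1-5-21 prefix and resolve to nothing anywhere else, which is the "SID but not a name" Steve describes. The following is an added example written for this page, not code from the thread or from Microsoft: a small Python model that parses the DACL out of an SDDL string, runs the Windows-style ordered ACE walk, and reports which SIDs are machine- or domain-specific. The two SDDL strings, the domain and machine SID prefixes, the account RIDs and the token contents are all constructed for illustration.

```python
"""Simulate what an NTFS DACL means once the data is restored on a machine
other than the one that wrote it: which ACEs still map to a real principal
there, and which only name a SID nobody on that machine holds.
Added example, not code from the thread; every SDDL string, SID and token
below is constructed for illustration."""
import re

# SDDL aliases for well-known SIDs (KB243330).  These are identical on every
# Windows installation, which is what makes an ACE for "BA" portable.
SID_ALIAS = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "WD": "S-1-1-0",       # Everyone
    "AU": "S-1-5-11",      # Authenticated Users
}
# Generic file rights as access-mask bits.
FILE_ALL_ACCESS = 0x1F01FF
FILE_GENERIC_READ = 0x120089
RIGHT_ALIAS = {"FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ,
               "FW": 0x120116, "FX": 0x1200A0}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return [(ace_type, access_mask, sid)] from the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL with ACEs in %r" % sddl)
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        ace_type, _flags, rights, _obj, _iobj, sid = body.split(";")
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for i in range(0, len(rights), 2):  # rights are two-letter codes
                code = rights[i:i + 2]
                if code not in RIGHT_ALIAS:
                    raise ValueError("unsupported right %s" % code)
                mask |= RIGHT_ALIAS[code]
        aces.append((ace_type, mask, SID_ALIAS.get(sid, sid)))
    return aces


def access_check(aces, token_sids, requested):
    """Walk the DACL the way Windows does: ACEs are evaluated in order, an
    access-denied ACE covering any still-outstanding bit rejects the request,
    and allow ACEs accumulate bits until nothing is outstanding.  Owner-implied
    rights and privileges such as SeTakeOwnership are deliberately ignored."""
    token = set(token_sids)
    remaining = requested
    for ace_type, mask, sid in aces:
        if sid not in token:
            continue  # ACE names a principal this token does not hold
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
            if not remaining:
                return True
    return remaining == 0


def orphaned_sids(aces):
    """SIDs in the DACL issued by one machine or domain (S-1-5-21-...).  On any
    other system they resolve to no account and display as a bare SID."""
    return sorted({sid for _, _, sid in aces if sid.startswith("S-1-5-21-")})


def take_ownership(aces, new_owner):
    """Model the manual step from the thread: a local administrator takes
    ownership, can then rewrite the DACL, and grants themselves Full Control."""
    return [("A", FILE_ALL_ACCESS, new_owner)] + list(aces)


# Constructed identities: the corporate domain that wrote the tape and the
# curious employee's home machine.  Only the S-1-5-21 prefixes differ.
CORP_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
HOME_MACHINE = "S-1-5-21-4444444444-5555555555-6666666666"
CORP_USER = CORP_DOMAIN + "-1105"
HOME_ADMIN = HOME_MACHINE + "-1000"
CORP_USER_TOKEN = [CORP_USER, SID_ALIAS["BU"], SID_ALIAS["AU"], SID_ALIAS["WD"]]
HOME_ADMIN_TOKEN = [HOME_ADMIN, SID_ALIAS["BA"], SID_ALIAS["BU"],
                    SID_ALIAS["AU"], SID_ALIAS["WD"]]

# Typical default: Administrators and SYSTEM keep Full Control on the file.
DEFAULT_SDDL = "O:BAG:SYD:PAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;%s)" % CORP_USER
# Steve's locked-down variant: only the owning domain user is listed.
LOCKED_SDDL = "O:%sG:SYD:PAI(A;;FA;;;%s)" % (CORP_USER, CORP_USER)


def restore_report(sddl):
    """Who can read the restored file, before and after taking ownership."""
    aces = parse_dacl(sddl)
    return {
        "corp_user_reads": access_check(aces, CORP_USER_TOKEN, FILE_GENERIC_READ),
        "home_admin_reads": access_check(aces, HOME_ADMIN_TOKEN, FILE_GENERIC_READ),
        "home_admin_after_takeown": access_check(
            take_ownership(aces, HOME_ADMIN), HOME_ADMIN_TOKEN, FILE_ALL_ACCESS),
        "orphaned_sids": orphaned_sids(aces),
    }


if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("locked", LOCKED_SDDL)):
        print(name, restore_report(sddl))
```

Running it prints both scenarios: with the default ACL the home administrator reads the file immediately through the BUILTIN\Administrators ACE, while with the locked ACL every ACE names an orphaned domain SID and the read fails until the take-ownership step is applied. The model leaves out owner-implied rights and privileges on purpose, which is why `take_ownership` is a separate call: on a real system that is exactly the extra step a local administrator performs, and it is why the thread's conclusion is that NTFS permissions alone do not protect a restored backup.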