Test Driving EFS - couple questions

[Shark]

I'm testing XP Pro's EFS before I adopt it and ran into some
questions.

There is an interesting Wikipedia article on EFS, particularly this
passage:

"Windows can store plaintext versions of user account passphrases,
though this is no longer default behaviour; it also can and will
store, by default, the local user account passphrases in LM hash,
which can be attacked and broken relatively easily. It also stores
local user account passphrases as NTLM hashes, which can be fairly
easily attacked using "rainbow tables". To mitigate the threat of
trivial brute-force attacks on local passphrases, Windows needs to be
configured (using the Security Settings portion of Group Policy) to
never store LM hashes, and of course, to turn off Autologon (which
stores plaintext passphrases in the registry). Further, using local
user account passphrases over 14 characters long prevents Windows from
storing an LM hash in the SAM - and has the added benefit of making
brute-force attacks against the NTLM hash harder. Of course, if you
consider the fact that EFS uses Triple DES or AES to encrypt files,
you should use proper passphrase lengths (over 20 characters long) to
achieve equivalent strength against brute-force attacks."

But I didn't fully understand the part about 14 character-long
passphrases. Is this additional to configuring Group Policy (as
described) or by simpling choosing a 14 character password it will
automatically force XP to NOT cache in LM hash?

Another question is this, assuming the private key-certificate will be
exported to media outside the computer and deleted for additional
security, is it absolutely necessary for that account to have a logon
password for the encryption of the content to be secured? I'm assuming
the logon password is not used for the encryption process but rather
the private key only.

And finally I can't find the import option to import a key I
previously exported. It should be located in the certificate snap-in
for the local user but all I see are renewal options of the
certificate and Export (even though there is no key currently since it
was deleted upon successful export).

 

[Niniel]

Not sure what you want to secure, but maybe you're better off with a
third-party encryption program.

I like TrueCrypt http://www.truecrypt.org/, not the least because it's free.

 

[Shark]

Not sure what you want to secure, but maybe you're better off with a
third-party encryption program.

I like TrueCrypthttp://www.truecrypt.org/, not the least because it's free.

I realize that for every functionality MS provides there is probably a
better third-party option out there. But as long as I'm in *this*
forum I'd like to use what's built in. Or at least try. EFS appears to
be simple and effective enough just as long as your harden it a bit.
But that's what I'm trying to find out while experimenting and giving
it a chance.

At least answer why I can't see the import option to import a key. Is
there some service that must be turned on (cryptographic service is
already Automatic and active) or some other option?

 

[Brian Komar]

Some answers inline....

I'm testing XP Pro's EFS before I adopt it and ran into some
questions.

There is an interesting Wikipedia article on EFS, particularly this
passage:

"Windows can store plaintext versions of user account passphrases,
though this is no longer default behaviour; it also can and will
store, by default, the local user account passphrases in LM hash,
which can be attacked and broken relatively easily. It also stores
local user account passphrases as NTLM hashes, which can be fairly
easily attacked using "rainbow tables". To mitigate the threat of
trivial brute-force attacks on local passphrases, Windows needs to be
configured (using the Security Settings portion of Group Policy) to
never store LM hashes, and of course, to turn off Autologon (which
stores plaintext passphrases in the registry). Further, using local
user account passphrases over 14 characters long prevents Windows from
storing an LM hash in the SAM - and has the added benefit of making
brute-force attacks against the NTLM hash harder. Of course, if you
consider the fact that EFS uses Triple DES or AES to encrypt files,
you should use proper passphrase lengths (over 20 characters long) to
achieve equivalent strength against brute-force attacks."

But I didn't fully understand the part about 14 character-long
passphrases. Is this additional to configuring Group Policy (as
described) or by simpling choosing a 14 character password it will
automatically force XP to NOT cache in LM hash?

No. LM passwords could only be a max of 14 characters long. If your password
is longer than 14 characters, then no LM hash is stored.
This is an either or. If you set the GPO to not use LM Hashes, then there is
no LM hash maintained. Alternatively, using a password > 14 characters
ensures that no LM hash is maintained.
The better solution is to *not* use local user accounts. Instead, use domain
user accounts.

Another question is this, assuming the private key-certificate will be
exported to media outside the computer and deleted for additional
security, is it absolutely necessary for that account to have a logon
password for the encryption of the content to be secured? I'm assuming
the logon password is not used for the encryption process but rather
the private key only.

This is a *bad* idea for EFS. If you export and delete the original
certificate and private key, then EFS will either:
- request a new certificate
- generate a self-signed EFS certificate
In both cases, the previous certificate is replaced.

The logon password is used to generate the DPAPI protection of the private
key in the user's profile. This is why, if a local user account is used,
resetting the user's password removes access to the user's private keys.

And finally I can't find the import option to import a key I
previously exported. It should be located in the certificate snap-in
for the local user but all I see are renewal options of the
certificate and Export (even though there is no key currently since it
was deleted upon successful export).

You can only import the .pfx file that you previously exported. If you do
not import from the .pfx (PKCS#12) format, then there is not private key to
import.
I recommend that you look at the EFS whitepaper for more details.
http://www.msdn.microsoft.com/libra...ecure/html/WinNETSrvr-EncryptedFileSystem.asp

 

[GreenieLeBrun]

I'm testing XP Pro's EFS before I adopt it and ran into some
questions.

There is an interesting Wikipedia article on EFS, particularly this
passage:

"Windows can store plaintext versions of user account passphrases,
though this is no longer default behaviour; it also can and will
store, by default, the local user account passphrases in LM hash,
which can be attacked and broken relatively easily. It also stores
local user account passphrases as NTLM hashes, which can be fairly
easily attacked using "rainbow tables". To mitigate the threat of
trivial brute-force attacks on local passphrases, Windows needs to be
configured (using the Security Settings portion of Group Policy) to
never store LM hashes, and of course, to turn off Autologon (which
stores plaintext passphrases in the registry). Further, using local
user account passphrases over 14 characters long prevents Windows from
storing an LM hash in the SAM - and has the added benefit of making
brute-force attacks against the NTLM hash harder. Of course, if you
consider the fact that EFS uses Triple DES or AES to encrypt files,
you should use proper passphrase lengths (over 20 characters long) to
achieve equivalent strength against brute-force attacks."

But I didn't fully understand the part about 14 character-long
passphrases. Is this additional to configuring Group Policy (as
described) or by simpling choosing a 14 character password it will
automatically force XP to NOT cache in LM hash?

Another question is this, assuming the private key-certificate will be
exported to media outside the computer and deleted for additional
security, is it absolutely necessary for that account to have a logon
password for the encryption of the content to be secured? I'm assuming
the logon password is not used for the encryption process but rather
the private key only.

And finally I can't find the import option to import a key I
previously exported. It should be located in the certificate snap-in
for the local user but all I see are renewal options of the
certificate and Export (even though there is no key currently since it
was deleted upon successful export).

I don't use EFS but the following links may be of interest to you.

he Encrypting File System
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/en-us

How to back up the recovery agent Encrypting File System (EFS) private key
in Windows Server 2003, in Windows 2000, and in Windows XP
http://support.microsoft.com/kb/241201

How To Encrypt a Folder in Windows XP
http://support.microsoft.com/?id=308989

How To Remove File Encryption in Windows XP
http://support.microsoft.com/?id=308993

How To Encrypt a File in Windows XP
http://support.microsoft.com/?id=307877

HOW TO: Share Access to an Encrypted File in Windows XP
http://support.microsoft.com/?id=308991