
Win2k EFS plaintext copies of supposedly-encrypted files
Vulnerability

    EFS

Affected

    Win2k

Description

    Colman Communications Consulting issued the following information.
    The vulnerabilities present in EFS are summarised thus:
    1. Files which are moved into an encrypted folder, or are present
       as plain text prior to a directory being encrypted, have a
       plain text copy made. In addition, plain text fragments of the
       original will also persist.
    2. Third party disk wipe products do not effectively "zero" unused
       disk space under Windows 2000.

    Plain Text Copies
    =================
    When files which were previously in plain text are encrypted
    using EFS, either by encrypting the file or the directory the file
    is in, or by moving the file into a directory with EFS applied, a
    plain-text (as distinct from cipher-text) copy of the file is made
    on the disk. In addition to this, plain-text fragments of the
    original file may also persist.

    In the case of the plain text copy this occurs because Windows
    2000 takes a temporary backup copy of the file prior to encryption
    to ensure that it can recover the file should a system error occur
    whilst the file is being encrypted. In terms of the file fragments
    this is simply a reflection of the standard operation of most
    operating systems, where "deleted" files are not actually
    overwritten, but simply de-allocated.

    Depending on the usage of the system this presents the possibility
    that the plain text copy and plain text fragments of the original
    file could persist on the system's disk until such time as the
    system has a need for the space and overwrites the data contained
    there.

    Access to the plain text copy or fragments could be achieved by
    anyone who is able to obtain physical access to the disk, and can
    mount the disk into another system. Access to the plain text copy
    could also be achieved by an "Administrator" who is able to load a
    device driver to speak directly to the disk.

    When EFS is used in the recommended manner, that is, files are
    only created inside folders with EFS enabled, the problem of
    plain-text copies and fragments does not occur.

    Organisations that are using EFS to help mitigate the risk of
    physical security of systems should be aware of this issue and
    act in accordance with the recommended mode of operation, and our
    advice below.


    Disk Wipe Products Fail To Wipe Disk
    ====================================
    The second issue described above is compounded by the fact that
    most third party disk wipe products do not wipe the disks of
    Windows 2000 systems.

    This effectively means that users are unable to clear plain text
    copies of files they thought were encrypted, as well as other
    material they thought they had deleted, by using disk wipe
    products.

    Organisations that are making use of disk wipe products to manage
    risks related to "deleted" data under Windows 2000 should be
    aware of this issue and act in accordance with our advice below,
    and that provided by Microsoft.

Solution

    Microsoft has released a new tool to address issues with EFS under
    Windows 2000 found by Colman Communications Consulting.

    Colman Communications Consulting has worked with Microsoft to
    have these issues addressed. This work has resulted in a
    commitment from Microsoft to place emphasis on the behaviour of EFS
    and to write a tool which can be used to wipe unused disk space on
    Windows 2000 systems.

    If you are using EFS then you should ensure that:
    - Your users are educated on the correct manner of operating EFS
      so as to prevent the proliferation of plain text copies.
    - You install and run the cipher.exe tool on your systems to
      ensure that any plain text copies and other sensitive "deleted"
      information is zeroed.
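    The following is an added example, not part of the advisory and not
    Microsoft's or Colman Communications Consulting's code. It models the
    two points above in a constructed in-memory "disk" with a cluster
    allocation map: an ordinary delete only de-allocates clusters, so a
    plaintext copy (including a temporary backup made before encryption)
    lingers in free space until something overwrites it, and a free-space
    wipe followed by a residue scan is how you verify that the cleanup
    actually happened. The class and function names (ToyDisk,
    scan_for_residue, wipe_free_space, demo), the cluster size and the
    sample file contents are all hypothetical; the XOR "encryption" is a
    placeholder so the ciphertext copy differs from the plaintext, not a
    stand-in for EFS.

```python
"""Toy disk whose delete only de-allocates clusters (added example).

Constructed model: an image buffer plus an allocation map. Shows why a
deleted plaintext copy survives in unallocated space and how a wipe of
free space followed by a scan verifies that no plaintext residue remains.
"""
from typing import Dict, List

CLUSTER = 64  # bytes per cluster in the toy image (constructed value)


class ToyDisk:
    """Minimal disk: raw image bytes, allocation map, name -> clusters."""

    def __init__(self, clusters: int) -> None:
        self.image = bytearray(clusters * CLUSTER)
        self.allocated = [False] * clusters
        self.files: Dict[str, List[int]] = {}

    def write_file(self, name: str, data: bytes) -> List[int]:
        """Store data in the first free clusters; returns clusters used."""
        needed = (len(data) + CLUSTER - 1) // CLUSTER
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < needed:
            raise OSError("toy disk full")
        used = free[:needed]
        for n, idx in enumerate(used):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            start = idx * CLUSTER
            self.image[start:start + len(chunk)] = chunk
            self.allocated[idx] = True
        self.files[name] = used
        return used

    def delete_file(self, name: str) -> None:
        """Ordinary delete: clear the allocation bits, leave the bytes."""
        for idx in self.files.pop(name):
            self.allocated[idx] = False


def scan_for_residue(disk: ToyDisk, canary: bytes) -> List[int]:
    """Offsets where canary appears inside unallocated clusters.

    This is the verification step: a non-empty result after a wipe means
    plaintext is still recoverable from free space.
    """
    hits: List[int] = []
    pos = disk.image.find(canary)
    while pos != -1:
        if not disk.allocated[pos // CLUSTER]:
            hits.append(pos)
        pos = disk.image.find(canary, pos + 1)
    return hits


def wipe_free_space(disk: ToyDisk, fill: bytes = b"\x00") -> int:
    """Overwrite every unallocated cluster; returns how many were wiped.

    Conceptually what a free-space wipe tool does; allocated clusters
    (live files, including the ciphertext copy) are left untouched.
    """
    wiped = 0
    for idx, used in enumerate(disk.allocated):
        if not used:
            disk.image[idx * CLUSTER:(idx + 1) * CLUSTER] = fill * CLUSTER
            wiped += 1
    return wiped


def demo() -> tuple:
    """Walk through: plaintext file -> encrypt -> delete -> wipe -> verify.

    Returns (residue hits before wipe, residue hits after wipe, clusters wiped).
    """
    disk = ToyDisk(clusters=16)
    canary = b"SALARY-REVIEW-CONFIDENTIAL"          # constructed marker
    secret = canary + b" Jane Doe 120000"            # constructed content
    # 1. The file exists in plain text before encryption is applied.
    disk.write_file("plan.txt", secret)
    # 2. Encryption modelled as: write ciphertext, keep a temporary backup
    #    of the plaintext (as the advisory describes), then delete both
    #    plaintext items. XOR is a placeholder, not real encryption.
    ciphertext = bytes(b ^ 0x5A for b in secret)
    disk.write_file("plan.txt.efs", ciphertext)
    disk.write_file("EFS-backup.tmp", secret)
    disk.delete_file("plan.txt")
    disk.delete_file("EFS-backup.tmp")
    before = len(scan_for_residue(disk, canary))     # two plaintext copies linger
    wiped = wipe_free_space(disk)
    after = len(scan_for_residue(disk, canary))      # nothing left in free space
    return before, after, wiped


if __name__ == "__main__":
    print("residue before/after wipe, clusters wiped:", demo())
```

    The scan is the part worth keeping in a real procedure: after running
    the free-space wipe on a Windows 2000 volume, searching a raw image of
    the disk for a known string from a previously encrypted file gives
    direct evidence of whether the plaintext copy is gone, rather than
    trusting the tool's exit status.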

    The new version of cipher.exe along with install instructions was
    originally posted at:

        http://www.microsoft.com/technet/security/cipher.asp

    At the time of posting this page is temporarily unavailable due
    to a revamp of the Microsoft Technet Area. However, the related
    Microsoft Knowledge Base Article can be found at:

        http://support.microsoft.com/support/kb/articles/Q298/0/09.ASP
