Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
ارسال به دوستان
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات
توضیحات
افزودن یادداشت جدید







Avoiding Data LossPlanning for Recovery


Before EFS is used, a recovery plan should be developed and put into place. Unfortunately, EFS is enabled by default, and few organizations create and implement an effective EFS policy before users are logged on to the system. Users can easily encrypt and decrypt files without realizing that they should be archiving keys. Using EFS to encrypt and decrypt files is easy. On the other hand, while recovery is not difficult, it requires thought and potentially substantial action. Private keys must be archived and protected.

Recovery Plans for Standalone Systems and Domains Without CAs


It will be difficult to institute a plan for EFS file recovery based on end users' archival of EFS keys. Most users don't back up their data and aren't expected to do so. Data is often stored by policy on network servers and backed up by using automated programs and dedicated staff. When standalone systems are used to encrypt files with EFS, there is no centralized mechanism for archiving keys. (In a domain environment, other options exist.)

Unless EFS is restricted to a few users, it will be impossible to create a workable and sustainable EFS key archival plan.

Classic EFS, as implemented in Windows 2000, attempts to solve this problem by requiring the presence of a recovery agent before encryption can occur. On the standalone machine, this recovery agent is the local administrator. In the Windows 2000 domain, it's the first administrator who signed on after the first DC in the domain was dcpromoed. The recovery agent public key is used to encrypt every FEK; the recovery agent's private key can be used to recover all EFS-encrypted files. In a perfect world, there is no need for archived end-user encryption keys. The recovery agent can be used to recover EFS-encrypted files for which the original end user's keys are damaged or lost. For extra insurance, a recovery plan need only include the archival of the recovery agent keys. However, where all computers are standalone, archival of these keys presents the same problem that archiving end-user keys does: There is a unique recovery agent for each stand alone system. Furthermore, many of the reasons that can cause end-user keys to become damaged and lost can also impact recovery keys, so the archival of these keys is important. Windows XP and Windows Server 2003 standalone systems do not automatically create a recovery agent, and the existence of recovery agent keys is not necessary for encryption. In all cases, the recovery plan depends on the scrupulous archival and maintenance of asymmetric keys.

NOTE: Public Key Policy Resides at the Domain Level

Public key policy is configured at the domain levelthat is, recovery agents are created by default in the PKI policy of the domain. A forest-wide public key policy on recovery can be technically controlled by implementing PKI and controlling the assignment of recovery certificates.

Another problem with this plan is that on the standalone computer, the recovery keys are present on the local hard drive. That means that a Windows 2000 laptop has not only user keys but also recovery keys traveling right along with it. If the laptop is stolen, there are two chances to subvert the process and decrypt the files. If the password to either the user's account or the local administrator's account can be cracked, the thief has access to the file. The legitimate administrator also has free and easy access to encrypted files, either as recovery agent or by changing the password of the user account and logging on as the user.

Windows XP Professional and Windows Server 2003 attempt to correct this issue by removing the requirement for a recovery agent. This means that XP Professional in a domain will use a recovery agent if one is present, but a standalone Windows XP system does not have a recovery agent. Another change in Windows XP Professional and Server 2003 is that on a standalone machine, if an administrator resets the user's password, the association with the public key set is lost. Even though the administrator can now log on as the user, he cannot decrypt the files. (Should this accidentally occur, if the user has a password reset disk, she can use it to reset the password to the original one and thus can decrypt her files.) Ordinary password changes made by the logged on user do not cause a problem with EFS-encrypted files. In a domain, of course, the user's password may be reset with no ill effect.

The fact that there is no recovery agent in a standalone system means there is no fall back if the user's keys are destroyed or if the user forgets his password and doesn't have a password reset disk. The EFS- encrypted files cannot be decrypted. To ensure a recovery strategy, each user's EFS keys must be archived.

Recovery Policy and Disabling EFS


In Group Policy, the Encrypting File System policy can be used to disable EFS or to manage the recovery agent certificates. This policy is located in local or domain-based Group Policy in the Windows Settings, Security Settings, Public Key Polices container. The recovery agent certificate(s), if present, can be viewed in the policy, as shown in Figure 6-15. The certificate information shows the account assigned as the recovery agent. On a standalone Windows Server 2003 and Windows XP Professional computer, by default, there is no Encrypting File System policy recovery agent, as shown in Figure 6-16. However, the property page of the policy can be used to disable or re-enable the use of EFS on the system.

Figure 6-15. In a domain, the EFS policy displays the recovery agent certificate(s).

[View full size image]

Figure 6-16. On a standalone system, the EFS policy remains empty unless a recovery agent is added.

Chapter 12.

In a Windows Server 2003 domain, implement certificate services and add key archival.

Disable EFS for each computer by modifying the registry of each standalone computer or by configuring the local Group Policy.


Delete the EFS Policy and Create an Empty Policy


1.

Click Start, Administrative Tools, Domain Security Policy.

2.

Expand Security Settings, Public Key Policies and select Encrypting File System.

3.

If a recovery agent certificate(s) is present, back up the certificates and private keys and store them in a safe place. Be sure to remove the private keys from the system. They may be needed to recover encrypted files or to implement a new recovery policy at a future date.

4.

Delete the certificates. (This is a "no recovery policy.")

5.

Right-click Encrypting File System and select Delete Policy.

6.

After deleting the policy, right-click the Encrypting File System and select Create empty Policy.


Disable EFS

Different techniques can be used to disable EFS. Some of them are dependent on the operating system.

To disable EFS for Windows 2000, delete the recovery agent certificate from the Local Security policy of a standalone system or from the domain public key policy of the domain GPO.

To disable EFS for a Windows XP Professional standalone system, right-click on the Local Security Policy, Public Key Policy, Encrypting File System and uncheck the box Allow users to encrypt files using Encrypting File System (EFS), as shown in Figure 6-17. This sets the registry key shown in the next bullet.

Figure 6-17. Clearing this box will disable EFS.

To disable EFS for a Windows Server 2003 standalone system, edit the registry value EfsConfiguration. (You may need to add the value.) The value 0x01 will disable EFS, while resetting it to 0 will enable EFS. The value is located at HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\WindowsNT\CurrentVersion\EFS\

If the system is joined in a domain, use Group Policy. The registry value is modified when the Property page of the Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypting File System folder is changed.

To disable EFS for Windows XP Professional and Windows Server 2003 systems joined in a Windows 2000 domain, you must either edit each machine's Local Security Policy or registry keys, or add the information to a security template and import the template into a GPO for the domain to automatically accomplish this.

To disable EFS for Windows XP and Windows Server 2003 clients in a Windows Server 2003 domain, you can change the Public Key policy of the domain GPO by right-clicking on the Encrypting File System policy and selecting Properties, and then clearing the check box for Allow users to encrypt files.


Tools for Recovering the Unrecoverable


For several years, there has been little help for users of EFS who failed to archive keys and develop and implement a reasonable recovery policy. Today, though, several products offer possible file recovery. These solutions, however, rely on the existence of the keys in the file system and knowledge of the user's password, or the ability to crack the user's password. Since many otherwise hopeless scenarios can provide this information, these products have met with some success. For example, if the operating system is reinstalled, it is possible that the original user's profile is still on the disk, even though it is impossible to reassociate the profile with any new account or gain access to old accounts. If the user still knows the password used with the now-defunct account, recovery may be possible using one of these tools. In addition, if forensic tools can be used to access data on the disk, even if the loss is the result of a hard disk crash, recovery may still be possible. Solving this problem resolves many of the legitimate "Help, I encrypted my files and now I can't access them" issues.

The tools are not going to be useful if the password is not known and cannot be deduced.

The following products may be useful in recovery of EFS-encrypted files.

Encase
A forensic program available from Guidance Software (www.guidancesoftware.com) has an EFS module available.

Advanced EFS Data Recovery
A commercial utility available for purchase from Elcomsoft (http://www.elcomsoft.com/aefsdrl).

EFS Key
A utility available from http://www.lostpassword.com/efs.

reccerts.exe
A Microsoft Product Support Services (PSS) tool (www.microsoft.com/support).



Best Practices for Recovery


When authorized individuals cannot decrypt critical, sensitive files, it can mean disaster. A sound recovery policy needs to be designed, implemented, and maintained. Following are several best practices to incorporate:Sharing Encrypted Files" later in this chapter for more information.

Have a policy in place for file recovery. The policy should require safe transport of encrypted files to an isolated recovery station, the use of a dedicated recovery agent certificate and private key that is not imported to the recovery station until needed for recovery, the use of cipher to decrypt the files, and safe transport back to the owner of the files and immediate encryption.


Are you confused as to what keys need to be present to ensure recovery? Trust me: If you aren't, it's only a matter of time before some well-meaning person confuses you by handing out the wrong information. Keep this in mind. The private keys are only needed for decryption. If recovery agent private keys are archived, their presence on the drive is not necessary. The recovery agent public key does need to be present, though. Without it, the FEK of the encrypted file cannot be protected for recovery. Likewise, if the user's private key is not present, encryption can occur, but the user will not be able to decrypt the file. If he saves a file in Word and then tries to open it, he will be unsuccessful. Don't let anyone tell you that you can remove the user's certificate and still encrypt the files. The public key, which is necessary for encryption, is on the certificate. Delete the certificate, and there can be no encryption. The private key, which is only necessary for decryption, is not part of the certificate.


/ 194