Subject: Issues with Windows 2000 Encrypting File System and Disk Wipe
TO: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>
Microsoft has released a new tool to address issues with
Encrypting File System under Windows 2000 found by Colman
Communications Consulting.
Disclaimer
The information contained within this advisory is provided
as is with no warranty of fitness implied or otherwise. By making
use of the information you agree to do so entirely at your own risk
and indemnify Colman Communications Consulting Pty Ltd against any
damage which may result.
Synopsis
The vulnerabilities present in EFS are summarised thus:
1. Files which are moved into an encrypted folder, or are
present as plain text prior to a directory being encrypted, have a
plain text copy made. In addition plain text fragments of the
original will also persist.
2. Third party disk wipe products do not effectively "zero"
unused disk space under Windows 2000.
Additional information and advice on how to mitigate these
risks is provided below.
Plain Text Copies
When files which were previously in plain text are
encrypted using EFS, either by encrypting the file or the directory
the file is in, or by moving the file into a directory with EFS
applied, a plain-text (as distinct from cipher-text) copy of the
file is made on the disk. In addition to this, plain-text fragments
of the original file may also persist.
In the case of the plain text copy this occurs because
Windows 2000 takes a temporary backup copy of the file prior to
encryption to ensure that it can recover the file should a system
error occur whilst the file is being encrypted. In terms of the file
fragments this is simply a reflection of the standard operation of
most operating systems where "deleted" files are not actually
overwritten, but simply de-allocated.
Depending on the usage of the system this presents the
possibility that the plain text copy and plain text fragments of the
original file could persist on the system's disk until such time as
the system has a need for the space and overwrites the data
contained there.
Access to the plain text copy or fragments could be
achieved by anyone who is able to obtain physical access to the
disk, and can mount the disk into another system. Access to the
plain text copy could also be achieved by an "Administrator" who is
able to load a device driver to speak directly to the disk.
When EFS is used in the recommended manner, that is, files
are only created inside folders with EFS enabled, the problem of
plain-text copies and fragments does not occur.
Organisations that are using EFS to help mitigate the risk
of physical security of systems should be aware of this issue and
act in accordance with the recommended mode of operation, and our
advice below.
Disk Wipe Products Fail To Wipe Disk
The issue described above is compounded by the fact that most third
party disk wipe products do not wipe the disks of Windows 2000 systems.
This effectively means that users are unable to clear plain
text copies of files they thought were encrypted, as well as other
material they thought they had deleted, by using disk wipe products.
Organisations that are making use of disk wipe products to
manage risks related to "deleted" data under Windows 2000 should be
aware of this issue and act in accordance with our advice below, and
that provided by Microsoft.
Advice on Mitigating Risk
Colman Communications Consulting has worked with Microsoft
to have these issues addressed. This work has resulted in a
commitment from Microsoft to place emphasis on the behaviour of EFS
and to write a tool which can be used to wipe unused disk space on
Windows 2000 systems.
If you are using EFS then you should ensure that:
- Your users are educated on the correct manner of
operating EFS so as to prevent the proliferation of plain text
copies.
- You install and run the cipher.exe tool on your systems
to ensure that any plain text copies and other sensitive "deleted"
information is zeroed.
The new version of cipher.exe along with install
instructions was originally posted at:
http://www.microsoft.com/technet/security/cipher.asp
At the time of posting this page is temporarily unavailable
due to a revamp of the Microsoft Technet Area. However, the related
Microsoft Knowledge Base Article can be found at:
http://support.microsoft.com/support/kb/articles/Q298/0/09.ASP
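The two recommendations above can be checked and applied together. The script below is an added example, not part of the original advisory and not Microsoft's tooling: it flags files whose EFS state does not match their folder's, then optionally runs cipher.exe /w over the volume. It assumes PowerShell 3.0 or later on a current Windows system; the path C:\Data and the finding names are placeholders chosen for illustration, and the "encrypted in place" finding is a heuristic.

```powershell
# Added example, not part of the advisory. Assumes PowerShell 3.0 or later
# and a cipher.exe that supports /w. 'C:\Data' is a placeholder path.
param(
    [string]$Root = 'C:\Data',
    [switch]$Wipe   # also overwrite unused space on the volume holding $Root
)

$efs = [System.IO.FileAttributes]::Encrypted

function Test-Efs {
    param([System.IO.FileSystemInfo]$Item)
    # True when the NTFS "encrypted" attribute is set on the file or folder.
    return (($Item.Attributes -band $efs) -eq $efs)
}

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    $fileEfs   = Test-Efs $f
    $folderEfs = Test-Efs $f.Directory
    if ($fileEfs -and -not $folderEfs) {
        # Heuristic: an encrypted file in a plain folder was probably encrypted
        # individually, the case where the advisory says a plain-text copy is left.
        $finding = 'EncryptedInPlace'
    } elseif ($folderEfs -and -not $fileEfs) {
        # The file sits in an EFS folder but is itself stored in plain text.
        $finding = 'PlainTextInEfsFolder'
    } else {
        continue
    }
    [pscustomobject]@{ Finding = $finding; Path = $f.FullName; LastWrite = $f.LastWriteTime }
}

if (@($report).Count -gt 0) {
    $report | Sort-Object Finding, Path | Format-Table -AutoSize
} else {
    Write-Output "No EFS mismatches found under $Root"
}

if ($Wipe) {
    # cipher /w overwrites unused (de-allocated) space on the whole volume that
    # contains the given directory; allocated files are not touched.
    & cipher.exe "/w:$Root"
    if ($LASTEXITCODE -ne 0) { Write-Warning "cipher /w exited with code $LASTEXITCODE" }
}
```

A clean report does not show that no plain-text copies exist, since files moved into an EFS folder look identical to files created there; the wipe step is what removes leftover copies and fragments.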
Credits
This advisory with additional advice for Australian
Commonwealth Government Agencies can be found at:
http://www.colmancomm.com/news/20010612efs.htm
Additional notes from Colman Communications Consulting on
using EFS can be found at:
http://www.colmancomm.com/resources/EFS_Guidelines.htm
Colman Communications Consulting is based in Canberra,
Australia, and specialises in IT Security for Industry and
Government.
Date: June 27, 2001