COMMAND
EFS
SYSTEMS AFFECTED
Win2k
PROBLEM
Colman Communications Consulting issued following information.
The vulnerabilities present in EFS are summarised thus:
1. Files which are moved into an encrypted folder, or are present
as plain text prior to a directory being encrypted, have a
plain text copy made. In addition plain text fragments of the
original will also persist.
2. Third party disk wipe products do not effectively "zero" unused
disk space under Windows 2000.
Plain Text Copies
=================
When files which were previously in plain text are encrypted
using EFS, either by encrypting the file or the directory the file
is in, or by moving the file into a directory with EFS applied, a
plain-text (as distinct from cipher-text) copy of the file is made
on the disk. In addition to this plain-text fragments of the
original file may also persist.
In the case of the plain text copy this occurs because Windows
2000 takes a temporary backup copy of the file prior to encryption
to ensure that it can recover the file should a system error occur
whilst the file is being encrypted. In terms of the file fragments
this is simply a reflection of the standard operation of most
operating systems where "deleted" files are not actually
overwritten, but simply de-allocated.
Depending on the usage of the system this presents the possibility
that the plain text copy and plain text fragments of the original
file could persist on the system's disk until such time as the
system has a need for the space and overwrites the data contained
there.
Access to the plain text copy or fragments could be achieved by
anyone who is able to obtain physical access to the disk, and can
mount the disk into another system. Access to the plain text copy
could also be achieved by an "Administrator" who is able to load a
device driver to speak directly to the disk.
When EFS is used in the recommended manner, that is files are
only created inside folders with EFS enabled the problem of
plain-text copies and fragments does not occur.
Organisations that are using EFS to help mitigate the risk of
physical security of systems should be aware of this issue and
act in accordance with the recommended mode of operation, and our
advice below.
Disk Wipe Products Fail To Wipe Disk
====================================
The second issue described above is compounded by the fact that
most third party disk wipe products do not wipe the disks of
Windows 2000 systems.
This effectively means that users are unable to clear plain text
copies of files they thought were encrypted, as well other
material they thought they had deleted, by using disk wipe
products.
Organisations that are making use of disk wipe products to manage
risks related to "deleted" data under Windows 2000 should be
aware of this issue and act in accordance with our advice below,
and that provided by Microsoft.
SOLUTION
Microsoft has released a new tool to address issues with EFS under
Windows 2000 found by Colman Communications Consulting.
Colman Communications Consulting has worked with Microsoft to
have these issues addressed. This work has resulted in a
commitment from Microsoft to place emphasis the behaviour of EFS
and writing a tool which can be used to wipe unused disk space on
Windows 2000 systems.
If you are using EFS then you should ensure that:
- Your users are educated on the correct manner of operating EFS
so as to prevent the proliferation of plain text copies.
- You install and run the cipher.exe tool on your systems to
ensure that any plain text copies and other sensitive "deleted"
information is zeroed.
The new version of cipher.exe along with install instructions was
orginally posted at:
http://www.microsoft.com/technet/security/cipher.asp
At the time of posting this page is temporarily unavailable due
to a revamp of the Microsoft Technet Area. However, the related
Microsoft Knowledge Base Article can be found at:
http://support.microsoft.com/support/kb/articles/Q298/0/09.ASP