File system access
A lot of important information is stored not only on file servers but also on users' workstations, and this data is easily lost or disclosed if certain measures are not taken. First of all, it is recommended to use the NTFS file system for the system partition and for any partition holding critical data, since NTFS provides a number of additional data protection features.
One of these features is access control. Using access control lists (ACLs), a user can restrict access to their data stored on a computer: access to files can be limited to a specific user, computer, or user group. When setting permissions, an access level is assigned to each group and user. For example, one user may be allowed to read the contents of a file, another may be allowed to modify it, and all other users are denied any access to it.
This is necessary if several users work on one computer, or if the company's network does not restrict which users may log on to which computers, so that any domain user with physical access to a computer's console can log on to it.
Windows 2000 uses the fifth version of NTFS. One of the new features of this NTFS version is the Encrypting File System (EFS). EFS is based on a Public Key Infrastructure (PKI) and allows files and folders to be encrypted (Fig. 6).
An encrypting file system protects against attacks that obtain data by bypassing the operating system, such as booting an alternative OS from removable media or attaching the data disk to another computer. Even if someone gains access to an encrypted file (for example, by stealing the computer or the disk on which the file is stored), they will not be able to decrypt it and read the information. EFS is integrated with the file system, which makes attacks on EFS harder and simplifies management.
There are certain restrictions on file encryption. Compressed files and folders cannot be encrypted: a compressed file or folder must be decompressed before it is encrypted. Files with the System attribute and files located in the system root folder C:\Winnt are also not encrypted.
Files can be encrypted or decrypted either through the graphical interface, by clicking the Advanced button in the file or folder properties dialog box, or from the command line using the cipher utility. A file encryption key is generated automatically for each file or folder. This key is in turn encrypted with the user's public key and with the public key of the EFS data recovery agent, and the encrypted keys are stored as NTFS attributes of each object.
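As an added example (not part of the original article), the following PowerShell script audits a folder against the restrictions just described: it reports which files are already EFS-encrypted and flags the compressed or System-attribute files that EFS will refuse. It assumes an NTFS volume, and `$Root` is an assumed path to replace with the folder to audit.

```powershell
# Added example, not from the original article: audit a folder for EFS coverage.
# Reports which files are EFS-encrypted and flags the files EFS will not encrypt:
# compressed files (decompress them first) and files carrying the System attribute.
# Assumes an NTFS volume; $Root is an assumed path, change it to the folder to audit.
param([string]$Root = 'C:\Users\alice\Documents')

$encAttr  = [System.IO.FileAttributes]::Encrypted
$compAttr = [System.IO.FileAttributes]::Compressed
$sysAttr  = [System.IO.FileAttributes]::System

$report = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $a = $_.Attributes
        # Reason EFS would refuse this file, per the restrictions described above
        $blocker = ''
        if ($a -band $compAttr) { $blocker = 'compressed: run "compact /u" before "cipher /e"' }
        elseif ($a -band $sysAttr) { $blocker = 'System attribute' }
        [pscustomobject]@{
            Path      = $_.FullName
            Encrypted = [bool]($a -band $encAttr)
            Blocker   = $blocker
        }
    }

$report | Format-Table -AutoSize

# Files that are not yet encrypted and have nothing preventing it
$candidates = @($report | Where-Object { -not $_.Encrypted -and $_.Blocker -eq '' })
Write-Host ("{0} of {1} files are unencrypted and could be protected with: cipher /e /s:{2}" -f $candidates.Count, @($report).Count, $Root)
```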
The question arises: how can an encrypted file or folder be accessed if the user who encrypted the data falls ill or leaves the company? To provide for this, Windows 2000 has an EFS data recovery agent. But the existence of such a facility also makes life easier for attackers, since the default recovery agent is the local system administrator, and, as described above, obtaining local administrator rights with an empty password is very simple for anyone with physical access to the computer or hard drive!
Another way to access encrypted files is to use the chntpw utility written by Petter Nordahl-Hagen (see above) to change the password of the user who encrypted the data.
After that, it only remains to boot and decrypt the data using the public key of the recovery agent or user. But is there really no way to protect encrypted data against such tampering?
Not everything is so bad. If the computer is a member of an Active Directory domain, the recovery agent is not the local administrator but the domain administrator, and the EFS data recovery public key is stored in the Active Directory database rather than locally. If the owner of the encrypted data is an Active Directory domain user rather than a local user of the computer, all of their account data is likewise stored on the domain controller and cannot be used to crack the EFS data.
If the computer is not a domain member but the default SYSKEY key usage mode has been changed (see above), an attacker will likewise not gain access to EFS-encrypted files even after logging on to the system, because in this case the public keys of the user and the recovery agent are encrypted using the SYSKEY utility, and the SYSKEY key itself is not accessible to the attacker.