Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: efs3~1.txt

Win2000 EFS Vulnerability




    Win 2000


    Brandon Lay found following.  If a user encrypts Autoexec.bat on a
    Windows 2000  NTFS system  volume, no  user will  be able to logon
    locally or access resources shared on this computer remotely,  not
    even Administrator.

    Windows 2000 NTFS  volumes support the  Encrypting File System  as
    built-in functionality.   This is  a certificate-based  encrypting
    system.  Any  user  that  can  be  authenticated  and  has   Write
    permission  to  a  file,  such  as  Autoexec.bat  (default is Full
    Control) can  potentially encrypt  the file  by right-clicking  in
    Explorer, selecting Properties,  clicking on the  Advanced button,
    and selecting Encrypt Contents to Secure Data.  This functionality
    should be  seriously considered,  as files  encrypted by  one user
    cannot be shared with any other user (by default).  Regardless  of
    permissions or ownership, if you  encrypt a file, no one  else can
    "open" the file.   Of course, because  of this functionality,  one
    would  think  you  couldn't  encrypt  system  files.  Well, if you
    attempt  to  encrypt  the  Winnt  folder  or the system boot files
    (NTLDR,  NTDETECT.COM,  BOOT.INI),  you  will  be denied access to
    encrypt it.  This is good.

    However, there is no such  protection on Autoexec.bat.  Once  this
    had been done  to Autoexec.bat, the  next user to  attempt a local
    logon  will  see  the  dialog  box  with the message "Loading your
    personal settings..." and the system just sits there waiting.   My
    assumption  is  that  Autoexec.bat   is  parsed  for   environment
    variables on every logon.   Since the file has been  encrypted, it
    can't be  accessed unless  the user  who encrypted  it presents  a
    certificate.   The certificate  is stored  in the  user's profile.
    Catch 22.   The user's  profile hasn't  actually been  loaded yet,
    preventing access to the key certificate that may (as in the  case
    of the user who did the deed) decrypt the file.  Thus Autoexec.bat
    can't be read and somehow  prevents the system from continuing  to
    load the  user's profile.   So not  only does  this prevent  other
    users from  logging on,  but also  the user  who encrypted it, and
    any Recovery Agents (such as the Administrator account).

    Here is a summary of observances:
    1. After encrypting  Autoexec.bat and logging  off, you can't  log
       on, system hangs.
    2. If  you think  you will  remotely access  \\computername\c$ and
       decrypt it, forget  it. You can  connect, which takes  a while,
       but then the connection no longer responds.  In otherwords, you
       eventually see  the contents  of C$  in a  window, but it won't
       respond to any action.  This is odd, since onw would thought to
       understood  the   authentication  process,   that  access    to
       Autoexec.bat would cause remote connectivity problems.
    3. You  cannot  fix  in  any  of the following ways (all  tested):
       Through  remote  access,  safe  mode,  safe  mode  with command
       prompt.   We  are  going  to  assume  that the Emergency Repair
       process would do nothing for you, but this was not tested  yet,
       so don't quote.

    To Reproduce:
    Logon  locally  to  any  current  release  version of Win2k - Pro,
    Server, Advanced Server have been tested - with NTFS 5.0.  Log  on
    using any user account (local or domain) and encrypt  Autoexec.bat
    using the method described above. Log off, and attempt to log on.

    To Repair:
    Boot to  the Recovery  Console (refer  to article  Q229716 for the
    How-To),   log   on   to   your   Win2k   installation  using  the
    "administrator" password (must be THE Administrator account),  use
    the  CD  command  to  go  to  the  root  of  the drive, and delete
    Autoexec.bat.  Before deleting it, you can verify it is  encrypted
    by using the DIR command which shows all attributes for files  and
    folders.   On  Autoexec.bat,  you  will  notice  the "e" attribute
    appears.   Now if  you installed  the Winnt  folder on a different
    volume  than  your  active,  or  system,  volume, you will need to
    change drive letters and then delete the file.


    Numerous people pointed out how a good secure configuration  would
    prevent  this  problem  from  occurring  (by preventing users from
    being able  to modify  an AUTOEXEC.BAT  if present,  or preventing
    them from  creating one  through carefully  thought out  directory
    rights).  The most interesting so far came from Martin Holden  who
    referred to this KB article;

    wherein the key ParseAutoexec can  be found.  The key  may prevent
    the use of the AUTOEXEC.BAT file. The KB states;

      "When this value is 1, the environment variables declared in the
      Autoexec.bat file are included in the user's environment"

    The  Possible  Preventative  Solutions  (until  this  is hopefully
    fixed - Pick One):

        * Set  the  NTFS  Read  permission for Authenticated Users  on
          Autoexec.bat.  If you can't  write to it, you can't  encrypt
          it.  Remove any other permissions inherited or assigned.
        * Disable EFS on stand-alone Win2K machines.  To do this refer
          to Microsoft article Q243035.
        * Disable EFS domain-wide.  Refer to Microsoft article Q222022

    BTW, deleting the file (since apparently we don't need to have it,
    but  if  it's  there  we  need  to  read  it!)  doesn't give you a
    preventative solution.  As a  user could just create a  file named
    Autoexec.bat on you System partition and then encrypt it.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH