From: Thor (Hammer of God) (thor@hammerofgod.com)
Date: Mon Oct 03 2005 - 12:07:46 EDT
Actually, booting to an alt OS would easily allow access to the SAM- in your
case, it would be SYSKEY'd, so cracking it would not be an issue, but that's
why I was asking about what type of user mode is being used-- if you are
using local accounts, one could easily boot to an alt OS and replace the SAM
(reset the admin account.) In this case, since the local admin owns the EFS
recovery keys by default, the account could be used to read all the local
users files even if EFS'd. Oh, and thank you for the correction regarding
access to the LSA with password-on-boot SYSKEY... You are absolutely
correct; SYSKEY modes 2 and 3 do indeed encrypt the LSA- I was totally wrong
about that. Not withstanding that, the main point is to use domain accounts
vs local accounts to keep the "local admin" attack from being successful.
You could indeed export the local admin recovery keys, but using domain
accounts makes all that a moot point...
Just making sure you're using domain accounts (or will), or that you're
exporting the EFS recovery cert...
Also, you might want to address things like copying files around (possibly
removing EFS protection) or users just hibernating the lappy with your
users...
Good stuff...
t
----- Original Message -----
From: "Dufresne, Pierre" <PIERRE.DUFRESNE@MESS.GOUV.QC.CA>
To: <pen-test@securityfocus.com>
Cc: "Thor (Hammer of God)" <thor@hammerofgod.com>
Sent: Monday, October 03, 2005 7:44 AM
Subject: RE: Password "security" - was"Passwords with Lan Manager (LM) under
Windows" and "Whitespace in passwords"
> Thanks for your detailed answer.
>
> As I said, by using SYSKEY with a password-on-boot,
> I was hoping to protect the cache entries stored on the laptops.
> Without the SYSKEY password, the machine won't boot,
> so an attacker could not dump the cache (CacheDump) or get access to the
> LSA
> (LSADump2).
> I also assume that booting with another OS would not give the attacker
> access to the EFS files
> because AES is pretty strong, the cache entries are encrypted with a
> secret
> (NL$KM) which is stored in the
> LSA and the LSA is not accessible because the system key is
> password protected by a password which is not stored locally anymore.
> I don't assume my reasoning is foolproof, I just want to make sure
> deploying SYSKEY with a password-on-boot will render our laptops harder to
> penetrate.
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
> Sent: 30 septembre 2005 01:06
> To: Dufresne, Pierre; pen-test@securityfocus.com
> Subject: Re: Password "security" - was"Passwords with Lan Manager (LM)
> under
> Windows" and "Whitespace in passwords"
>
> Let's break this down a bit--
>
> I didn't pick up on the fact that you were concerned with laptop
> security--
>
> when you discussed SYSKEY'ing the SAM, I assumed a member/stand-alone SAM.
> But you can certainly SYSKEY the SAM of an XP box as well...
>
> Regarding laptop security, you're in the same boat as the rest of us.
> It's
> tough business to secure resident data and keep the box patched while
> making
>
> access easy enough for the user to get their jobs done without
> compromising
> security. My gut feeling is that it is so difficult that the majority of
> corporate laptop deployments are seriously lacking in security, and that
> the
>
> laptop represents one of the highest levels of threat and exposure to an
> organization. So let's chew on this one...
>
> First off, SYSKEY'ing the SAM of an XP lappy does not encrypt the cached
> pwd's in the LSA. It just changes the encryption level of the SAM
> accounts
> db itself. This is where the number of cached logons stored in the LSA
> comes in... If you are authenticating to the local account base on the
> box,
> you can set this to 0 without worry (because it does not come into play).
> However, if you are authenticating to a domain, (which I have to assume
> you
> are doing since cached logons are a concern) setting cached logons to 0
> will
>
> require a connection to a DC just to log on to the box-- something I don't
> see many people do on remote laptops using domain accounts. That being
> said, most deployments of EFS that I have seen, particularly in laptops,
> are
>
> based on domain accounts. The main reason being the fact that
> authentication is off-box, thus reducing the risk of local accounts
> compromising EFS encrypted files. You also can use the domain-based
> recovery certificate to access files should you have to take a user out
> back
>
> and shoot them. Hey, these things happen in the south.
>
> So, I would opine that using SYSKEY to secure local accounts on a laptop
> using EFS is a bit bulky, and that the associated administrative overhead
> to
>
> make it all work well is counter-productive... Of course, if any on the
> list
>
> are doing this with appreciable levels of success, please let us know what
> we are missing (what I'm missing, anyway.)
>
> Regarding passwords, just use pass phrases. This whole thread really got
> skewed in regard to that, I think. For one, a password with a whitespace
> in
>
> it is obviously more secure than one without, simply because it increases
> the keyspace. It doesn't matter what Cain and Able, or Adam and Eve for
> that matter, can do with it-- increased keyspace == increased overhead to
> crack. It's simple math. You'll hear all manner of war stories of people
> cracking this, cracking that, using rainbow tables here, LM cracks there,
> and a bag of Skittles on the other side. But most of that can be obviated
> by
>
> having simple, but long, pass phrases. Since Win2k, you've had the choice
> of using 1298 character passwords/phrases. Even if you catch an NTLM auth
> on
>
> the wire, a passphrase like "i have no farking idea what my password is."
> will take an eon to crack, even though it is all lower-case alpha with a
> period thrown in-- same with a SAM. Besides, if someone has camped out on
> your box and grabbed the SAM, you've got Bigger Problems (tm) anyway.
>
> In addition to easy pass phrases, I think a far more workable and viable
> solution for laptop data is the use of something like a PGP partition to
> store data. It's easy for the user, easy for the admin, and adds
> real-world
>
> security to remote data deployments...
>
> t
>
>
> ----- Original Message -----
> From: "Dufresne, Pierre" <PIERRE.DUFRESNE@MESS.GOUV.QC.CA>
> To: <pen-test@securityfocus.com>
> Sent: Thursday, September 29, 2005 6:19 AM
> Subject: RE: Password "security" - was"Passwords with Lan Manager (LM)
> under
>
> Windows" and "Whitespace in passwords"
>
>
>> Thanks for the advice,
>>
>> I am focusing on stolen laptops. With the password-on-boot SYSKEY
>> feature
>
>> I
>> was hoping to protect the cache entries stored on those machines.
>> The thing is, I was planning to make EFS available for the laptops (XP
>> sp1).
>> The problem is, if the attacker can crack the passwords (after dumping
>> the
>> cache entries with CacheDump), he gets access to the EFS files.
>> That's why this password security thread had me worry.
>> Thanks
>>
>> P.
>
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:01 EDT