Deploying EFS: Part 1
John Morello

Security Watch, TechNet Magazine, April 2007, page 73

By now, everyone has heard reports about personal or sensitive data being lost because of laptop theft or misplacement. Laptops go missing on a regular basis. With identity theft on the rise and regulatory compliance more critical than ever, the thorough protection of data on mobile computing systems is essential.

One answer is to use Encrypting File System (EFS), included in Windows since Windows 2000, which provides built-in, high-performance, disk-based encryption. EFS integrates seamlessly with Windows Explorer so end users often won't even know when a file they're using is encrypted. Additionally, EFS works equally well with native Windows authentication and access-control technologies so that users don't need to remember separate passwords to access their data. Finally, EFS provides manageable options for recovering data in cases where a user may lose access to his encryption keys (such as if his user profile is deleted or damaged or his smart card is lost).

EFS uses the built-in cryptography technology in Windows to generate, store and deploy strong encryption keys to protect data. In Windows XP Service Pack 1 (SP1) and later versions, EFS utilises the Advanced Encryption Standard (AES) algorithm with a 256-bit key to encrypt data on disk. These symmetric keys are then protected with an asymmetric (RSA) key pair. EFS encrypts each file with its AES key, then encrypts this key with the user's RSA key and stores the result in the file. For more information on EFS cryptography, see the 'EFS resources' sidebar. For now, I'll focus not on the technical underpinnings of EFS but rather on how to deploy it and make it viable in your environment. For this reason, the article assumes a prior knowledge of EFS cryptography concepts.

EFS resources
You can get lots more information on EFS particulars and best practices by visiting the following sites.
- Why you shouldn't be using passwords of any kind on your Windows networks
- Implementing Key Archival Walkthrough
- Encrypting File System in Windows XP and Windows Server 2003

A note on EFS security
There are some applications that claim to be able to crack or break EFS encryption. None of these applications actually decrypt the AES (or Data Encryption Standard, DES, or Expanded Data Encryption Standard, DESX) encrypted ciphertext, but rather gain access to the user's EFS private key by brute-forcing the user's password. The important thing to keep in mind about EFS encryption is that the private keys used to generate and protect the encrypted data utilise the Data Protection API (DPAPI). DPAPI uses derivatives of a user's logon credentials to protect data, so the end result is that data protection with EFS is only as good as the user's password. With Windows Vista, you can now store EFS encryption certificates on smart cards, which changes this paradigm and greatly increases the relative security of EFS-protected data.

How long does a password need to be to be resistant to these attacks? Given today's hardware capabilities and modern password attack algorithms, an 11-character or greater password (or, more
correctly, passphrase) is recommended. An 11-character or longer passphrase is highly resistant to today's most advanced methods, including precomputed hash attacks (such as Rainbow Table; see the blog posting 'Why you shouldn't be using passwords of any kind on your Windows networks' listed in the 'EFS resources' sidebar for more information).

To PKI or not to PKI?
One of the most common misconceptions about EFS is that it requires a public key infrastructure (PKI) to work. While EFS can easily integrate with and take advantage of a PKI should your organisation already have one, it is by no means a requirement. That said, the decision regarding whether or not to use a PKI in your EFS deployment will impact many future deployment decisions, so it should be examined first.

The primary advantage of using a PKI with EFS is the ability to perform key archival and recovery. Whereas EFS alone will allow administrators to perform data recovery, automatic key recovery is only available with a PKI, and even then, only when running Windows Server 2003 Enterprise Edition as your Certificate Authority (CA). Data recovery is the process in which a user who loses access to his encryption key can provide his encrypted data to a designated administrator known as a Data Recovery Agent (DRA), who can then either decrypt that data and return it to the user or re-encrypt it for use with a new private key. The DRA works as a shadow to the user's encryption process, whereby everything that the user encrypts with his key is also encrypted with a copy of the DRA key. Thus, when the user's key is lost, the DRA can step in, get the ciphertext data, apply the DRA key to it for decryption (or re-encryption), and then return the data to the user. The DRA approach works well, but can be difficult to manage if the user has encrypted large amounts of data or does not have local IT staff to act as DRAs.

Key recovery, on the other hand, requires that the CA make a copy of the user's encryption key during the key creation process and securely store the copy of that key in the CA's database. Then, when a user loses access to encrypted files, the CA administrator only needs to go into this database and retrieve the user's key. At that point, the user will immediately have access to his data again without having to have a DRA recover it for him. When done this way, key recovery can be faster and more efficient. Note, however, that a best practice is to always have DRAs in place, even when using key recovery, to provide a backup mechanism for key loss events. This also allows large organisations to have a distributed recovery system where local IT administrators can recover users' data without having to ever involve the PKI administrators group.

Another potential benefit of using a PKI with EFS is to facilitate easier sharing of encrypted files. Recall that EFS is not limited solely to laptop systems; it can be equally valuable in any situation where the physical security of a computer cannot be guaranteed. In these situations, there may be a need for multiple users to access the same encrypted data. While Windows support for sharing encrypted files is somewhat limited because it only allows for sharing individual files, not directories, it can be a useful tool. To facilitate sharing of EFS files, the user who is sharing the file must have access to the public keys of the users he is sharing with (which is easiest if those users have a valid EFS certificate published to their account in Active Directory). While it is possible to perform this publishing manually, using a Windows CA installed in Enterprise (Active Directory-integrated) mode makes the process fully automated.

Figure 1 EFS with Key Archive
Figure 2 Supersede the basic EFS
Figure 3 Setting EFS user permissions

EFS key management
If you have a Windows Server 2003-based PKI available to use, generating users' EFS certificates is a simple
process. A Windows Server 2003 CA comes with a default set of certificate templates, including one called Basic EFS. However, this template is a version 1 template and does not support key archiving. So, before making it available on your CA, you will want to duplicate the template to create a new version 2 template (for example, you could call it EFS with Key Archive, as shown in Figure 1). On this new template, go to the Request Handling tab and select the option to archive the user's encryption key. Note that you'll need to have key archiving properly configured on the CA before enabling this option. The resources section includes an excellent walkthrough of the process. You should also set this template to supersede the Basic EFS template to ensure that clients will use this new version (see Figure 2).

Next, you'll need to set the proper permissions on the template to allow the right set of users to have enrol access to it. Because the EFS component in Windows will automatically request a certificate the first time EFS is used, you do not typically need to allow users to autoenrol against the EFS template. In fact, I'd recommend against enabling autoenrolment for EFS certificates unless you're sure that all autoenrolled users will be using EFS. Figure 3 shows the EFS enrolment settings. By issuing certificates to users who may never use EFS, you're increasing the size of your CA database for no benefit. Though the CA database itself isn't limited in size, it can become more difficult to manage (particularly through the Microsoft Management Console, or MMC) as you increase the number of certificates issued.

Finally, if you need to support the sharing of encrypted files, you may want to have the CA automatically publish the user's certificate to Active Directory.

Once you have configured the template properly on your CA, the first time a user goes to encrypt a file with EFS, he will get his certificate from your CA and your CA will automatically archive his private key.

Figure 4 Running cipher /r

DRA key management
The next question to consider if you have a PKI in place is whether or not to utilise CA-generated DRA certificates. Why would you not want to use DRA certificates from your PKI? Consider a scenario where you have an issuing CA with a fairly short certificate validity period (two years or less). That CA will not be able to issue any certificates with validity lifetimes longer than its own, which would mean that your DRA certificates would have (at most) a two-year lifespan. This can result in a significantly more complex data recovery scenario. This hypothetical example is illustrated in the following scenario.

1. A user encrypts a file in January 2006; the DRA certificates that are pushed down to her machine via Group Policy have a two-year span (they expire in January 2008).
2. The user continues working with EFS, encrypting new files.
3. In January 2008, the DRA certificates expire and the administrator then pushes down new certificates via Group Policy.
4. Any encryption operations from here on utilise the new DRA certificates (including any files she opens that were encrypted with the old DRAs; when they're saved, they'll utilise the new DRAs), but any files she does not touch going forward will still be protected only with the old DRAs.
5. The user accidentally damages her profile and requires data recovery.
6. The IT administrator must now have two sets of DRA certificates: the new ones for any files touched since Step 3 and the old one for any files not touched since then.

While it is possible for the IT administrator to run a script after Step 3 to update all files with the new DRA (using cipher.exe /u), this can be a time-consuming process. Also, to be clear, the DRA keypairs aren't useless after they've reached their expiration date, although the EFS component will not allow any new encryption operations if an expired DRA certificate is included in its recovery policy. Old files encrypted with expired DRA keypairs can, of course, still be recovered by them. Thus, DRA keypairs should never be discarded, even after their validity lifetime has expired; you simply don't know when you'll need to use them.

For these reasons, I recommend that environments that have CAs with short certificate lifespans employ self-signed DRA certificates with longer lifespans. The cipher utility includes a switch (cipher.exe /r) that automatically creates EFS recovery agent keypairs with a lifetime of 100 years (see Figure 4).
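The six-step scenario and the cipher.exe /u remedy above, as an added example that is not code from the article or from Microsoft: a small Python model of which DRA certificates each encrypted file carries, the rule that EFS refuses new encryption operations while an expired DRA certificate sits in the recovery policy, and why the expired keypair must still be kept. Certificate names, dates and file names are constructed for illustration; the same expiry check is what stops encryption domain-wide when the default three-year DRA certificate is left in place.

```python
"""Model of the DRA-expiry scenario (added example, not a real EFS
implementation).  Each file remembers the DRA set from the policy in force
when it was last written; recovery needs one of those keypairs, whatever
the certificate's expiry date is today."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class DraCert:
    """A DRA certificate; the object also stands in for its private key."""
    name: str
    not_after: date          # constructed validity end

    def expired(self, today: date) -> bool:
        return today > self.not_after


@dataclass
class EncryptedFile:
    path: str
    dras: frozenset          # DRAs whose copy of the file key was stored at last write


class EfsPolicyError(Exception):
    """EFS refuses new encryption while the recovery policy holds an expired DRA."""


@dataclass
class Workstation:
    recovery_policy: tuple   # DraCert objects currently delivered by Group Policy
    files: dict = field(default_factory=dict)

    def _check_policy(self, today: date) -> None:
        expired = [c.name for c in self.recovery_policy if c.expired(today)]
        if expired:
            raise EfsPolicyError(f"expired DRA certificate in recovery policy: {expired}")

    def encrypt(self, path: str, today: date) -> None:
        """A new encryption, or a save of an already-encrypted file: either way
        the file's stored DRA set is rewritten from the *current* policy."""
        self._check_policy(today)
        self.files[path] = EncryptedFile(path, frozenset(self.recovery_policy))

    def touch_all(self, today: date) -> None:
        """Rough equivalent of cipher.exe /u: re-save every encrypted file."""
        for path in list(self.files):
            self.encrypt(path, today)

    def recover(self, path: str, dra: DraCert) -> bool:
        """Recovery only needs a DRA keypair stored in the file; whether that
        certificate has since expired is irrelevant."""
        return dra in self.files[path].dras


def run_scenario() -> dict:
    """Steps 1-6 of the article's scenario, then the cipher /u remedy."""
    old_dra = DraCert("DRA-2006", not_after=date(2008, 1, 31))   # two-year cert
    new_dra = DraCert("DRA-2008", not_after=date(2010, 1, 31))
    ws = Workstation(recovery_policy=(old_dra,))

    # Steps 1-2: files encrypted while the 2006 DRA is in policy.
    ws.encrypt("budget.xls", date(2006, 1, 15))
    ws.encrypt("notes.doc", date(2007, 6, 1))

    # Step 3, before the administrator reacts: the DRA has expired but is
    # still in policy, so EFS blocks any new encryption operation.
    blocked = False
    try:
        ws.encrypt("new.doc", date(2008, 2, 1))
    except EfsPolicyError:
        blocked = True

    # Steps 3-4: new DRA pushed via Group Policy; the user creates one file
    # and re-saves one old file, but never touches budget.xls.
    ws.recovery_policy = (new_dra,)
    ws.encrypt("new.doc", date(2008, 2, 1))
    ws.encrypt("notes.doc", date(2008, 3, 1))

    # Steps 5-6: after the profile is damaged, which keypair does recovery need?
    needs_old = sorted(p for p in ws.files
                       if ws.recover(p, old_dra) and not ws.recover(p, new_dra))
    needs_new = sorted(p for p in ws.files if ws.recover(p, new_dra))

    # Remedy: cipher.exe /u after the policy change moves every file to new_dra.
    ws.touch_all(date(2008, 4, 1))
    after_update = sorted(p for p in ws.files if ws.recover(p, new_dra))
    return {
        "blocked_while_expired": blocked,
        "needs_old_dra": needs_old,
        "needs_new_dra": needs_new,
        "after_cipher_u": after_update,
    }


if __name__ == "__main__":
    print(run_scenario())
```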
The certificate from this keypair can then be attached to Group Policy Objects (GPOs) and used as a DRA throughout your organisation. Because the EFS component does not check the trust chain of DRA certificates, these self-signed certificates will work without having to make any changes to the list of Trusted Root Certificate Authorities on your systems. Regardless of the lifespan of an organisation's CA, I always recommend creating at least one long-lived DRA certificate and attaching it to a domain-wide GPO. This is the fallback data recovery option to use in case all other options fail. This is particularly vital if you're using CA-generated DRA keys in the absence of a CA key archive. Should a DRA certificate ever be compromised, you can update the GPO with a new certificate and use cipher.exe /u as discussed earlier to update your files.

KRA and DRA deployment
Key archiving provides the ability for CA administrators to recover escrowed encryption keys on the user's behalf. Obviously, this is a very sensitive and powerful capability because it can allow a CA administrator to decrypt any data in the organisation that utilises a key signed by the CA. Thus, key archiving and recovery should be treated carefully and only a small number of trusted security personnel should be given this permission. Because of the sensitive nature of key recovery, if you'd like to rely on it as your primary mechanism for regaining access to EFS-encrypted data, it's important to have a clearly defined escalation process for recovery requests to be sent to your CA administration team. Only after the request has been carefully vetted should the recovery process be initiated. Then, once the key is actually recovered, it should be provided to the user via a secure method (in other words, not through e-mail) since the recovered key provides access to all the user's EFS-protected data.

Key Recovery Agent (KRA) keys are generated and held by CA administrators and are not advertised via Group Policy. In fact, EFS itself can't determine whether or not a key it utilises has been archived; it simply performs its encryption operations as it normally would. Additionally, the KRA keys created on the CA are not specific to EFS in any way. A CA using key archiving will have n number of KRA keys attached to it at the CA level that will be used to protect any key archived by the CA. These keys can include those used with EFS, secure e-mail, or any other certificate purpose that includes encryption. KRA keys should be securely stored by the individual key recovery agents and there should be at least two KRAs used to provide a fallback in case one of the keys is lost.

Figure 5 Multitier DRA deployment: Contoso Domain (DRA A, DRA B) > Contoso North America > Contoso North America US (Contoso NA US DRA A, Contoso NA US DRA B) > Contoso North America US Baton Rouge (Baton Rouge DRA A, Baton Rouge DRA B)

The first time an administrator logs on to the domain controller in a newly created domain, a default recovery policy will be created at the domain level using a self-signed certificate and keypair stored in the administrator's profile on the DC. This DRA certificate will have a validity lifetime of three years. The recommended approach is to remove this default certificate and replace it with longer-lived self-signed certificates or certificates issued from your PKI. If you do not remove this default self-signed certificate, three years after its creation EFS will stop encrypting new files throughout your domain. This is because the certificate will have expired and EFS will prevent the encryption of any further data when an expired DRA certificate is included in its recovery policy. While it is possible to operate Windows XP and later systems with no recovery agent policy
in place, this is strongly discouraged. Doing so means that if a user loses access to his encryption key for any reason and key recovery isn't possible, all his data will be irrevocably lost.

As I've said, DRA keys can be either self-signed or issued from a CA. In most cases, a hybrid approach is best, with at least two long-lived, self-signed DRAs used enterprise-wide as a recovery agent of last resort. Because DRA certificates are deployed via Group Policy Objects, they possess the same inheritance capabilities as other GPOs. In other words, the standard Local, Site, Domain, organisational unit (OU) GPO accumulation and application algorithm that controls the application of other GPO settings also applies to DRAs. Thus, an organisation can easily implement a tiered approach to DRAs, where the central IT group has DRA access to every part of the enterprise, but where local IT groups also maintain the ability for their specific areas of responsibility. This is a particularly valuable asset in large, geographically dispersed organisations since it alleviates the need to transfer large amounts of encrypted data over WAN links to facilitate data recovery. Figure 5 illustrates a typical DRA deployment with multiple tiers.

In this case, a user in the Baton Rouge OU would end up with six

[...]

the true owner of the data. Once that is done, the DRA would load the DRA certificate, decrypt (and preferably re-encrypt) the data, and then send the data back to the end user. Some organisations also choose to perform local recovery, where the DRA would physically visit the problem user, load his DRA keypair into the profile, then decrypt the data and remove the keypair. The user would then have access to the data in plaintext form and could re-encrypt it with a new key. It should be noted that this approach is far less secure because the DRA keypair is copied (though temporarily) to the local machine, but it can save some time, particularly if a great deal of data must

[...]

this key into his profile and would then have immediate access to all his encrypted data.

Because the DRA and KRA keypairs can be used to decrypt sensitive data, it's important that they be properly protected. DRA and KRA keypairs should not be stored in the normal desktop profiles of administrators (the profiles in which they do their normal daily tasks). Rather, these keypairs should be safely stored offline on floppy, optical or flash media kept in a physically secure location. Then, when recovery is needed, the recovery agent can load the keypair onto a recovery workstation from this media, perform the recovery operation, then remove the keypair. In some particularly security-sensitive organisations, dedicated workstations are designated for recovery to further increase the security of these keypairs, but this is not a requirement for all organisations.

Next time
Now that I've examined the key management, data recovery, and Active Directory sides of EFS planning, I'll focus on client-side deployment questions in Part 2 of this topic, coming soon. There I will cover topics such as controlling EFS usage through Group Policy, choosing what to encrypt, automatically encrypting data through
           DRAs for each encrypted file: two from      be recovered.                                logon scripts, and client-side enhance-
           his local administrators, two from the         Note that if recovery were to be pro-     ments for Windows Explorer to make
           North America IT group and two from         vided to the user through key archiving      working with EFS-protected data
           the domain level. Thus, if the user was     and recovery, the recovery request           even easier.                         ■
           to lose access to his encrypted data,       would be handled entirely separately
           he could have it recovered by a local       from this process. Instead of utilising
           DRA in Baton Rouge or by the North          a DRA at all, the user’s key recovery re-
           America IT group. As a final fallback,      quest would go to the CA administra-
           if these four DRAs were unavailable         tors, who must vet the request, then         John Morello graduated summa
           or lost, the domain-level DRAs could        go into the archive and retrieve the us-     cum laude from LSU and has been with
           take over and recover the data as well.     er’s private key. They would then make       Microsoft for six years in a variety of
           Regardless of which DRA performed           this private key available to the user se-   roles. As a Senior Consultant, he has
           the recovery, the process would be es-      curely, such as by placing it on a secure    designed security solutions for Fortune
           sentially the same. The user would first    Web site for download. (If the user          100 enterprises and Federal civilian and
           make the data available to the DRA.         was taking advantage of a smart card         defence clients. He’s currently a Program
           It’s important that the DRA take the        to store his EFS key, available with         Manager in the Windows Server group
           necessary steps to ensure that the re-      Windows Vista, then that key should          working on security and remote access
           quest is legitimate and coming from         also be reissued.) The user would load       technologies.
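Worked example for the DRA recovery procedure described in this section (load the keypair from offline media onto a recovery workstation, decrypt, then remove the keypair). This is an added PowerShell script, not code from the article or from Microsoft. It assumes Windows 8 / Server 2012 or later for Import-PfxCertificate and the Cert: provider's -DeleteKey switch (on the Vista-era systems the article targets, certutil -user -importpfx and the Certificates MMC snap-in fill the same roles); the paths E:\dra\na-it-dra.pfx and C:\recovery are hypothetical, and the parsing of cipher /c output (one "thumbprint:" line per certificate) is an assumption about that tool's format. Before decrypting each file the script runs cipher /c, which lists the recovery certificates stamped on the file (for the Baton Rouge user above there would be six), and skips any file that does not name this DRA; the finally block removes the keypair from the profile even if a decryption fails.

```powershell
# Added example (not from the article): one DRA recovery session on a
# dedicated recovery workstation. Hypothetical: the PFX path on removable
# media and the C:\recovery folder. Requires Windows 8 / Server 2012+ for
# Import-PfxCertificate and Remove-Item -DeleteKey on the Cert: drive.
param(
    [string]$PfxPath  = 'E:\dra\na-it-dra.pfx',   # DRA keypair on offline media (hypothetical path)
    [string]$DataPath = 'C:\recovery'             # encrypted files the user made available (hypothetical path)
)

$ErrorActionPreference = 'Stop'

# Thumbprints that cipher /c reports for one file (both "Users who can
# decrypt" and "Recovery Certificates"), normalised to uppercase hex with no
# separators so they compare equal to X509Certificate2.Thumbprint.
# Assumption: cipher /c prints each certificate on a line containing "thumbprint:".
function Get-EfsThumbprints([string]$Path) {
    $out = & cipher.exe /c $Path | Out-String
    foreach ($line in ($out -split "`r?`n")) {
        if ($line -match 'thumbprint\s*:\s*(.+)$') {
            ($Matches[1] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        }
    }
}

function Test-EfsEncrypted([System.IO.FileInfo]$File) {
    (($File.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# 1. Load the DRA keypair from the offline media into this session's user
#    store. It exists on this workstation only for the length of the session.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the DRA PFX'
$dra = Import-PfxCertificate -FilePath $PfxPath `
                             -CertStoreLocation Cert:\CurrentUser\My `
                             -Password $pfxPassword
$draStorePath = "Cert:\CurrentUser\My\$($dra.Thumbprint)"
Write-Host "Loaded DRA certificate $($dra.Thumbprint) ($($dra.Subject))"

try {
    $targets = Get-ChildItem -Path $DataPath -Recurse -File -Force |
               Where-Object { Test-EfsEncrypted $_ }

    foreach ($file in $targets) {
        # 2. Only touch files whose recovery field names this DRA. Anything
        #    else was encrypted outside this agent's GPO scope and needs a
        #    different DRA (or the key-archive route described in the article).
        if ((Get-EfsThumbprints $file.FullName) -notcontains $dra.Thumbprint) {
            Write-Warning "$($file.FullName): this DRA is not a recovery agent for the file; skipping"
            continue
        }

        # 3. Decrypt in place. /A operates on the file itself rather than its
        #    directory; /H includes hidden and system files.
        & cipher.exe /d /a /h $file.FullName | Out-Null

        if (Test-EfsEncrypted (Get-Item -LiteralPath $file.FullName -Force)) {
            Write-Warning "$($file.FullName): still encrypted after cipher /d"
        } else {
            Write-Host "Recovered $($file.FullName)"
        }
    }
}
finally {
    # 4. Remove the certificate AND its private key from this profile, even if
    #    a decryption failed, so the keypair lives only on the offline media.
    if (Test-Path $draStorePath) {
        Remove-Item -Path $draStorePath -DeleteKey
    }
    if (Test-Path $draStorePath) {
        throw "DRA keypair is still in $draStorePath; remove it before leaving this workstation"
    }
    Write-Host 'DRA keypair removed from the recovery workstation'
}
```

Run it under the recovery account on the recovery workstation after the user has copied the affected files into the data folder; the recovered plaintext is left for the user to re-encrypt with a new key, as the article describes. The thumbprint check before each cipher /d is what distinguishes "this DRA cannot open the file" from "decryption failed", which matters when the tiered GPO model gives a file several recovery agents.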

                                                                                                                      TechNet Magazine April 2007   77