Protect Your Windows Network: From Perimeter to Data

The Case of the Stolen Laptop

It's a huge worry for all organizations. Maybe it's even happened to you (we hope not!). The fear of stolen laptops is palpable. The solution is simple, really: don't let your laptop get stolen. Keep the thing with you at all times, or leave it in your hotel room when you don't want to carry it around. Yes, everyone's heard the warnings about hotel room theft, but neither of us has ever had something stolen from a hotel room and we spend well over 200 nights a year in hotels. (If you travel to a location where the general population has kleptomaniacal tendencies, stay in hotels that offer safes in the room.) You're far more likely to leave your laptop or PDA or smart phone or USB drive lying on the seat in the taxi or on the counter at the bar as you and your new friend depart for the evening.

Yes, there are places where theft is a possibility: conferences and airports are common. Even offices can be unsafe at times. We carry laptop locking cables in our computer bags and use them to lock our laptop to the table whenever we are presenting at conferences and need to be away from the room, but only if we believe the venue to be relatively safe. (Yes, we know this is a subjective judgment.) Occasionally, we don't do that; instead, we pack the computer back in its bag and carry it around if we judge theft to be a danger. At airports, the laptop is either in our lap or in its bag, and the bag is always in hand or on the floor within reach. Try not to fall asleep in the airport; that's what business class seats are for. If you absolutely must sleep at the airport, consider a motion-sensing alarm. But you might be more likely to trigger it yourself as you shift during your slumber.

Whatever you do, don't advertise the fact that you're laden with all the latest and coolest electronic gadgetry. Are you guilty of carrying a laptop, a PDA, a digital camera, an iPod, a mobile phone, and a GameBoy? [9] What do you carry all this in? Be discreet, maybe even invisible: avoid computer-branded carrying cases, Targus and Kensington bags or packs, or anything that gives away your love for all things transistorized. We aren't slamming these companies; indeed, they make many high-quality products. But to carry around bags with their logos is to invite unwanted attention: thieves know these companies sell thousands of logo-emblazoned carrying cases to business travelers carrying the latest desirable electronic gear. Instead, take your kid with you and go shopping for a backpack that'll hold everything you've got. It'll make you feel young again, or at least be a useful educational experience, not to mention give you a chance to replace your shoulder-killing briefcase with something healthier and more ergonomic.

[9] Perhaps we should invest in the stock of battery manufacturers?

Yet, the mobility of laptops demands additional protection of the often critical and confidential data they store. Three features of Windows 2000 and Windows XP can help you keep your information out of the hands of a thief who somehow manages to get hold of your laptop: passwords, EFS, and SYSKEY. Do realize that if you use these features, you'll most likely frustrate the thief so much that he or she will destroy your laptop in anger and disgust; this is far preferable to seeing the development plans and source code of your next killer product posted on Slashdot.

NOTE: We specifically don't discuss ATA hard drive passwords here for two reasons. One, not all laptops expose a method for managing ATA passwords. Two, there is no recovery chance here: if you forget your password, you are out of luck.

Passwords

If your laptop is joined to a domain, then each time you boot it, even when you aren't physically on the corporate network, you still have to enter your network password. Your computer keeps a set of "cached credentials" in your account profile on the hard drive, requiring you to authenticate before gaining access to your data. These credentials are first hashed with MD4, then again with MD5; the second hash creates what's called a "password verifier." Only the verifier is stored; it is protected by the computer's system key (see the section on SYSKEY below for the details) and is highly resistant to tampering.

If your laptop is standalone, you should still use a password for all local accounts on the computer. On non-domain-joined Windows XP computers, the Administrator account initially has no password. Local accounts that lack passwords can't be accessed at all over any network, only when you're physically sitting in front of the computer. Although this is entirely appropriate for home PCs that never roam, it's completely inappropriate for laptops. Local accounts without passwords are like bright neon signs inviting an attacker to come help him or herself to all your information!

A password is required if you want to take advantage of the other two features we describe here. If you don't have passwords on your local accounts, there's really nothing else we can do to help protect your data from theft. And make sure that your password works all the time: some laptop computers don't engage the desktop lock when you put the computer into standby or hibernation modes. [10] Check the configuration of your laptops to ensure that a password is required when resuming. Unfortunately, this is probably not something you can control through Active Directory Group Policy.

[10] Toshiba laptops running Toshiba's custom power control software are one example.

Encrypting Files

Access control lists and permissions can help you protect files that are accessed over the network, but they can't stop someone who has physical access to your computer. Built in to Windows 2000, Windows XP Professional, and Windows Server 2003 is a technology called the encrypting file system (EFS). [11] EFS is transparent to the normal operation of a computer: you don't have to enter passwords to open files or subdirectories. When you log onto your computer, it opens your personal DPAPI master key. (See the section below on SYSKEY for details of key protection.) Then it unlocks your EFS encryption keys and stores them in memory. As you access files, EFS silently decrypts files using the private key associated with your EFS certificate and loads the decrypted file into memory. The file remains encrypted on the hard drive.

[11] This section is only an introduction to EFS to give you a basic understanding of how it works and why it's useful for protecting data kept on laptops. EFS is intricate and requires a thorough understanding to be managed properly. See Microsoft's Web site and Knowledge Base for more information and some very important best practices. Good starting places are "Encrypting file system in Windows XP and Windows Server 2003" (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/CryptFS.mspx) and http://www.microsoft.com/pki.

To encrypt files, just right-click the file or folder in Windows Explorer, choose Properties, click Advanced in the Attributes section, and check Encrypt contents to secure data. Standalone (non-domain-joined) computers generate at least three things: an EFS digital certificate, an associated EFS public/private key pair (both keys are stored in your user profile; the public key is bound to the certificate), and a file encryption key (FEK). If you're encrypting a folder, every file in the folder has its own unique FEK. The folder itself isn't really encrypted, but only marked such that every file it contains will be encrypted. EFS encrypts each file with the file's FEK and then encrypts the FEK with your public EFS key. Future encryption operations generate only the FEKs because you already have an EFS key pair and certificate. We recommend you encrypt the entire My Documents folder so that anything kept in the folder is automatically encrypted.

Decryption runs in reverse: when you open an encrypted file, EFS first obtains the private key associated with your EFS certificate, uses that to decrypt the file's FEK, and then uses the FEK to decrypt the file. This all happens with no dialog boxes or user prompting and doesn't affect applications at all.

On domain-joined computers the behavior differs a bit. If you've implemented a PKI, rather than generating its own self-signed certificate, EFS first requests a certificate from an enterprise certificate authority (but only if that CA knows how to generate EFS certificates). Your computer generates the EFS key pair and associates the public key with the certificate. From there, the process is very similar, except that when you first encrypt a file the computer doesn't need to generate the EFS certificate or keys because you already have them. If you haven't implemented a PKI that knows EFS, or if the request to the CA failed, then the behavior for domain-joined computers is exactly the same as for standalone computers.

The actual file encryption algorithms differ between various versions of Windows. All versions of Windows 2000 support only expanded Data Encryption Standard (DESX). Windows XP RTM [12] can use either DESX (still the default) or Triple-DES (3DES). Windows XP Service Pack 1 (and later) and Windows Server 2003 support Advanced Encryption Standard (AES) plus DESX and 3DES. AES is the default.

[12] "Released to manufacturing," the original release before any service packs.

Recovering Encrypted Files

As you might imagine, using EFS presents some operational issues. You can lose access to encrypted files if you lose your EFS key or if you reset your password. (Password changes work fine, but password resets invalidate EFS keys on Windows XP.) A recovery policy designates one or more certificates to be recovery agents that can help in this situation. Recovery agents can access encrypted files. Windows 2000 mandates a recovery agent either locally or on the domain before you can encrypt files; Windows XP and Windows Server 2003 don't have this requirement.

On standalone Windows 2000 computers, the local administrator becomes the default recovery agent when someone first logs on to the Administrator account. Standalone Windows XP doesn't create a default recovery agent (which eliminates a reason to try to conduct offline attacks against the Administrator account). On domain-joined Windows 2000 and Windows XP computers with a domain EFS policy, the domain administrator is the default recovery agent (DRA). Usually, you'll create a group policy to designate specific certificates as recovery agents; when you do this, those agents replace the DRA.

When you encrypt files, each file's FEK is also protected by the public key of every recovery agent in the recovery policy. So if you lose your key or reset your password, a recovery agent can still access your files. This also proves useful when employees leave your organization; a recovery agent can access all that person's encrypted files and even remove the encryption if necessary. Note that the recovery agent has no access to your EFS keys, so the agent can't impersonate you. The agent can only decrypt files.

If you decide that EFS is valuable for your organization, we encourage you to investigate deploying a Windows Server 2003 PKI using auto-enrollment. Auto-enrollment takes away all the usual human interaction required in managing a PKI, and for EFS you can create certificate templates that combine enrollment with key and data recovery methods (for example, simultaneously enrolling the user and archiving his or her private key). Key archival is a valuable supplement to EFS recovery agents.

EFS Security

Circumventing or cracking EFS is monumentally difficult. [13] Because each file is encrypted with its own key, which is in turn encrypted with the owner's EFS key, which is in turn protected by that user's DPAPI master key, which is in turn protected by the system startup key, breaking into protected files is nearly impossible. Installing a parallel copy of Windows or any other operating system and cracking the SAM won't get you the keys you need to decrypt files, because they aren't stored in the SAM.

[13] In 1999, some researchers wrote a paper describing purported vulnerabilities in EFS in Windows 2000. What they described were in fact not vulnerabilities but conditions that might result in certain poor configurations. The defaults and behavior of EFS were redesigned in Windows XP and Windows Server 2003 to reduce the likelihood of implementing insecure EFS deployments. See "Analysis of reported vulnerability in the Windows 2000 encrypting file system" (http://www.microsoft.com/technet/Security/news/analefs.mspx) for more details.

WARNING: Note the implication: if you aren't using a PKI, or haven't configured your PKI for key archival, you will lose access to your files if you don't back up your EFS certificate and keys! Use the CIPHER /X command-line utility to make your backups and be sure to store them away from the computer, perhaps on a USB drive.

If you're using local recovery agents, it's important also to export the recovery agent's private key to separate storage and then remove the key from the computer. Again, a good choice is a USB drive that's kept separate from the computer. Be sure to protect the exported key with a password (the export process prompts you for one). If a user loses his or her EFS private key, the recovery agent's key on the USB drive can recover the user's files.

There's a chance that EFS might leave plaintext "shreds" of a file on the hard drive. If you encrypt an individual file, EFS first creates a plaintext backup of the file, encrypts the file, and then deletes the backup. Of course, deleting the backup doesn't actually erase the bits from the surface of the disk, meaning that the plaintext contents are still there and could be recovered with disk editing tools. The command-line utility CIPHER /W will wipe unused drive space with three passes: first with 00, then with FF, and finally with random bytes. Better, of course, is to encrypt folders rather than files. All files in the folder remain encrypted all the time; no plaintext shreds are created. This is also important for applications that create temporary files.

Of course, an attacker with physical access could simply replace encrypted files, which would be an interesting form of a denial-of-service attack, but why would someone steal your computer, overwrite your files, and then return your computer? Yes, it can be entertaining to substitute a prank default.html on some unsuspecting Web server, but why would someone replace your marketing plans with pornography and then give you your laptop back? We doubt that's ever happened. Although EFS provides very strong and reliable confidentiality, it isn't designed to provide integrity. Indeed, encryption of any kind never provides integrity. Integrity comes from digital signature technology that usually computes a one-way hash of the content.

Enabling the System Startup Key

Each time a new user is added to a computer, the Windows Data Protection API (DPAPI) generates a master key that's used to protect all other private keys used by applications and services running in that user's context, such as EFS keys, S/MIME keys, and so on. The computer also has its own master key that protects system keys such as IPsec keys, computer keys, and SSL keys. All these master keys are then protected by a computer's startup key. When you boot a computer, the startup key decrypts the master keys. The startup key also protects the local security accounts manager (SAM) database on each computer, the computer's local security authority (LSA) secrets, account information stored in Active Directory on domain controllers, and the administrator account password used for system recovery in Safe mode.

The SYSKEY utility enables you to choose where that startup key is stored. By default, the computer generates a random key and scatters it throughout the Registry; a complex obfuscation algorithm ensures that the scatter pattern is different on every Windows installation. You can change this to one of two other choices: you can continue to use a computer-generated key but store it on a floppy disk, or you can have the system prompt during boot for a password that's used to derive the master key. You can always change between the three modes, but if you've enabled either the key-on-floppy or password modes and you've lost your floppy or forgotten your password, your only recovery option is to use a repair disk to restore the Registry to the state it was in before you enabled the SYSKEY mode. You'll lose any changes between then and now.

Changing SYSKEY to password mode can help protect stolen laptops from information theft. It provides yet another barrier between a determined thief and your data on the hard drive. SYSKEY passwords can range from 1 to 128 characters; we recommend at least 12. The combination of EFS (to protect data) and SYSKEY passwords (additional protection for the EFS keys) can make it computationally infeasible for an attacker to access your data.

WARNING: There now exist at least two tools that can crack key-in-registry SYSKEY. They do, of course, require physical access to the machine, but since we're trying to protect against theft (which is physical access), an attacker can use these tools to obtain the SYSKEY encryption key. After an attacker does that, then he or she can obtain the password hashes of any local accounts in the computer's SAM; domain accounts don't exist in the SAM and are still protected. Therefore, on laptops with sensitive information (and really, isn't that all your laptops?), we strongly urge you to switch to password mode in SYSKEY. In this mode there's no key on the hard drive at all, so there's nothing for these tools to crack.
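The key chain that the EFS, recovery-agent and SYSKEY sections describe (per-file FEK, wrapped for the owner and for every recovery agent; the owner's EFS key under the DPAPI master key; the master key under the startup key, which either sits in the Registry or is derived from a boot password) is easier to reason about as a small model. The following Python is an added illustration written for this page; it is not code from the book and not how Windows implements any of these operations. Its wrap/unwrap stand in for both the file cipher (DESX/3DES/AES) and the RSA wrapping of the FEK, so "public keys" here are symmetric stand-ins; the rule that opening the master key needs both the booted startup key and the user's logon password is the model's own assumption, chosen to match the text's statements that logon opens the master key and that local passwords are a precondition for EFS and SYSKEY to help. All names, passwords and file contents are constructed.

```python
import hashlib
import hmac
import secrets

# Toy primitives: wrap()/unwrap() play the part of the file cipher AND of the
# public-key wrapping of the FEK (real EFS uses RSA for the latter).
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key, data):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key")      # Windows would report access denied
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, 50_000)

# The chain: startup key -> DPAPI master key -> EFS private key -> per-file FEK.
class Laptop:
    def __init__(self, syskey_password=None):
        self.registry = {"startup_salt": secrets.token_bytes(16)}  # lives on disk
        self.profiles = {}          # per-user wrapped key material, also on disk
        self.files = {}             # name -> ({holder: wrapped FEK}, ciphertext)
        self.recovery_policy = {}   # agent name -> agent key (toy "public key")
        if syskey_password is None:                  # key-in-registry mode (default)
            self.registry["startup_key"] = secrets.token_bytes(32)
        self.startup_key = self.boot(syskey_password)

    def boot(self, syskey_password=None):
        if "startup_key" in self.registry:           # scattered through the Registry
            return self.registry["startup_key"]
        # password mode: only a salt is on disk; the key exists in memory after boot
        return _derive(syskey_password, self.registry["startup_salt"])

    def _unlock_key(self, logon_password, salt):
        # Model assumption: the master key opens only with the booted startup key
        # AND the logon password, which is why a passwordless account is fatal.
        return hashlib.sha256(self.startup_key + _derive(logon_password, salt)).digest()

    def add_user(self, user, logon_password):
        salt, master, efs_key = (secrets.token_bytes(n) for n in (16, 32, 32))
        self.profiles[user] = {"salt": salt,
                               "master_key": wrap(self._unlock_key(logon_password, salt), master),
                               "efs_key": wrap(master, efs_key)}

    def logon(self, user, logon_password):
        """Open the DPAPI master key, then the EFS key, as logon does."""
        p = self.profiles[user]
        master = unwrap(self._unlock_key(logon_password, p["salt"]), p["master_key"])
        return unwrap(master, p["efs_key"])

    def add_recovery_agent(self, agent):
        self.recovery_policy[agent] = secrets.token_bytes(32)
        return self.recovery_policy[agent]   # export this and keep it off the laptop

    def encrypt_file(self, efs_key, owner, name, content):
        fek = secrets.token_bytes(32)                # a fresh FEK for every file
        holders = {owner: wrap(efs_key, fek)}        # FEK wrapped for the owner ...
        for agent, agent_key in self.recovery_policy.items():
            holders[agent] = wrap(agent_key, fek)    # ... and for every recovery agent
        self.files[name] = (holders, wrap(fek, content))

    def read_file(self, holder, holder_key, name):
        """Owner or agent: unwrap your own copy of the FEK, then the file."""
        holders, ct = self.files[name]
        return unwrap(unwrap(holder_key, holders[holder]), ct)

SECRET = b"source code of the next killer product"   # constructed sample content

def demo():
    """Exercise the chain in both SYSKEY modes; returns which properties held."""
    lap = Laptop()                                       # key-in-registry mode
    dra_key = lap.add_recovery_agent("dra")
    lap.add_user("alice", "correct horse battery staple")
    alice_key = lap.logon("alice", "correct horse battery staple")
    lap.encrypt_file(alice_key, "alice", "plans.doc", SECRET)
    r = {"owner_reads": lap.read_file("alice", alice_key, "plans.doc") == SECRET,
         "agent_recovers": lap.read_file("dra", dra_key, "plans.doc") == SECRET,
         "startup_key_on_disk": "startup_key" in lap.registry}
    try:                                                 # wrong logon password
        lap.logon("alice", "password1")
        r["wrong_password_rejected"] = False
    except PermissionError:
        r["wrong_password_rejected"] = True
    try:                                                 # agent never gets the owner's EFS key
        unwrap(dra_key, lap.profiles["alice"]["efs_key"])
        r["agent_cannot_impersonate"] = False
    except PermissionError:
        r["agent_cannot_impersonate"] = True
    locked = Laptop(syskey_password="a boot passphrase")  # SYSKEY password mode
    r["password_mode_leaves_no_key_on_disk"] = "startup_key" not in locked.registry
    r["wrong_boot_password_gives_wrong_key"] = locked.boot("guess") != locked.startup_key
    return r

if __name__ == "__main__":
    for name, held in demo().items():
        print(f"{name:40s} {held}")
```

Running `demo()` shows every property the text claims holding at once: the owner and the recovery agent both reach the file through their own wrapped copy of the FEK, the agent's key opens nothing in the owner's profile, a wrong logon password leaves the master key shut, and in password mode the `registry` dictionary holds a salt but no startup key, so there is nothing on disk for a key-in-registry cracking tool to find.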
