Home page logo

basics logo Security Basics mailing list archives

Re: Windows EFS and Changing a Local Account Password
From: Derek Schaible <dschaible () cssiinc com>
Date: Mon, 17 Jul 2006 07:04:06 -0400

Hash: SHA1

It is my understanding that if a user changes their own password, then EFS functions normally. However, if a computer is a Domain Member and an Admin changes a local account password, the EFS encrypted files are no longer accessible. If a computer is not a Domain Member, then the Local Admin can reset a password and access EFS Encrypted Data.

The issue with the Domain computers is due to the need for a Domain- wide Key Recovery Agent (KRA) With a KRA Certificate, the security maintainer in the organization can access any EFS encrypted data. This prevents a company laptop, encrypted with EFS from being stolen where the Local Admin account is reset via a Viper-like tool. In this scenario, all EFS data is still secure. However, this protection is not afforded to stand-alone or workgroup systems.

Derek Schaible

On Jul 13, 2006, at 11:36 PM, winshel () camden rutgers edu wrote:

Thanks for the replies. I thought I had read somewhere that changing the local account password could lock you out since the encryption was based on the password. I may have misunderstood.

Thanks again for the responses.

Version: GnuPG v1.4.1 (Darwin)


This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]