Oct 11 2019 12:18 PM
Oct 11 2019 12:18 PM
Hi all, I'm looking for some advice.
We have a Windows server which contains some high security files that almost nobody in the organization should be able to open.
To store those files, we setup a special account, created a directory which only that account has access to, encrypted that directory with EFS under that account, archived the EFS keys to a USB key to be put in a safe deposit box, and deleted them from the server.
However, I believe that a regular domain administrator can just change the password on the account, login under that account, and get access to all those files. Am I wrong?
If I am not wrong, then how do we prevent that? Is there any way to prevent domain admins from having the ability to change passwords ? We need domain admins to have access to that server for
regular maintenance issues, performing upgrades of server applications, etc.
Thanks for your advice,
Oct 12 2019 07:36 AM
Oct 13 2019 10:05 PM
Oct 14 2019 12:58 AM
Oct 14 2019 03:11 AM - edited Oct 14 2019 04:32 AMSolution
@lewinr You don't need to prevent a password reset. EFS encrypts files with a private key that is stored and encrypted with the users accounts password. If someone resets the password of the user account, access to this private key will be lost and EFS encrypted files cannot be decrypted.
Your method already protects against administrative accounts.
That being said, for high security you have to think about other attack scenarios that could potentially be a breach: stealing the password (key logger for example) or stealing the hash and cracking the password would be the first two that come to mind. Both can be done from someone that has administrative privileges on the mentioned server.
To protect against this kind of attacks you have different options:
To sum it up for your service-account case:
The following is just for information and will not necessarily help you with your special case (service account needs access):
Additionally you can use Bitlocker instead of EFS to protect sensitive data. Use a separate Data-Volume (physical or virtual disk, depending on the server) and encrypt this volume with Bitlocker. Make sure the only KeyProtector for this volume is a Smartcard certificate. Only the person owning the physical Smartcard can mount this volume and the private-key never touches the server. This way not even an administrator can access the encrypted volume without first stealing the physical Smartcard AND getting the PIN.
In both cases (EFS and Bitlocker) you have to double-check that no additional protectors are present. If some Administrator already implemented EFS-Recovery in the domain, you will always have an additional Recovery-Certificate placed on all EFS-encrypted files and the person with access to this recovery certificate can decrypt all EFS-encrypted files inside the domain. You can check this in the advanced properties -> details of an encrypted file.
Same goes for Bitlocker. Domain policies could be implemented that will place additional Keyprotectors on your Bitlocker-Volumes. Especially Bitlocker-Recovery-Certificates and Recovery Passwords which get sent to ADDS for storage would be a problem.
If you set up everything correctly, it is practically impossible for any administrative account to get access to your encrypted data.
Of course there is much more to this whole topic than can be written in a single post. This information should get you started in a good direction though. If you really have such high-value data in your company, and you don't have the expertise to implement high-security configurations, I recommend outsourcing this to a company with lots of experience in this field.
It is much to easy to misunderstand technologies or overlook something important. But if all you need is to lock out some normal admins from accessing specific files, you should be able to do so with the information above.
Oct 16 2019 02:41 AM
Vielen Dank für diese ausführliche Überlegungen, da ich auch bei uns im Unternehmen den Daten- und Serverschutz überprüfen muss. Zum Teil habe ich mir die gleichen Überlegungen gestellt, und der Firma vorgeschlagen die Domänen-Administator Konten auf so wenig wie möglich Admins zu vergeben (max.2), alles über Gruppenmitgliedschaften zu steuern, und auch lieber unsichere Clients wie XP oder win7 in eigene Bereiche auszulagern, bis die Umstellung auf win10 abgeschlossen ist.
Admin Gruppen gibt es zum Glück genug beim ADDS, um auch anderen Admins genug Rechte geben zu können.