SafeGuard LAN Crypt v.3.13 and above.
Important: SafeGuard LAN Crypt v.3.13 retires on September, 30th 2010. We recommend you update your version as soon as possible – for further information please contact your Sophos sales representative.
Windows 2000 Professional, Windows XP
Can a system administrator access encrypted data?
Under certain circumstances a system administrator may be able to change a user's Windows logon password which then allows them to log on as that user. This could also give them access to files that were encrypted with LAN Crypt.
This is possible under Windows NT and Windows 2000 as long as Microsoft CSP is being used, and if the High security level is ==> not <== set for the certificates.
The system must be configured securely so that this weak point of Microsoft CSP cannot be exploited. You can do this in one of the three following ways:
1. Activate "high security“ in Microsoft CSP.
If you activate high security when importing the key an additional password prompt is displayed every time the LAN Crypt profile is loaded (after the Windows logon). The user can define this password themselves after the first time the key is imported. To activate this option, this Registry key is set on the client:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Utimaco\SafeGuard Universal Token Interface]
After logon the security level must be set to "High".
2. Use a smartcard or a token (because the private key is then stored on the data medium itself) or alternatively use a different CSP (for example, Entrust ESP and others).
3. Use Windows XP or higher.