SafeGuard LAN Crypt Administration - Can a system administrator access encrypted data?

  • Article ID: 107142
  • Updated: 02 Oct 2014

Product
All supported versions of SafeGuard LAN Crypt Client.

Client OS
All supported operating systems

Question
Can a system administrator access encrypted data?

Answer
Under certain circumstances a system administrator can reset a user's Windows logon password and then log on as that user. Because the LAN Crypt profile, and with it the user's private key, is loaded automatically after the Windows logon, this can also give the administrator access to the files that were encrypted with LAN Crypt.

This is possible only when the Microsoft CSP is used to hold the private key AND the CSP's "High" security level is NOT set for private key access.

Configure the system so that this weakness of the Microsoft CSP cannot be exploited. There are three ways to do this:

1. Activate "high security" in the Microsoft CSP.

If you activate high security when importing the key, an additional password prompt appears every time the LAN Crypt profile is loaded (after the Windows logon). The user chooses this password themselves the first time the key is imported; it is independent of the Windows logon password, so resetting the logon password does not bypass it. To enable this option, set the following Registry value on the client:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Utimaco\SafeGuard Universal Token Interface]
"CertUserProtected"=dword:00000001

After logon, the security level must then be set to "High" when the key is imported; setting the Registry value alone does not select it.

2. Use a smartcard or a token, so that the private key is stored on the device itself and never in a software key container on the PC, or alternatively use a different CSP (for example Entrust ESP and others).

3. Use Windows XP or higher. From Windows XP on, an administrative password reset (as opposed to a password change by the user) no longer gives the account access to key material that was protected under the old password, so the reset account cannot unlock a software key container. Note that this holds for local accounts; for domain accounts the domain controller can recover the user's protected keys after a reset, so options 1 and 2 remain the stronger choice.
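The following PowerShell script is an added example for option 1 and is not Sophos or Utimaco code. It audits a client for the CertUserProtected policy value named above and sets it if it is missing or not 1; the Registry path and value name come from this article, the function names are the author's own. It must be run from an elevated shell because the value lives under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not Sophos/Utimaco code): audit and enforce the CertUserProtected
# policy value from this article. Function names are the author's own.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Utimaco\SafeGuard Universal Token Interface'
$ValueName  = 'CertUserProtected'

function Get-LanCryptKeyProtection {
    # Reports whether the policy value exists and is set to 1.
    $value = $null
    if (Test-Path -LiteralPath $PolicyPath) {
        $item  = Get-ItemProperty -LiteralPath $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$ValueName }
    }
    [pscustomobject]@{
        Path     = $PolicyPath
        Value    = $value
        Enforced = ($value -eq 1)
    }
}

function Set-LanCryptKeyProtection {
    # Creates the policy key if needed and sets the DWORD to 1 (requires elevation).
    if (-not (Test-Path -LiteralPath $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Get-LanCryptKeyProtection
}

$state = Get-LanCryptKeyProtection
if (-not $state.Enforced) {
    Write-Warning ("CertUserProtected is not enforced (current value: {0}); " -f $state.Value +
                   "CSP key containers will load after the Windows logon without an extra password.")
    Set-LanCryptKeyProtection | Format-List
} else {
    Write-Output 'CertUserProtected=1 is in place. The user must still choose the "High" security level when the key is imported.'
}
```

Setting the value only makes the extra password prompt available; it does not retroactively protect a key container that was already imported at a lower security level, so re-import the key (or verify the level chosen at import) on clients that were enrolled before the policy was applied.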


If you need more information or guidance, then please contact technical support.
