SafeGuard LAN Crypt Administration - Can a system administrator access encrypted data?

  • Article ID: 107142
  • Updated: 28 Sep 2010

Product
SafeGuard LAN Crypt v.3.13 and above.

Important: SafeGuard LAN Crypt v.3.13 retires on September, 30th 2010. We recommend you update your version as soon as possible – for further information please contact your Sophos sales representative.

Client OS
Windows 2000 Professional, Windows XP

Question
Can a system administrator access encrypted data?

Answer
Under certain circumstances a system administrator may be able to change a user's Windows logon password which then allows them to log on as that user. This could also give them access to files that were encrypted with LAN Crypt.

This is possible under Windows NT and Windows 2000 as long as Microsoft CSP is being used, and if the High security level is ==> not <== set for the certificates.

The system must be configured securely so that this weak point of Microsoft CSP cannot be exploited. You can do this in one of the three following ways:

1. Activate "high security“ in Microsoft CSP.

If you activate high security when importing the key an additional password prompt is displayed every time the LAN Crypt profile is loaded (after the Windows logon). The user can define this password themselves after the first time the key is imported. To activate this option, this Registry key is set on the client:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Utimaco\SafeGuard Universal Token Interface]
-> "CertUserProtected"=dword:00000001

After logon the security level must be set to "High".

2. Use a smartcard or a token (because the private key is then stored on the data medium itself) or alternatively use a different CSP (for example, Entrust ESP and others).

3. Use Windows XP or higher.


 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments