Click here to get back home

EFS and WebDAV - Secure Solution?! - Part 2
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
EFS and WebDAV - Secure Solution?! - Part 2 Jiriki 10-06-2006
Posted by Jiriki on October 6, 2006, 3:44 am
Please log in for more thread options
 Hello,

as I wrote in
http://groups.google.de/group/microsoft.public.windows.server.security/browse_frm/thread/094ebf41821513d9/791e05d4b9ac236b?tvc=1&

documents do no stay encrypted if you copy the file to a WebDAV folder
that is connected using a ssl connection (https). Everything works fine
as long as you use http only. ("files may be encrypted locally on the
client and then transmitted as a raw encrypted file to the WebDAV
server" see:
"http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx")

Today I learned that this is not a problem of the Internet Explorer
alone, it also happens if you use the Windows Explorer to connect to
the WebDAV folder. So I assume it is a weakness of the underlying
WebClient service.

Microsoft claims "EFS with WebDAV folders provides simple and secure
ways for individual and corporate users to share sensitive data across
insecure networks."

I'm not quite sure about that any more.

- Jiriki


Posted by karl levinson, mvp on October 6, 2006, 10:27 am
Please log in for more thread options
> Hello,
>
> as I wrote in
>
http://groups.google.de/group/microsoft.public.windows.server.security/browse_frm/thread/094ebf41821513d9/791e05d4b9ac236b?tvc=1&
>
> documents do no stay encrypted if you copy the file to a WebDAV folder
> that is connected using a ssl connection (https). Everything works fine
> as long as you use http only. ("files may be encrypted locally on the
> client and then transmitted as a raw encrypted file to the WebDAV
> server" see:
> "http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx")
>
> Today I learned that this is not a problem of the Internet Explorer
> alone, it also happens if you use the Windows Explorer to connect to
> the WebDAV folder. So I assume it is a weakness of the underlying
> WebClient service.
>
> Microsoft claims "EFS with WebDAV folders provides simple and secure
> ways for individual and corporate users to share sensitive data across
> insecure networks."
>
> I'm not quite sure about that any more.

You might email this issue to secure@microsoft.com. If it is a security
flaw, they will research it for free, tell you and fix it.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info



Posted by Jiriki on October 10, 2006, 3:19 am
Please log in for more thread options
Hello,

thank you for your reply. I send the case to the email address today.

Actually I informed our Microsoft technical account manager about this
weakness. In return the technical support clerk send me a bill
(forecast) for 6 hours engineering and I wasn't willing to pay for it.
So they closed the case. That was really a bit disapointing.

- Jiriki


karl levinson, mvp schrieb:

> > Hello,
> >
> > as I wrote in
> >
http://groups.google.de/group/microsoft.public.windows.server.security/browse_frm/thread/094ebf41821513d9/791e05d4b9ac236b?tvc=1&
> >
> > documents do no stay encrypted if you copy the file to a WebDAV folder
> > that is connected using a ssl connection (https). Everything works fine
> > as long as you use http only. ("files may be encrypted locally on the
> > client and then transmitted as a raw encrypted file to the WebDAV
> > server" see:
> >
"http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx")
> >
> > Today I learned that this is not a problem of the Internet Explorer
> > alone, it also happens if you use the Windows Explorer to connect to
> > the WebDAV folder. So I assume it is a weakness of the underlying
> > WebClient service.
> >
> > Microsoft claims "EFS with WebDAV folders provides simple and secure
> > ways for individual and corporate users to share sensitive data across
> > insecure networks."
> >
> > I'm not quite sure about that any more.
>
> You might email this issue to secure@microsoft.com. If it is a security
> flaw, they will research it for free, tell you and fix it.
>
> --
> kind regards,
> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
> --------------------------------
> Microsoft Security FAQ:
> http://securityadmin.info


Posted by Jiriki on October 10, 2006, 3:19 am
Please log in for more thread options
Hello,

thank you for your reply. I send the case to the email address today.

Actually I informed our Microsoft technical account manager about this
weakness. In return the technical support clerk send me a bill
(forecast) for 6 hours engineering and I wasn't willing to pay for it.
So they closed the case. That was really a bit disapointing.

- Jiriki


karl levinson, mvp schrieb:

> > Hello,
> >
> > as I wrote in
> >
http://groups.google.de/group/microsoft.public.windows.server.security/browse_frm/thread/094ebf41821513d9/791e05d4b9ac236b?tvc=1&
> >
> > documents do no stay encrypted if you copy the file to a WebDAV folder
> > that is connected using a ssl connection (https). Everything works fine
> > as long as you use http only. ("files may be encrypted locally on the
> > client and then transmitted as a raw encrypted file to the WebDAV
> > server" see:
> >
"http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx")
> >
> > Today I learned that this is not a problem of the Internet Explorer
> > alone, it also happens if you use the Windows Explorer to connect to
> > the WebDAV folder. So I assume it is a weakness of the underlying
> > WebClient service.
> >
> > Microsoft claims "EFS with WebDAV folders provides simple and secure
> > ways for individual and corporate users to share sensitive data across
> > insecure networks."
> >
> > I'm not quite sure about that any more.
>
> You might email this issue to secure@microsoft.com. If it is a security
> flaw, they will research it for free, tell you and fix it.
>
> --
> kind regards,
> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
> --------------------------------
> Microsoft Security FAQ:
> http://securityadmin.info


Posted by karl levinson, mvp on October 20, 2006, 11:06 pm
Please log in for more thread options
That's wrong. You could escalate and demand a manager. I could be
mistaken, but it seems to me they should want to see if they can replicate
the security problem.

If you send it to secure@microsoft.com, they will never charge you.


> Hello,
>
> thank you for your reply. I send the case to the email address today.
>
> Actually I informed our Microsoft technical account manager about this
> weakness. In return the technical support clerk send me a bill
> (forecast) for 6 hours engineering and I wasn't willing to pay for it.
> So they closed the case. That was really a bit disapointing.
>
> - Jiriki
>
>
> karl levinson, mvp schrieb:
>
>> > Hello,
>> >
>> > as I wrote in
>> >
http://groups.google.de/group/microsoft.public.windows.server.security/browse_frm/thread/094ebf41821513d9/791e05d4b9ac236b?tvc=1&
>> >
>> > documents do no stay encrypted if you copy the file to a WebDAV folder
>> > that is connected using a ssl connection (https). Everything works fine
>> > as long as you use http only. ("files may be encrypted locally on the
>> > client and then transmitted as a raw encrypted file to the WebDAV
>> > server" see:
>> >
"http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx")
>> >
>> > Today I learned that this is not a problem of the Internet Explorer
>> > alone, it also happens if you use the Windows Explorer to connect to
>> > the WebDAV folder. So I assume it is a weakness of the underlying
>> > WebClient service.
>> >
>> > Microsoft claims "EFS with WebDAV folders provides simple and secure
>> > ways for individual and corporate users to share sensitive data across
>> > insecure networks."
>> >
>> > I'm not quite sure about that any more.
>>
>> You might email this issue to secure@microsoft.com. If it is a security
>> flaw, they will research it for free, tell you and fix it.
>>
>> --
>> kind regards,
>> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
>> --------------------------------
>> Microsoft Security FAQ:
>> http://securityadmin.info
>



Similar ThreadsPosted
Is Welfare Part of Capitalism? March 29, 2006, 11:16 pm
Prevent access to server for computers not part of domain January 22, 2007, 11:56 pm
WebDav, https and Encrypted file system September 20, 2006, 10:01 am
Hiding folders that a user does not have rights to access - WebDAV January 2, 2008, 2:37 pm
Re: Windows Media Player Remote Code Execution (923689) - sfpcopy. - sfpcopy.ex_ (0 Part File) July 6, 2007, 7:09 pm
Solution for securing VPN/IAS using 2-factor SMS Authentication June 11, 2005, 1:37 pm
IISADMPWD solution for AD expired password ? December 7, 2007, 10:30 am
Web Browser Password Change Solution Needed September 13, 2007, 10:56 am
Telnet session "Shell process may not have been launched" (Solution) June 21, 2005, 2:53 pm
how can I make money off my ultimate security solution for servers April 16, 2007, 4:32 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap