Protect the Account Database with Syskey

Passwords in the password database are encrypted. Syskey is a utility, enabled by default, that provides additional protection. The Syskey utility does the following:

- Encrypts the password database with a 128-bit cryptographically random encryption key.
- Encrypts that password encryption key with a system key.
- Allows the system key to be stored in one of three ways.

If configured in "not stored" or "stored on floppy disk" mode, Syskey can also protect the system from an unauthorized reboot, because startup cannot complete without the key. There are three options for the storage of the system key:

Locally: A system key is generated by the system and stored on the hard drive using a complex obfuscation algorithm. No intervention is needed at startup. This is the system default. Note that the obfuscation is reversible by anyone who can read the SYSTEM hive offline, so this mode does not protect the SAM against an attacker who obtains a copy of both the SAM and SYSTEM hives.

Not stored: A password must be entered at startup. The administrator implementing this option chooses the system key; if it is forgotten, the system cannot be started. The password can be up to 128 characters long.

Stored on a floppy disk: A system key is generated by the system and stored on a floppy disk. The floppy disk must be present for the system to start up. If the disk is lost or damaged, the system cannot be started. (Backups, of course, are recommended.)

The Syskey utility, which is an option in Windows NT 4.0, is used by default on Windows 2000 and Windows Server 2003 and cannot be disabled. An administrator may, however, change the storage location of the system key. Without the system key, the system cannot function, because the password database will be inaccessible.

If the storage option for the system key is changed and the password is forgotten or the floppy disk is not available, the passwords in the SAM and other information will not be available. To recover, you will have to restore the SAM and SYSTEM hives of the registry to the condition they were in before the storage location was changed. Therefore, the best practice is to make a backup of the system state prior to changing the storage location of the system key. Be aware that other system-based changes and local account changes made since the storage location change will also be lost when these hives are restored.

To modify the system key storage location, follow these steps:

Although the main purpose of the Syskey utility is to protect the SAM, additional Windows components are affected. Specifically, the following occurs:

- The SYSTEM and SAM hives of the registry are changed. (The SAM is encrypted, and the SYSTEM hive now contains information on the option used.) If you need to recover (because you lost the key or the floppy disk), both hives should be restored; if they are not, the system may attempt to boot using the wrong information. It may, for example, think a floppy disk is required when the key is actually stored locally.
- A master key is created to protect private keys.
- Protection keys for user passwords are stored in the Active Directory.
- A protection key is created for the Administrator password used to start the system in Safe Mode.
- Protection keys for the LSA Secrets storage area are created. LSA Secrets is an area where sensitive cryptographic information, such as users' EFS keys and the passwords of service accounts, is stored.
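To make the "complex obfuscation algorithm" of the locally stored mode concrete: Windows does not keep the 128-bit system key as a single value. Its 16 bytes are spread across the class names of four registry subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (JD, Skew1, GBG and Data, each holding 8 hex characters) and descrambled with a fixed byte permutation at startup. This is why recovery needs the SYSTEM hive as well as the SAM, and why an offline copy of both hives is enough to recover the key. The Python below is an added example, not code from the book or from Microsoft; the class-name values are constructed for illustration, and the meaning of the Lsa\SecureBoot value (which records the storage option in use) is taken from Syskey recovery guidance rather than from this page.

```python
"""Recover a locally stored Syskey (boot key) from the four Lsa class names.

Added example: reproduces the descrambling step that offline SAM-dumping tools
implement. Class-name values below are constructed, not from a real system.
"""

# Fixed permutation: output byte i is taken from scrambled position
# BOOTKEY_PERMUTATION[i]. The same table is used by offline hive tools.
BOOTKEY_PERMUTATION = (0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
                       0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7)

# Order in which the four subkey class names are concatenated.
CLASS_NAME_KEYS = ("JD", "Skew1", "GBG", "Data")

# Meaning of the REG_DWORD HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot.
# Assumption taken from Syskey recovery guidance, not from the page.
SECUREBOOT_MODES = {
    1: "stored locally",
    2: "password required at startup",
    3: "stored on floppy disk",
}

# Constructed sample: four 8-character hex class names (not a real key).
SAMPLE_CLASS_NAMES = {
    "JD": "0c3d4b9f",
    "Skew1": "1a2b3c4d",
    "GBG": "5e6f7081",
    "Data": "92a3b4c5",
}


def describe_secureboot_mode(value: int) -> str:
    """Translate the SecureBoot DWORD into the storage option it denotes."""
    return SECUREBOOT_MODES.get(value, "unknown mode %r" % (value,))


def bootkey_from_class_names(class_names: dict) -> bytes:
    """Return the 16-byte system key hidden in the JD/Skew1/GBG/Data class names.

    Raises ValueError if a class name is missing, the concatenation is not
    32 hex characters, or a class name contains non-hex characters; an
    attacker-controlled or damaged hive must not produce a silently wrong key.
    """
    try:
        scrambled_hex = "".join(class_names[k] for k in CLASS_NAME_KEYS)
    except KeyError as exc:
        raise ValueError("missing class name for Lsa\\%s" % exc.args[0]) from None
    if len(scrambled_hex) != 32:
        raise ValueError("expected 4 x 8 hex characters, got %d" % len(scrambled_hex))
    scrambled = bytes.fromhex(scrambled_hex)  # ValueError on non-hex input
    return bytes(scrambled[BOOTKEY_PERMUTATION[i]] for i in range(16))


def class_names_from_bootkey(bootkey: bytes) -> dict:
    """Inverse operation: scramble a key into the four class names Windows stores.

    Handy for checking that the permutation round-trips; the forward function
    is what a recovery or audit tool actually needs.
    """
    if len(bootkey) != 16:
        raise ValueError("system key must be 16 bytes")
    scrambled = bytearray(16)
    for i, src in enumerate(BOOTKEY_PERMUTATION):
        scrambled[src] = bootkey[i]
    hexstr = scrambled.hex()
    return {k: hexstr[8 * n:8 * n + 8] for n, k in enumerate(CLASS_NAME_KEYS)}


if __name__ == "__main__":
    key = bootkey_from_class_names(SAMPLE_CLASS_NAMES)
    print("SecureBoot=1 means:", describe_secureboot_mode(1))
    print("recovered system key:", key.hex())
```

On a live system the four class names are read with the registry API (they are key *class* strings, not values, so they do not appear in Regedit's value pane), and an offline hive parser reads them from a copied SYSTEM hive. The point for the administrator is the one the chapter makes for the other two modes in reverse: with the default locally stored key, the SYSTEM hive is the key, so backups and copies of that hive deserve the same protection as the SAM itself.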