The Lazy Admin

Using Syskey to Secure Your Systems

Windows 2000, XP and 2003 include a Security Accounts Management (SAM) database that contains hashed copies of user passwords. The database is encrypted, and by default the encryption key is stored on the local machine. When you boot the machine and attempt to log on locally, that key is used to decrypt the SAM database so the password you entered can be verified.

Using syskey, we can move the encryption key to a floppy disk. Without the floppy disk inserted when logging on, the SAM database cannot be decrypted and logon to the local machine is impossible. From a command prompt, type syskey. The first thing you should notice in the Securing the Windows Account Database dialog is that encryption is enabled and, in fact, cannot be disabled.

Click Update to continue. Here we have two choices: Password Startup or System Generated Password.

If you select Password Startup, you will be required to enter a password when starting Windows. What we want to do is select System Generated Password and then select Store Startup Key on Floppy Disk. This moves the SAM database encryption key off the local machine and onto a floppy disk. The floppy disk will need to be inserted in order to log on.

If you reboot remotely, someone will need to be at the local machine to insert the floppy, or you will not be able to log on. In other words, you NEED the floppy in order to log on :) And DON'T leave the floppy in the drive, as that eliminates the effectiveness of the whole exercise. You can move the encryption key back to the local machine at any time by running syskey again and selecting to store the startup key locally; you will need the floppy with the current key to do so.

Beware: if you lose the floppy and don't have a backup of it, you will not be able to log on.

If you are in doubt whether syskey has been applied and you are logged on to the machine, a quick check of the registry will let you know. DO NOT change any of these values.

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

"SecureBoot" REG_DWORD
  0x1 - syskey stored locally
  0x2 - password startup
  0x3 - syskey stored on floppy
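As an added example (not code from the original post), here is a read-only PowerShell check of that same SecureBoot value that can be run against one or more machines through the Remote Registry service, which is assumed to be running on the target. The function name Get-SyskeyMode is my own.

```powershell
# Added example: read-only audit of the Syskey mode via the SecureBoot value.
# Assumes the Remote Registry service is reachable on each target; local checks
# need nothing extra. Get-SyskeyMode is a hypothetical name, not a built-in cmdlet.
function Get-SyskeyMode {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # Meanings of the SecureBoot value as described in the post.
    $modes = @{ 1 = 'Key stored locally'; 2 = 'Password startup'; 3 = 'Key stored on floppy' }

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{ ComputerName = $computer; SecureBoot = $null; Mode = 'Unknown' }
        try {
            # OpenRemoteBaseKey also accepts the local machine name. OpenSubKey
            # defaults to read-only, so this cannot alter the value.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $value = $lsa.GetValue('SecureBoot')
            if ($null -eq $value) {
                $result.Mode = 'SecureBoot value not present'
            } else {
                $result.SecureBoot = [int]$value
                if ($modes.ContainsKey([int]$value)) {
                    $result.Mode = $modes[[int]$value]
                } else {
                    $result.Mode = "Unexpected value $value"
                }
            }
            $lsa.Close()
            $hklm.Close()
        } catch {
            # Typical causes: Remote Registry not running, no rights, host unreachable.
            $result.Mode = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]$result
    }
}

# Usage: report every machine whose key is not simply stored locally.
Get-SyskeyMode -ComputerName $env:COMPUTERNAME |
    Where-Object { $_.SecureBoot -ne 1 } | Format-Table -AutoSize
```

Machines reporting 0x3 are the ones where a remote reboot will wait for someone to insert the floppy, so they are worth flagging before scheduling unattended restarts.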

Published Friday, June 17, 2005 8:20 AM by rodney.buike

