RE: issues with syskey in NT 4.0
From: Kolde, Jennifer E. (jkolde@nosc.mil)
Date: 12/03/02
- Previous message: Mike Coppins: "Re: issues with syskey in NT 4.0"
- Maybe in reply to: Paul Greene: "issues with syskey in NT 4.0"
- Next in thread: jason d. montgomery: "RE: issues with syskey in NT 4.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Kolde, Jennifer E." <jkolde@nosc.mil>
To: 'Paul Greene' <techlists@comcast.net>, focus-ms@securityfocus.com
Date: Mon, 2 Dec 2002 16:21:51 -0800
Hi Paul,
The purpose of syskey is to further protect (encrypt) the weakly-encrypted
passwords (LM hashes) in the SAM database. Using syskey protects the
password hashes from LOCAL attack (i.e., someone able to access them off the
server itself, either directly from the SAM or the backup copy in the
\repair directory). It also protects the SAM on backup media, such as a
backup tape or ERD.
The main concern with syskey-enabled systems is that if the system key is
lost or damaged, you will be unable to access the SAM database and your
system is essentially useless. So, all caveats about backing up your system
regularly apply here. There are no issues with application compatibility or
syskey "breaking" anything as the password hashes are decrypted at boot time
and available for access by the operating system.
Other than backing up to protect the key, there are no major concerns. The
system key can either be stored locally in the registry, which allows the
system to boot normally (MS is not very forthcoming about where/how the key
is stored); on a floppy, which must be provided at boot time; or in the form
of a manually-entered password that must be provided at boot time.
Storing the password locally is the 'least secure' (though I'm not aware of
any way to extract the key, the possibility of doing so exists) but most
convenient.
If it puts your clients' minds at ease, note that syskey is enabled *by
default* on Windows 2000 and later, with the system key stored locally in
the registry (you can run syskey from the command prompt on Win2K to change
syskey's parameters and store the key on floppy or using a password).
Regards,
Jennifer
-----Original Message-----
From: Paul Greene [mailto:techlists@comcast.net]
Sent: Monday, December 02, 2002 11:13 AM
To: focus-ms@securityfocus.com
Subject: issues with syskey in NT 4.0
Are there any known issues with enabling syskey under NT 4.0? In other
words, does enabling syskey break any functionality, or cause any other
problems for either the operating system itself or for any application?
(I'm having a bit of an argument with a client over enabling syskey; I'm
strongly recommending they use it, but they don't want to for various
reasons, i.e., they're afraid it'll break something or cause other kinds
of problems; I'm not aware of any issues that could justify their fears).
Paul Greene
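An added audit example, not part of this thread: Jennifer lists three places the system key can live (registry, floppy, boot password) and notes that Windows 2000 and later enable syskey by default with the key in the registry. The script below reports which of those modes a host is using. It assumes, from Microsoft's syskey documentation rather than from this message, that the mode is recorded in the DWORD value SecureBoot under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = registry, 2 = password, 3 = floppy); the function name Get-SyskeyMode is the author's own.

```powershell
# Added example (not from the thread). Reports the syskey storage mode per host.
# Assumption: the mode is the DWORD SecureBoot under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa, with 1 = key in registry,
# 2 = password entered at boot, 3 = key on floppy (per Microsoft's syskey article).
function Get-SyskeyMode {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $modes = @{
        1 = 'Key stored locally in the registry (default on Windows 2000+; most convenient, least secure)'
        2 = 'Key derived from a password that must be entered at boot'
        3 = 'Key stored on a floppy that must be present at boot'
    }
    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName = $computer
            SecureBoot   = $null
            Mode         = 'Unknown'
            Note         = ''
        }
        try {
            # For remote hosts the Remote Registry service must be running on the target.
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $lsa   = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $value = $lsa.GetValue('SecureBoot')
            if ($null -eq $value) {
                $result.Mode = 'Not configured'
                $result.Note = 'No SecureBoot value: syskey does not appear to be enabled'
            } elseif ($modes.ContainsKey([int]$value)) {
                $result.SecureBoot = [int]$value
                $result.Mode       = $modes[[int]$value]
                if ([int]$value -ne 1) {
                    # Modes 2 and 3 make the box unbootable if the secret is lost.
                    $result.Note = 'Boot requires operator input; verify the floppy/password is backed up'
                }
            } else {
                $result.SecureBoot = [int]$value
                $result.Note       = 'Unexpected SecureBoot value'
            }
            $lsa.Close(); $hive.Close()
        } catch {
            $result.Note = "Registry read failed: $($_.Exception.Message)"
        }
        $result
    }
}

Get-SyskeyMode | Format-List
```

Pass a list of hostnames to Get-SyskeyMode to inventory a fleet; any host reporting mode 2 or 3 is one whose floppy or boot password must be covered by the backup procedures the message stresses.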