RE: issues with syskey in NT 4.0

From: Kolde, Jennifer E.
Date: 12/03/02

    From: "Kolde, Jennifer E."
    To: 'Paul Greene'
    Date: Mon, 2 Dec 2002 16:21:51 -0800 

    Hi Paul,

    The purpose of syskey is to further protect (encrypt) the weakly-encrypted
    passwords (LM hashes) in the SAM database. Using syskey protects the
    password hashes from LOCAL attack (i.e., someone able to access them off the
    server itself, either directly from the SAM or the backup copy in the
    \repair directory). It also protects the SAM on backup media, such as a
    backup tape or ERD.

    The main concern with syskey-enabled systems is that if the system key is
    lost or damaged, you will be unable to access the SAM database and your
    system is essentially useless. So, all caveats about backing up your system
    regularly apply here. There are no issues with application compatibility or
    syskey "breaking" anything as the password hashes are decrypted at boot time
    and available for access by the operating system.

    Other than backing up to protect the key, there are no major concerns. The
    system key can either be stored locally in the registry, which allows the
    system to boot normally (MS is not very forthcoming about where/how the key
    is stored); on a floppy, which must be provided at boot time; or in the form
    of a manually-entered password that must be provided at boot time.

    Storing the password locally is the 'least secure' (though I'm not aware of
    any way to extract the key, the possibility of doing so exists) but most

    If it puts your clients' minds at ease, note that syskey is enabled *by
    default* on Windows 2000 and later, with the system key stored locally in
    the registry (you can run syskey from the command prompt on Win2K to change
    syskey's parameters and store the key on floppy or using a password).


    -----Original Message-----
    From: Paul Greene
    Sent: Monday, December 02, 2002 11:13 AM
    Subject: issues with syskey in NT 4.0

    Are there any known issues with enabling syskey under NT 4.0? In other
    words, does enabling syskey break any functionality, or cause any other
    problems for either the operating system itself or for any application?

    (I'm having a bit of an argument with a client over enabling syskey; I'm
    strongly recommending they use it, but they don't want to for various
    reasons i.e. they're afraid it'll break something or cause other kinds
    of problems; I'm not aware of any issues that could justify their fears).

    Paul Greene
