RE: issues with syskey in NT 4.0

From: Kolde, Jennifer E. (jkolde@nosc.mil)
Date: 12/03/02

    From: "Kolde, Jennifer E." <jkolde@nosc.mil>
    To: 'Paul Greene' <techlists@comcast.net>, focus-ms@securityfocus.com
    Date: Mon, 2 Dec 2002 16:21:51 -0800 
    
    

    Hi Paul,

    The purpose of syskey is to further protect (encrypt) the weakly-encrypted
    passwords (LM hashes) in the SAM database. Using syskey protects the
    password hashes from LOCAL attack (i.e., someone able to access them off the
    server itself, either directly from the SAM or the backup copy in the
    \repair directory). It also protects the SAM on backup media, such as a
    backup tape or ERD.

    The main concern with syskey-enabled systems is that if the system key is
    lost or damaged, you will be unable to access the SAM database and your
    system is essentially useless. So, all caveats about backing up your system
    regularly apply here. There are no issues with application compatibility or
    syskey "breaking" anything as the password hashes are decrypted at boot time
    and available for access by the operating system.

    Other than backing up to protect the key, there are no major concerns. The
    system key can either be stored locally in the registry, which allows the
    system to boot normally (MS is not very forthcoming about where/how the key
    is stored); on a floppy, which must be provided at boot time; or in the form
    of a manually-entered password that must be provided at boot time.

    Storing the password locally is the 'least secure' (though I'm not aware of
    any way to extract the key, the possibility of doing so exists) but most
    convenient.

    If it puts your clients' minds at ease, note that syskey is enabled *by
    default* on Windows 2000 and later, with the system key stored locally in
    the registry (you can run syskey from the command prompt on Win2K to change
    syskey's parameters and store the key on floppy or using a password).

    Regards,
    Jennifer

    -----Original Message-----
    From: Paul Greene [mailto:techlists@comcast.net]
    Sent: Monday, December 02, 2002 11:13 AM
    To: focus-ms@securityfocus.com
    Subject: issues with syskey in NT 4.0

    Are there any known issues with enabling syskey under NT 4.0? In other
    words, does enabling syskey break any functionality, or cause any other
    problems for either the operating system itself or for any application?

    (I'm having a bit of an argument with a client over enabling syskey; I'm
    strongly recommending they use it, but they don't want to for various
    reasons i.e. they're afraid it'll break something or cause other kinds
    of problems; I'm not aware of any issues that could justify their fears).

    Paul Greene