Re: SysKey

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 06/09/04


Date: Wed, 09 Jun 2004 18:57:32 GMT

Syskey does use 128-bit strength, though there was a vulnerability that at one
time required a patch. The two links below give more details.

http://www.microsoft.com/technet/security/news/efs.mspx
http://www.microsoft.com/technet/security/bulletin/fq99-056.mspx

I don't know the mechanics of the AD database other than that it is stored in ntds.dit
and is much more secure than the SAM was. I do not know of any tool available that
can crack the ntds.dit database offline, including LC5, and I spent about ten
minutes looking on Google. However, that does not mean there is not a way now or
in the future, and physical security of domain controllers and backup media is
important. There are much easier ways to compromise any domain, including social
engineering, keyboard loggers, cameras, etc. It would make sense to disable
storing of LM hashes on domain controllers if possible and configure downlevel
domain clients such as W9X to use NTLMv2 authentication by using the Directory
Services Client/modifying the registry, and configuring Domain and Domain
Controller Security Policy for LAN Manager authentication level to be at least
"send NTLMv2 responses only". That will reduce the risk of using LM
authentication over the network, which can be easily sniffed and cracked. It is
much more difficult to crack NTLMv2 or Kerberos hashes sniffed off of the wire.
By default Kerberos will be used between W2000/XP Pro/W2003 computers in an AD
domain, though fallback to NTLM/NTLMv2 will be used if necessary, such as when an
IP address is used to locate a domain resource instead of a name or the time skew
is greater than five minutes between domain computers. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656& -- may not
work if W9X computers are used to log on to the domain.
http://support.microsoft.com/default.aspx?scid=kb;en-us;239869

"faels" <dweingarten@firstam.com> wrote in message
news:ceeb10b.0406090628.5d9a2b8a@posting.google.com...
> Thanks for all of your feedback. What is the encryption level for
> items, passwords specifically, stored in Windows 2000/2003 active
> directory databases? If SysKey is already enabled, it should be
> 128-bit, right?
>
> We have a client that is inquiring, and we are curious ourselves.
>
> Thanks again.
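The two hardening settings Steve recommends (disabling LM hash storage and raising the LAN Manager authentication level to "Send NTLMv2 response only" or stronger) both end up as DWORD values under the LSA registry key, whether set by hand or pushed through Domain/Domain Controller Security Policy. The following PowerShell audit script is an added example written for this page, not code from the thread or from Microsoft; it reads `LmCompatibilityLevel` and `NoLMHash` from `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa` and reports whether each meets the recommendation. The level descriptions are taken from the "Network security: LAN Manager authentication level" policy documentation; the function and property names are this example's own. Run it in an elevated PowerShell session on the machine being checked.

```powershell
# Added example (not from the original thread): audit the LSA registry values
# behind the LM hash storage and LAN Manager authentication level settings.

# Meaning of each LmCompatibilityLevel value, per the Windows security policy
# "Network security: LAN Manager authentication level".
$LmLevelDescriptions = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthAudit {
    # Returns an object describing the local LM/NTLM hardening state.
    [CmdletBinding()]
    param(
        # Hypothetical parameter so the same function can be pointed at a
        # loaded offline hive (e.g. HKLM:\OfflineSystem\ControlSet001\Control\Lsa).
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $lsa = Get-ItemProperty -Path $LsaPath -ErrorAction Stop

    # Both values are optional; an absent value means the OS default applies.
    # On the Windows 2000/XP/2003 systems discussed in the thread, an absent
    # NoLMHash means LM hashes ARE still stored (KB 299656 above describes this).
    $levelProp = $lsa.PSObject.Properties['LmCompatibilityLevel']
    $noLmProp  = $lsa.PSObject.Properties['NoLMHash']

    $level  = if ($null -ne $levelProp) { [int]$levelProp.Value } else { $null }
    $noLm   = if ($null -ne $noLmProp)  { [int]$noLmProp.Value }  else { $null }

    $levelText = if ($null -ne $level -and $LmLevelDescriptions.ContainsKey($level)) {
        $LmLevelDescriptions[$level]
    } else {
        'not set (OS default applies)'
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        LmCompatibilityLevel   = $level
        LmLevelDescription     = $levelText
        # Steve's minimum is level 3 ("send NTLMv2 responses only"); 4 and 5
        # additionally refuse LM / NTLM from clients and are stronger.
        NtlmV2ResponsesOnly    = ($null -ne $level -and $level -ge 3)
        NoLMHash               = $noLm
        LmHashStorageDisabled  = ($noLm -eq 1)
    }
}

# Usage: print the audit result and flag anything below the recommendation.
$audit = Get-LmAuthAudit
$audit | Format-List

if (-not $audit.NtlmV2ResponsesOnly) {
    Write-Warning 'LmCompatibilityLevel is below 3: LM/NTLM responses may still be sent on the wire.'
}
if (-not $audit.LmHashStorageDisabled) {
    Write-Warning 'NoLMHash is not 1: LM hashes are still stored for newly set passwords.'
}
```

Two caveats a practitioner should keep in mind: setting `NoLMHash` only stops LM hashes from being written for passwords changed after the setting takes effect, so existing accounts keep their LM hash until the next password change; and, as the thread notes, raising the authentication level can break logons from Windows 9x clients that lack the Directory Services Client, so audit the client population before changing the domain controller policy.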