Personal experience with syskey

Syskey.exe is a tool available in Windows Server 2003 (and also on Windows 2000 and XP) that encrypts the contents of the SAM accounts database. Why would you use this tool? Well, Windows (from Windows 2000 on) already encrypts the password hashes when it stores them on the machine. However, the encryption key (randomly generated by the system) is stored locally on the same machine, so if a hacker takes over the box it is possible to grab both the SAM database and the corresponding key, which are both somewhere on the filesystem. Syskey.exe lets you move the key off the machine, either by storing it on a floppy disk or by setting a startup password that is required to boot the machine (the prompt appears right after the boot logo, before the services are started, etc.).

Although this is a great feature to enhance the security of your server boxes even more, you should pay extra attention to the following points:

  • If you store the key on a floppy disk, be sure to have backups available! Without the key, you won't be able to boot the machine anymore. This can be a disaster because you'll need to set up the server again, and when you're using for example EFS (Encrypting File System) you can forget about recovering that data... If you lose the floppy, don't hesitate and disable syskey immediately (a power failure that reboots the machine can be a real disaster).
  • Terminal Services are not started yet when the floppy is asked for or the password prompt is displayed on the console. So, there is no way to reboot the machine remotely without KVM access or physical access to the machine. Be careful if you're using this feature on web servers that you administer remotely, because you don't have 24/7 physical access to the data center. When the key is stored on a floppy, you still need to press Enter to continue with the startup, so leaving the disk inserted in the drive is no solution (and of course it is ridiculous to leave the key floppy in the machine anyway :-)).
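A check for the remote-reboot trap described above, as an added example (not part of the original post): before restarting a remotely administered box, read the syskey mode from the registry and refuse to reboot when the machine would stop at the console prompt. It assumes the `SecureBoot` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` holds the syskey mode (1 = key in the local registry, 2 = startup password, 3 = key on floppy) and that the Remote Registry service is reachable on the target; verify both on your own build.

```powershell
# Added example: pre-reboot syskey check for a remotely administered Windows host.
# Assumption: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot (REG_DWORD)
# records the syskey mode: 1 = key kept in the local registry (default),
# 2 = startup password, 3 = key on floppy disk. Verify on your build.
function Get-SysKeyMode {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Remote registry access needs the Remote Registry service on the target.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $lsa  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $mode = $lsa.GetValue('SecureBoot')
    } finally {
        $hive.Close()
    }

    $description = switch ($mode) {
        1 { 'Key stored in local registry; boot needs no console input' }
        2 { 'Startup password required at boot; reboot stops at the console prompt' }
        3 { 'Key on floppy required at boot; reboot stops at the console prompt' }
        default { "Unknown or unset SecureBoot value ($mode)" }
    }

    [pscustomobject]@{
        ComputerName       = $ComputerName
        SysKeyMode         = $mode
        Description        = $description
        NeedsConsoleAtBoot = ($mode -eq 2 -or $mode -eq 3)
    }
}

# Only restart when the box will come back without someone at the console,
# or when the caller explicitly confirms KVM/physical access is available.
function Restart-IfSafe {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$HaveConsoleAccess
    )
    $state = Get-SysKeyMode -ComputerName $ComputerName
    if ($state.NeedsConsoleAtBoot -and -not $HaveConsoleAccess) {
        Write-Warning ("{0}: {1}. Not restarting." -f $state.ComputerName, $state.Description)
        return $state
    }
    Restart-Computer -ComputerName $ComputerName -Force
    return $state
}

# Usage: Restart-IfSafe -ComputerName 'WEB01'   (hypothetical host name)
```

Run `Get-SysKeyMode` alone on each server you administer remotely to inventory which ones will wait for a floppy or password after a power failure.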

