Do I need to use the SysKey utility to enhance the security?

Discussion in 'Security Software' started by cc, May 2, 2005.

  1. cc

    cc Guest

    For the Syskey, please refer to
    http://support.microsoft.com/kb/310105/

    Do I need to use the utility?

    What is the difference between Startup Password & Account Password & the
    password of BIOS?
     
    cc, May 2, 2005
    #1
    1. Advertisements

  2. See below.
    Well, "need" is always a relative term. Simply put, security is always a
    balance -- between usability (convenience), security (protection), and cost
    (sometimes including effort, not just money). This balance is different for
    different people and different applications. To find your balance, you need
    to do some risk analysis and risk management: what threats are you protecting
    against, what is the consequence if you fail, how much effort will it take
    to eliminate or reduce the threat.

    To give you a more useful answer: *I* have syskey active on my laptop, because
    it is mobile and not a member of a domain. I don't bother with syskey on
    the machine in my home office.
    Short answer:

    The BIOS password prevents people from starting your computer without the
    password, this would include booting from a cd or floppy. On the other hand,
    it is usually fairly easy to bypass the BIOS password (by removing the hard
    drive, or clearing the cmos).

    By startup password, you mean the "System Startup Key", sometimes just called
    the "syskey" or system key (syskey is also the name of the executable utility
    that controls how the system startup key is generated and stored and if it
    has to be entered manually). The syskey protects all of the system secrets.
    Think of it as a "grand master password". The sytem uses it to encrypt all
    sorts of things, but probably the most important is the representations of
    user's passwords that are stored on the system (note: I said "representation",
    not "password", and I know this is a bit simplistic as there are more details
    and various configurations). If the syskey is compromised, very bad things
    could happen. The good news is that it is fairly hard to compromise.

    The account password allows individual users to authenticate to the system,
    so that each user can be authorized for specific access to specific resources.

    Longer answer:
    Read Steve's article at http://www.microsoft.com/technet/community/columns/secmgmt/sm0205.mspx


    Hope that helps.

    - Byron Hyne
     
    Byron Hynes [MVP], May 2, 2005
    #2
    1. Advertisements

  3. cc

    cc Guest

    Thank you, Byron. I still have more questions about the syskey.

    1. "The startup key also protects the local SAM database on each computer
    and the administrator account password used for system recovery in safe
    mode."
    (Qouted from Steve's article.)

    2. "Changing SysKey to password mode can help protect stolen laptops from
    information theft." (Also qouted from Steve's article)

    Thank you again.


    "Byron Hynes [MVP]" <>
    ??????:...
    See below.
    Well, "need" is always a relative term. Simply put, security is always a
    balance -- between usability (convenience), security (protection), and cost
    (sometimes including effort, not just money). This balance is different for
    different people and different applications. To find your balance, you need
    to do some risk analysis and risk management: what threats are you
    protecting
    against, what is the consequence if you fail, how much effort will it take
    to eliminate or reduce the threat.

    To give you a more useful answer: *I* have syskey active on my laptop,
    because
    it is mobile and not a member of a domain. I don't bother with syskey on
    the machine in my home office.
    Short answer:

    The BIOS password prevents people from starting your computer without the
    password, this would include booting from a cd or floppy. On the other hand,
    it is usually fairly easy to bypass the BIOS password (by removing the hard
    drive, or clearing the cmos).

    By startup password, you mean the "System Startup Key", sometimes just
    called
    the "syskey" or system key (syskey is also the name of the executable
    utility
    that controls how the system startup key is generated and stored and if it
    has to be entered manually). The syskey protects all of the system secrets.
    Think of it as a "grand master password". The sytem uses it to encrypt all
    sorts of things, but probably the most important is the representations of
    user's passwords that are stored on the system (note: I said
    "representation",
    not "password", and I know this is a bit simplistic as there are more
    details
    and various configurations). If the syskey is compromised, very bad things
    could happen. The good news is that it is fairly hard to compromise.

    The account password allows individual users to authenticate to the system,
    so that each user can be authorized for specific access to specific
    resources.

    Longer answer:
    Read Steve's article at
    http://www.microsoft.com/technet/community/columns/secmgmt/sm0205.mspx


    Hope that helps.

    - Byron Hynes
     
    cc, May 2, 2005
    #3
  4. cc

    cc Guest

    But there are tools readily downloadable from the Internet that can that
    allow a theft to access a disk protected
    by syskey.So EFS is a better method of preventing information being stolen?

    "cc" <> дÈëÏûÏ¢ÐÂÎÅ:...
    Thank you, Byron. I still have more questions about the syskey.

    1. "The startup key also protects the local SAM database on each computer
    and the administrator account password used for system recovery in safe
    mode."
    (Qouted from Steve's article.)

    2. "Changing SysKey to password mode can help protect stolen laptops from
    information theft." (Also qouted from Steve's article)

    Thank you again.


    "Byron Hynes [MVP]" <>
    ??????:...
    See below.
    Well, "need" is always a relative term. Simply put, security is always a
    balance -- between usability (convenience), security (protection), and cost
    (sometimes including effort, not just money). This balance is different for
    different people and different applications. To find your balance, you need
    to do some risk analysis and risk management: what threats are you
    protecting
    against, what is the consequence if you fail, how much effort will it take
    to eliminate or reduce the threat.

    To give you a more useful answer: *I* have syskey active on my laptop,
    because
    it is mobile and not a member of a domain. I don't bother with syskey on
    the machine in my home office.
    Short answer:

    The BIOS password prevents people from starting your computer without the
    password, this would include booting from a cd or floppy. On the other hand,
    it is usually fairly easy to bypass the BIOS password (by removing the hard
    drive, or clearing the cmos).

    By startup password, you mean the "System Startup Key", sometimes just
    called
    the "syskey" or system key (syskey is also the name of the executable
    utility
    that controls how the system startup key is generated and stored and if it
    has to be entered manually). The syskey protects all of the system secrets.
    Think of it as a "grand master password". The sytem uses it to encrypt all
    sorts of things, but probably the most important is the representations of
    user's passwords that are stored on the system (note: I said
    "representation",
    not "password", and I know this is a bit simplistic as there are more
    details
    and various configurations). If the syskey is compromised, very bad things
    could happen. The good news is that it is fairly hard to compromise.

    The account password allows individual users to authenticate to the system,
    so that each user can be authorized for specific access to specific
    resources.

    Longer answer:
    Read Steve's article at
    http://www.microsoft.com/technet/community/columns/secmgmt/sm0205.mspx


    Hope that helps.

    - Byron Hynes
     
    cc, May 2, 2005
    #4
  5. Syskey is used to protect the local sam on a computer. It is enabled by
    default in Windows 2000 and above. It makes it very difficult for an
    "offline" attack on the sam file. Methods other than default such as
    password at boot up or floppy disk to access the operating system at start
    up can further secure the sam file. If an attacker has access to the whole
    computer however there are tools that can disable syskey and allow access to
    the sam or to reset passwords. An account password is what you use when you
    are prompted to enter your name and password. A bios password protects the
    computer from booting into ANY operating system until the password is
    entered. Again there are ways to discover cmos passwords. That however does
    not mean that these measures should not be implemented in some situations as
    extra barriers to entrance that may buy you time.

    None of the above will stop an attacker from accessing your data if they
    have physical access to your computer. They can simply remove the hard drive
    and place into another computer to access the data, boot from a cdrom that
    has another operating system on it [knoppix, Windows PE] or even install a
    parallel operating system. The only way to protect data is with encryption.
    Encryption has its own pitfalls and application being used to encrypt the
    data must be well understood or data may still be accessible to an attacker
    when you believe it is sage or you may end up being denied access to your
    own data if you do not take precautions like having backups of you
    certificate/private key. --- Steve
     
    Steven L Umbach, May 2, 2005
    #5
  6. See below.

    Because, in my case, I explicitly trust everyone who has physical access
    to my desktop. My desktop is not likely to be left in an airport lounge or
    a conference presentation credenza. In addition, my desktop is a member of
    a domain, so there is much less stored in it's local SAM (generally speaking,
    putting a machine in a domain makes things more secure). Lastly, my laptop
    is regularly connected to networks that might not have a firewall, or might
    have other hosts that I do not trust. My desktop is connected only to the
    LAN that I manage, and behind a firewall that I manage, with no untrusted
    hosts.

    In short, my laptop is more "out there", and in my opinion, more likely to
    be attacked or lost.

    I have not tested all of those options. Reinstalling the OS will give a new
    SAM, so that's not an issue. With a strong system startup password (mine
    is about 40 characters long), that copy of the OS will not start. It would
    be very hard (not impossible, but hard) to crack the syskey-protected information
    with those other tools.

    However, the DATA could still be gotten (see next).
    You're welcome.

    - Byron
     
    Byron Hynes [MVP], May 2, 2005
    #6
  7. See below.
    Yes, if the goal is to protect data from being stolen, use EFS.

    Syskey doesn't protect the "disk". Syskey is used by the OS to encrypt certain
    pieces of information, such as the information used to authenticate users.
    (So, yes, I use both Syskey and EFS on my laptop.)

    You don't need any special software to "access the disk". Remove the disk
    drive and plug it into another computer. Only EFS or RMS or 3rd-party products
    help with that risk.

    They do different things:
    - Syskey: Protects the OS and account information (by encrypting special
    values)
    - EFS: Protects data stored on the disk by encrypting data (usually user's
    files)
    - RMS: Encrypts files (documents) and email while allowing them to be distributed
    to authorized users.

    EFS's main purpose is to protect data that may be physically removed from
    the control of the owner or the owner's operating system.
    (Syskey would actually help protect the key that is used to unlock EFS, in
    a non-domain environment).

    It might help to think of Syskey as a password used to protect the system's
    copy of other passwords.
     
    Byron Hynes [MVP], May 2, 2005
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.