I don't think I would say that the SAM is more secure than
it is with NT.
The issue of being hacked is still there and still
fairly trivial. The syskey can maybe help depending on the tools used to crack
the server and whether it is an attempt to brute force passwords (or Rainbow
crack) or gain access to the box. I don't want to get very deep into this but if
someone has physical access to the machine, they can own the machine if they so
desire - period. Using a user-generated password or floppy (and not keeping
the floppy with the machine) with SysKey is safer but not tremendously so and
again, only for someone trying to steal the password database. Mostly it
just adds considerable heartache to management since you have to be in
front of the machine (or using some low level IO card to redirect
console) to start it. Once the local SAM is cracked, it is one reboot and
one more tool away from the DIT being cracked.
Basically if my goal is to steal your passwords in a quiet
way, syskey will help a little as it adds another 128-bit encryption piece
in front of the hashes. If my goal is to take over your server or domain or
forest, syskey doesn't hamper that.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Tuesday, November 16, 2004 4:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

It's still possible,
but whether or not it will still be necessary with Windows Server 2003 is
another question. The default security of the SAM is higher than with NT. This
page gives you the process. http://support.microsoft.com/kb/310105
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario

Is it still necessary to syskey DCs? On NT 4.0 we always did that. Does the same apply for Windows 2003?