Even with SYSKEY enabled on an NT DC the SAM can still be cracked with l0phtcrack or the other tools.  Just making a recovery disk with the /r (I believe) option would export a readable copy of the SAM.  We would have to do it for our security folks to test password strength every so often.

Honestly, I don't believe it matters what version of the Windows OS you use.  If you have physical access to the system, you win.

Dave

------------------------------------------------
David J. Perdue
Network Security Engineer, InDyne Inc 
Comm: (805) 606-4597    DSN: 276-4597
------------------------------------------------


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Wednesday, November 17, 2004 12:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

I would suggest the Windows 2003 (and 2000 and XP) SAM is more secure than NT as it is encrypted with a locally stored key by default. The Syskey process allows you to store that key on a separate floppy disk, thus adding an extra layer of security. In the NT SAM, the encryption is not on by default but can be added with Syskey as an optional extra so I reckon this makes the 2003 SAM more secure.

If you have ever used l0phtcrack on an NT SAM you may be scared at how quickly it can rip through all your passwords (even if it does require an admin account to run).

I accept that one of the golden rules of security is that if the bad guy has physical access to your machine it's not your machine any more, but a 128-bit encryption key will take some time to crack, giving some breathing space to take action. Especially as the Syskey password needs at least 12 characters and should contain all sorts of numbers, letters, squiggles and hieroglyphics. The rainbow tables needed to crack that would probably be many terabytes in size.

Having said all that, I wouldn't bother using Syskey on my DCs or any other server due to the hassles you mention. The best idea is just to keep them in a physically secure location in the first place.
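An added example, not code from this thread: a PowerShell audit that reports which Syskey startup-key mode each domain controller is using, so you can see whether a DC relies on the default locally stored key or on the password or floppy mode Simon describes. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; the SecureBoot registry value under the Lsa key is where Windows records the mode (1, 2 or 3), which the thread itself does not mention.

```powershell
# Added audit script (not from the thread). Reads the Syskey mode of every DC.
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot holds the mode; despite the
# name it is unrelated to UEFI Secure Boot.
Import-Module ActiveDirectory

# Mode numbers as Windows stores them; 1 is the default on 2000/XP/2003.
$modes = @{
    1 = 'Generated key stored locally (default)'
    2 = 'Key derived from a startup password'
    3 = 'Key stored on removable media (floppy)'
}

function Get-SyskeyMode {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Remote registry read over WinRM; the value is absent on very old or odd builds.
    $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
    }

    $mode = if ($null -eq $value) { 'Value absent (unknown)' }
            elseif ($modes.ContainsKey([int]$value)) { $modes[[int]$value] }
            else { "Unrecognised value $value" }

    [pscustomobject]@{
        ComputerName = $ComputerName
        SecureBoot   = $value
        Mode         = $mode
    }
}

# One row per DC; mode 1 means the key is on the box, so physical access
# still yields the SAM as the thread points out.
Get-ADDomainController -Filter * |
    ForEach-Object { Get-SyskeyMode -ComputerName $_.HostName } |
    Format-Table -AutoSize
```

Run it from a management host with rights to read the registry on each DC; DCs reporting mode 1 are the ones the "keep them physically secure" advice applies to most directly.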

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 16 November 2004 17:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Syskey and AD

I don't think I would say that the SAM is more secure than it is with NT.

The issue of being hacked is still there and still fairly trivial. The syskey can maybe help depending on the tools used to crack the server and whether it is an attempt to brute force passwords (or Rainbow crack) or gain access to the box. I don't want to get very deep into this, but if someone has physical access to the machine, they can own the machine if they so desire - period. Using a user-generated password or floppy (and not keeping the floppy with the machine) with SysKey is safer but not tremendously so and again, only for someone trying to steal the password database. Mostly it just adds considerable heartache to management since you have to be in front of the machine (or using some low-level IO card to redirect the console) to start it. Once the local SAM is cracked, it is one reboot and one more tool away from the DIT being cracked.

Basically, if my goal is to steal your passwords in a quiet way, syskey will help a little as it adds another 128-bit encryption piece in front of the hashes. If my goal is to take over your server or domain or forest, syskey doesn't hamper that.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)
Sent: Tuesday, November 16, 2004 4:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

It's still possible, but whether or not it will still be necessary with Windows Server 2003 is another question. The default security of the SAM is higher than with NT. This page gives you the process. http://support.microsoft.com/kb/310105

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: 15 November 2004 20:03
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Syskey and AD

Is it still necessary to syskey DCs?  On NT 4.0 we always did that.  Does the same apply for Windows 2003?
