<Just make a recovery disk with the /r (I believe) option would export a readable copy of the sam>
that's only valid when the machine is running (and thus the SAM is decrypted) and you already have admin access to it. In the case of "only" having physical access but no account, you'd not have this option and thus you'd reboot the machine to start up another OS or do something similar to get at the SAM - in this case it would still be encrypted with the locally stored key. Storing that key offline would add your extra protection, with all the hassles involved with management of that offline key and handling the boot process.
For companies with very high security requirements that still need to put DCs in "unsafe" locations for various reasons, storing the key offline may be a valid option to further secure the DC (or any other server as a matter of fact). If you have the right server HW, you should be able to create disk images for each machine containing that key and, if the server has something like an iLO board, you can remotely mount that image during boot time. Still a lot of stuff to manage, but all possible remotely.
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Wednesday, November 17, 2004 4:57 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

Even with SYSKEY enabled on an NT DC the SAM can still be cracked with l0phtcrack or the other tools. Just making a recovery disk with the /r (I believe) option would export a readable copy of the SAM. We would have to do it for our security folks to test password strength every so often. Honestly, I don't believe it matters what version of the Windows OS you use. If you have physical access to the system, you win.

Dave
------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)

I would suggest the Windows 2003 (and 2000 and XP) SAM is more secure than NT's, as it is encrypted with a locally stored key by default. The Syskey process allows you to store that key on a separate floppy disk, thus adding an extra layer of security. In the NT SAM, the encryption is not on by default but can be added with Syskey as an optional extra, so I reckon this makes the 2003 SAM more secure.
If you have ever used l0phtcrack on an NT SAM you may be scared at how quickly it can rip through all your passwords (even if it does require an admin account to run).

I accept that one of the golden rules of security is that if the bad guy has physical access to your machine it's not your machine any more, but a 128-bit encryption key will take some time to crack, giving some breathing space to take action. Especially as the Syskey password needs at least 12 characters and should contain all sorts of numbers, letters, squiggles and hieroglyphics. The rainbow tables needed to crack that would probably be many terabytes in size.

Having said all that, I wouldn't bother using Syskey on my DCs or any other server due to the hassles you mention. The best idea is just to keep them in a physically secure location in the first place.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I don't think I would
say that the SAM is more secure than it is with NT. The issue of being hacked is still there and still fairly trivial. The syskey can maybe help depending on the tools used to crack the server and whether it is an attempt to brute-force passwords (or Rainbow crack) or gain access to the box. I don't want to get very deep into this but if someone has physical access to the machine, they can own the machine if they so desire - period. Using a user-generated password or floppy (and not keeping the floppy with the machine) with SysKey is safer but not tremendously so and again, only for someone trying to steal the password database. Mostly it just adds considerable heartache to management since you have to be in front of the machine (or using some low-level IO card to redirect the console) to start it. Once the local SAM is cracked, it is one reboot and one more tool away from the DIT being cracked.

Basically, if my goal is to steal your passwords in a quiet way, syskey will help a little as it adds another 128-bit encryption piece in front of the hashes. If my goal is to take over your server or domain or forest, syskey doesn't hamper that.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)

It's still possible, but whether or not it will still be necessary with Windows Server 2003 is another question. The default security of the SAM is higher than with NT. This page gives you the process. http://support.microsoft.com/kb/310105
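The thread keeps coming back to which SysKey mode a box is in (system-generated key kept on the local disk, a startup password, or a key on a floppy). The following is an added audit script, not code from the thread or from Microsoft's KB article: it reads the well-known SysKey mode indicator (the `SecureBoot` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, unrelated to UEFI Secure Boot) from a constructed list of servers and flags domain controllers that rely only on the locally stored key. It assumes the Remote Registry service and WMI/CIM are reachable with admin rights.

```powershell
# Added audit example (not from the thread). Reports which SysKey mode each server uses.
# Known registry location: HKLM\SYSTEM\CurrentControlSet\Control\Lsa, DWORD "SecureBoot":
#   1 = system-generated key stored on the local machine (default on 2000/XP/2003)
#   2 = key derived from a startup password typed at boot
#   3 = key stored on a floppy disk (the "offline key" option discussed in the thread)
# Note: newer Windows releases no longer ship syskey.exe; this targets the NT/2000/2003 era setups discussed.
# $Servers is a constructed list; replace it with your own hosts.
$Servers = @('DC01', 'DC02', 'FILE01')

$ModeNames = @{
    1 = 'Local key (default)'
    2 = 'Startup password'
    3 = 'Floppy / offline key'
}

function Get-SyskeyMode {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        # Remote registry read of the SysKey mode value.
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $lsa  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $mode = $lsa.GetValue('SecureBoot')
        $modeName = 'Unknown / not set'
        if ($null -ne $mode -and $ModeNames.ContainsKey([int]$mode)) { $modeName = $ModeNames[[int]$mode] }

        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
        $role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName).DomainRole

        [pscustomobject]@{
            Computer = $ComputerName
            IsDC     = ($role -ge 4)
            Mode     = $mode
            ModeName = $modeName
        }
    } catch {
        [pscustomobject]@{ Computer = $ComputerName; IsDC = $null; Mode = $null; ModeName = "Error: $($_.Exception.Message)" }
    }
}

$report = $Servers | ForEach-Object { Get-SyskeyMode -ComputerName $_ }
$report | Format-Table -AutoSize

# Flag DCs that rely only on the locally stored key: the case the thread describes as giving
# no extra protection against someone booting the box into another OS to read the SAM.
$report | Where-Object { $_.IsDC -and $_.Mode -eq 1 } |
    ForEach-Object { Write-Warning "$($_.Computer): DC with SysKey mode 1 (key stored on local disk)" }
```

Run it from a management host with domain admin rights; servers in mode 2 or 3 are the ones that will need someone at the console (or an iLO-mounted image, as Guido describes) to come back up after a reboot.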
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario

Is it still necessary to syskey DCs? On NT 4.0 we always did that. Does the same apply for Windows 2003?