According to Microsoft"s bulletin, "a Protected Store is provided as part of CryptoAPI, in order to provide secure storage for sensitive information such as private keys and certificates. By design, the Protected Store should always encrypt the information using the strongest cryptography available on the machine. However, the Windows 2000 implementation uses 40-bit key to encrypt the Protected Store, even if stronger cryptography is installed on the machine. This vulnerability weakens the protection on the Protected Store."
Microsoft had issued a patch for the problem but then removed the patch for unknown reasons. See Q260219 for more details.