Q: What's the Windows System Key, and how can I configure it to get the most out of this security feature?

A: The System Key (aka Syskey) security feature adds an extra level of encryption for important Windows security data. Syskey secures this security data only when the OS isn't running. When the OS boots, the Syskey “system key” is loaded into memory so you can use it to unlock the security data. Syskey is enabled by default on any Windows Server 2003 R2, Windows 2000, and Windows XP system. Syskey protects the following important security data:

  • Local Security Authority (LSA) secrets stored in the LSA database
  • Master keys that are used to protect private keys
  • Protection keys for user account passwords stored in the SAM
  • Protection keys for user account passwords stored in Active Directory (AD)
  • The protection key for the administrator account password used for system recovery startup in safe mode

Out of the box, the system key is stored in the system registry of the local system. This approach isn't ideal for systems that require a high level of security, because the key sits on the same disk as the data it protects. Therefore, you might want to let Syskey prompt the user for a system key password at system startup. To set this up, type

    syskey

at a command prompt, choose Update, and select the Password Startup option. The Syskey password length can be between 1 and 128 characters. I recommend you use a password length of at least nine characters.

Syskey also lets you store the startup key on a floppy disk (as Figure 1 shows). In that case, you must provide the floppy each time the system boots. Both the password startup and floppy disk options require the user or administrator to be physically present when the system boots (no pain, no gain!). Table 1 summarizes the various Syskey options, which are also referred to as Syskey levels.

The easiest way to find out whether a Windows NT machine has Syskey enabled is to type

    syskey

at the command prompt. This command brings up the Securing the Windows Account Database dialog box, which indicates whether Syskey encryption is enabled. Alternatively, you can check for the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot. If the SecureBoot value (of type REG_DWORD) exists and is set to 0x1, 0x2, or 0x3, Syskey is enabled on the system.
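The registry check above is the one that scales to more than one machine, since the syskey dialog has to be opened interactively on each box. The following PowerShell function is an added example, not code from the original article: it reads the SecureBoot value under the Lsa key the article names on one or more computers and reports whether Syskey is enabled. It uses .NET remote registry access, which assumes the Remote Registry service is running and you hold administrative rights on each target; the hostnames in the usage line are placeholders.

```powershell
# Added example (not from the original article): audit machines for the
# SecureBoot value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and
# report whether Syskey is enabled, per the article's 0x1/0x2/0x3 rule.
function Get-SyskeyStatus {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Registry location from the article; registry value names are case-insensitive.
    $subKey    = 'SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName = 'SecureBoot'

    foreach ($computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            Computer   = $computer
            SecureBoot = $null
            Enabled    = $false
            Note       = ''
        }
        $hklm = $null
        $lsa  = $null
        try {
            # OpenRemoteBaseKey works for the local machine name as well, so one
            # code path serves both local and remote checks.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $lsa  = $hklm.OpenSubKey($subKey)
            if ($null -eq $lsa) { throw "Cannot open HKLM\$subKey" }

            $value = $lsa.GetValue($valueName)
            if ($null -eq $value) {
                # Missing value: the article treats this as Syskey not enabled.
                $result.Note = 'SecureBoot value not present'
            }
            elseif (1, 2, 3 -contains [int]$value) {
                # 0x1, 0x2 or 0x3 means Syskey is enabled (article's rule).
                $result.SecureBoot = '0x{0:X}' -f [int]$value
                $result.Enabled    = $true
                $result.Note       = 'Syskey enabled'
            }
            else {
                # Outside the documented range: flag for a manual look rather than
                # silently reporting it as enabled or disabled.
                $result.SecureBoot = '0x{0:X}' -f [int]$value
                $result.Note       = 'Unexpected SecureBoot value; inspect manually'
            }
        }
        catch {
            # Unreachable host, service stopped, or access denied all land here.
            $result.Note = "Query failed: $($_.Exception.Message)"
        }
        finally {
            if ($lsa)  { $lsa.Close() }
            if ($hklm) { $hklm.Close() }
        }
        $result
    }
}

# Local machine plus two placeholder hostnames; replace with real names.
Get-SyskeyStatus -ComputerName $env:COMPUTERNAME, 'SERVER01', 'SERVER02' |
    Format-Table Computer, SecureBoot, Enabled, Note -AutoSize
```

The function returns one object per computer rather than printing text, so the output can be filtered (for example, `Where-Object { -not $_.Enabled }`) or exported to CSV for a compliance report. It deliberately reports only the raw SecureBoot value, since the article states which values mean "enabled" but not which value corresponds to which Syskey level.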

Table 1: Syskey Levels

                                  Syskey Level 1                    Syskey Level 2                  Syskey Level 3
System key is                     Random key generated by the       Random key generated by the     Derived from a password chosen
                                  Windows OS                        Windows OS                      by the administrator
System key storage                System registry of local system   Floppy disk                     System key not stored anywhere
Requires physical administrator   No                                Yes                             Yes
presence to boot system
Important notes                   Default on Windows Server 2003,   Floppy disk must be stored
                                  R2, Windows 2000, and Windows     in a secure place
                                  XP systems