Windows NT 4.0 Service Pack 3 (SP3) contains a new feature that introduces the ability to increase security on the SAM database. Called System Key (SYSKEY), the new feature was initially released as a post-SP2 hotfix. According to article Q143475, "The Windows NT Server 4.0 System Key ... provides the capability to use strong encryption techniques to increase protection of account password information stored in the registry by the Security Account Manager (SAM)."

SYSKEYs are used upon system startup to decrypt the SAM database, and are used in one of three ways:

- The system generates a secure key, which is stored on the local hard disk for unattended system startup.
- The system generates a secure key, which is stored on a floppy disk that must be inserted during system startup.
- An administrator-specified password, which must be entered on system startup, is used to encrypt the SAM database.

To learn more about SYSKEY, including some caveats, be sure to visit our Windows 2000 FAQ Site.

http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14762
http://support.microsoft.com/support/kb/articles/q143/4/75.asp