System Key enables stronger encryption of the account passwords stored in the
registry in the SAM (Security Account Manager) database. With System Key
installed, the passwords have enhanced encryption in the SAM. Note that this
applies only to the passwords and not, for example, to the user name.
When System Key encryption has been enabled, backups of the SAM database are
also encrypted, for example on backup tapes, RDISK and %systemroot%\repair,
which are often used to crack passwords.
System Key is used to make decrypting or cracking your passwords from the SAM
more difficult and time-consuming. Crackers such as L0pht Crack, John the
Ripper and Crack 5 with NT Extensions are often used to break NT password
hashes. These use dictionary and brute-force techniques. L0pht Crack now uses
a form of intelligent brute forcing, which is the next generation of
crackers.
- System Key prevents SAM dumping with the tool built into L0pht Crack 2.5.
- System Key prevents SAM dumping with the tool pwdump.
- System Key does not stop SAM dumping with the tool pwdump2, which uses DLL
injection techniques different from those of pwdump.
- System Key does not prevent password cracking or decryption.
- System Key reuses the keystream used to perform some of the encryption.
This significantly reduces the strength of the protection it provides by
enabling a well-known cryptanalytic attack to be used against it. Todd Sabin
from Bindview (www.bindview.com), the author of pwdump2, discovered this
exploit in December 1999.
- System Key still increases the time and complexity to crack password
hashes.
Note: pwdump and pwdump2 require administrator access to be used.
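The keystream-reuse weakness listed above, as an added example (not part of the original FAQ and not the System Key code): a SHA-256 counter-mode keystream stands in for the real cipher, and the key, records and nonces are constructed. It shows the reused keystream cancelling out of two ciphertexts, and the same check failing once each record gets its own nonce.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode); an assumption, not the System Key cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream(key, nonce)."""
    return xor(data, keystream(key, nonce, len(data)))


def reuse_leaks(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 equals p1 XOR p2, i.e. the keystream has cancelled out."""
    return xor(c1, c2) == xor(p1, p2)


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """c_known XOR p_known yields the keystream; applying it to c_other decrypts
    c_other only if both records were encrypted under the same keystream."""
    return xor(xor(c_known, p_known), c_other)


KEY = bytes(range(16))  # constructed key
# Constructed 16-byte records standing in for two stored password hashes.
REC_A = hashlib.md5(b"constructed-record-A").digest()
REC_B = hashlib.md5(b"constructed-record-B").digest()


def weak_store():
    """Weak design: every record is encrypted under the same keystream."""
    nonce = b""
    return encrypt(KEY, nonce, REC_A), encrypt(KEY, nonce, REC_B)


def hardened_store():
    """Corrected design: a unique nonce per record gives each its own keystream."""
    return encrypt(KEY, b"record-0001", REC_A), encrypt(KEY, b"record-0002", REC_B)
```

With a reused keystream, knowing one record's plaintext is enough to decrypt any other record without the key; with per-record nonces the same calculation returns unrelated bytes.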
System Key affects the following system components:
  %systemroot%\system32\config\sam        HKEY_LOCAL_MACHINE\SAM
  %systemroot%\system32\config\security   HKEY_LOCAL_MACHINE\Security
and three system security component files: Winlogon.exe, Samsrv.dll and
Samlib.dll.
For installing System Key, also see Q. How do I use the System Key
functionality of Service Pack 3?