Task 4.3: Implementing Syskey

Syskey is a utility that strengthens security on the user account database on a Windows system. It is built into the Windows operating system and encrypts the Security Accounts Management (SAM) database.

Syskey has three modes of operation:

  • Syskey Mode 1 is implemented by default on every Windows operating system since Windows 2000. Mode 1 encrypts the SAM database and stores the decryption key securely on the local system. This key is accessed automatically at system startup.
  • Syskey Mode 2 stores the key locally, but requires that a system key password be typed in during the system bootup process to access the SAM database decryption key just prior to starting any services. Without the proper system key password, system services fail to start, thus crippling the system.
  • Syskey Mode 3 stores the key locally, but requires that a system key password be supplied via removable media, like a floppy disk or a USB drive, during the system bootup process to access the SAM database decryption key. Without the removable media containing the system key password, system services fail to start, thus crippling the system.

Scenario

You are responsible for strengthening the security of several of your critical systems. You must configure one of your critical systems with a startup password to be entered by a system administrator. Unfortunately, the BIOS on this system does not provide for this capability, so you must implement Syskey Mode 2.

Scope of Task

Duration

This task should take 30 minutes.

Setup

You are the administrator of an XP Professional system and wish to strengthen its security.

Caveat

Syskey is a powerful tool that can and will lock you out of your own system!

Do not choose to export the key unless you have one of the following:

  • A USB port and a USB drive
  • A functioning A: drive with a usable, formatted, blank floppy disk

Once you initiate the export process, the system changes the decryption key and must then finish exporting the new system key password. There is no cancel feature! If the system changes the decryption key and does not export the new system key password to removable media, it may not be possible to log on to the computer.

Follow the steps in this procedure carefully.

Procedure

For this task, you will log on to the XP Professional system as the Local Administrator. You will launch Syskey and implement Mode 2.

Equipment Used

For this task, you must have:

  • Windows XP Pro system with the following configuration:
    • A member of a workgroup (not a member of a domain)
  • Local Administrator access

Details

Implementing Syskey Mode 2

1. Log on to the Windows XP Pro system as the Local Administrator.

2. Select Start ⇒ Run and type in Syskey. Click OK. Doing so opens the Securing The Windows XP Account Database dialog box.

3. Notice that you cannot disable encryption; the option is dimmed in the Securing The Windows XP Account Database dialog box. Click Update.

4. By default, Windows 2000, XP, Server 2003, Windows Vista, Windows 7, Server 2008, and Server 2008 R2 are configured to store the startup key locally. Select Password Setup and enter Password1 in both the Password and Confirm fields.

5. Click OK. You will be presented with a success message. Click OK to clear the message.

Testing Syskey Mode 2

1. From the Start menu, select Shut Down.

2. In the Shut Down Windows dialog box, select Restart from the drop-down list.

3. As the system restarts, before any system services are started you will be presented with a Windows XP Startup Password dialog box. Enter the password Password1 and click OK.

4. Startup will complete and you will be presented with the standard MS GINA dialog box.

MS GINA is the Microsoft Graphical Identification And Authentication dialog box.

5. Log on normally as the Administrator.

Resetting Syskey to Mode 1

1. Select Start ⇒ Run and type Syskey. Click OK.

2. Click Update in the Securing The Windows XP Account Database dialog box.

3. Under System Generated Password in the Startup Key dialog box, select Store Startup Key Locally.

You could also change the startup password, remaining in Syskey Mode 2, by entering and confirming a new password here.

4. You will be prompted for the startup password. Enter Password1, and then click OK.

5. You will receive a success message indicating that the startup key was changed. Click OK to clear the message.

Criteria for Completion

You have completed this task when you have configured the system to operate in Syskey Mode 2 and then tested this with a reboot that requires you to enter the new startup password. You must then reset the system into Syskey Mode 1, Syskey’s default mode of operation.
