Safeguarding the Security Accounts Manager
The Security Accounts Manager (SAM) stores account password information in the registry. What it stores is not the password itself but a one-way hash of it, and that hash is encrypted (with a 128-bit key) before it is written to disk. Even so, the SAM presents a tempting target to attackers, as you might imagine: anyone who can recover the hashed values can feed them to a password-cracking utility and guess passwords offline, at leisure. In Windows NT 4, in fact, a number of well-publicized vulnerabilities made it possible for attackers to pull the hashed password values out of the SAM and do exactly that. Microsoft's response was to tighten security with a utility called Syskey, introduced in Windows NT 4 Service Pack 3. Syskey, which is enabled by default in Windows 2000 and Windows XP (it was optional in Windows NT 4), protects account information stored in the SAM by using multiple levels of encryption. (That is, each account's password hash is encrypted by a per-account password encryption key, which is encrypted by a master protection key, which is in turn encrypted by the startup key, also called the system key. Did you follow all that?)

By default, the startup key is a machine-generated random key stored on the local computer, in the registry alongside the data it protects. This provides good protection against an attacker who can only read the SAM itself, but it has an important limitation: anyone who can obtain an offline copy of the registry (for example, by booting the computer from other media and copying the files from the disk) has both the encrypted hashes and the key that unlocks them, so the hashes can still be extracted and handed to a password-cracking utility. Physical access to the computer therefore remains a real threat in the default configuration. On computers that require extra-high levels of protection, you can ratchet this security up another notch by removing the startup key from the computer and storing it on a floppy disk, which must then be present whenever the computer starts; without that disk, the encrypted hashes in an offline copy of the registry are of no use to an attacker. For details on the pros and cons of this technique, as well as step-by-step instructions, see Adding Another Layer of Protection with Syskey.
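To make the layered scheme and its weak spot concrete, here is a small model of it, added as an example for this page; it is not Microsoft's code or algorithm. It wraps a stored password hash with a per-account key, wraps that with a master key, and wraps the master key with a startup key, exactly the chain described above, then shows what an offline attacker gets with a copy of the registry in the default mode (startup key on the same disk) versus the floppy-disk mode (startup key absent). The cipher (an HMAC-SHA256 keystream), the hash function (SHA-256 standing in for the SAM's real LM/NT hashes), the RID-based per-account key derivation, and the sample accounts and wordlist are all assumptions made so the example runs anywhere; real Syskey uses RC4 and DES with its own derivations.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher for the example: XOR data with an
    HMAC-SHA256 counter-mode keystream. The same call encrypts and decrypts.
    (Real Syskey uses RC4 and DES; this is not Microsoft's algorithm.)"""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def password_hash(password: str) -> bytes:
    """Stand-in for the one-way hash the SAM stores (the real SAM stores
    LM/NT hashes; SHA-256 is used here only so the example runs anywhere)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def account_key(master_key: bytes, rid: int) -> bytes:
    """Per-account password encryption key, derived from the master key and
    the account's RID (an assumption of this model, not the real derivation)."""
    return hmac.new(master_key, rid.to_bytes(4, "little"), hashlib.sha256).digest()


def build_sam(accounts: dict, startup_key: bytes) -> dict:
    """Build a registry-like SAM: each hash is encrypted with a per-account
    key, and the master key is encrypted with the startup key."""
    master_key = os.urandom(32)
    records = {}
    for rid, (name, password) in enumerate(accounts.items(), start=500):
        records[rid] = {
            "name": name,
            "enc_hash": keystream_xor(account_key(master_key, rid), b"hash",
                                      password_hash(password)),
        }
    return {"accounts": records,
            "enc_master_key": keystream_xor(startup_key, b"master", master_key)}


def extract_hashes(sam: dict, startup_key: bytes) -> dict:
    """What the OS (or an attacker) does with the SAM plus the startup key:
    unwrap the master key, then each per-account key, then each hash."""
    master_key = keystream_xor(startup_key, b"master", sam["enc_master_key"])
    hashes = {}
    for rid, record in sam["accounts"].items():
        hashes[record["name"]] = keystream_xor(account_key(master_key, rid),
                                               b"hash", record["enc_hash"])
    return hashes


def crack(hashes: dict, wordlist: list) -> dict:
    """Offline dictionary attack on recovered hashes: hash every candidate
    word once and look each account's hash up in the result."""
    table = {password_hash(word): word for word in wordlist}
    return {name: table[h] for name, h in hashes.items() if h in table}


# Constructed sample accounts and wordlist for the demonstration.
ACCOUNTS = {"Administrator": "letmein", "alice": "correct horse battery"}
WORDLIST = ["password", "123456", "letmein", "qwerty"]


def demo_default_mode() -> dict:
    """Startup key stored on the local computer: an offline copy of the
    registry carries both the SAM and the key, so hashes are recovered."""
    startup_key = os.urandom(16)  # 128-bit, like Syskey's key
    registry_copy = {"SAM": build_sam(ACCOUNTS, startup_key),
                     "SYSTEM": {"startup_key": startup_key}}
    recovered = extract_hashes(registry_copy["SAM"],
                               registry_copy["SYSTEM"]["startup_key"])
    return crack(recovered, WORDLIST)


def demo_key_on_floppy() -> dict:
    """Startup key kept off the computer: the registry copy lacks it, and
    unwrapping with a guessed key yields bytes that match nothing."""
    startup_key = os.urandom(16)
    registry_copy = {"SAM": build_sam(ACCOUNTS, startup_key)}  # no key on disk
    guessed = extract_hashes(registry_copy["SAM"], os.urandom(16))
    return crack(guessed, WORDLIST)


if __name__ == "__main__":
    print("key on disk   :", demo_default_mode())
    print("key on floppy :", demo_key_on_floppy())
```

Run as a script, the first line reports the Administrator password cracked from the weak wordlist entry, and the second reports nothing cracked. The point is not the cipher but the key hierarchy: three layers of encryption add nothing against an offline attacker if the outermost key sits on the same disk as the data, which is why the floppy-disk option exists.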
