Use SysKey to protect the SAM database (Microsoft Windows XP/2003)

The Security Accounts Manager (SAM) database stores local user account information, including user passwords in hashed form. However, the system key that’s used to encrypt the database is stored on the local machine. This poses a security risk because a hacker might be able to access the encryption key and decrypt the database.

Microsoft provides a utility called SysKey that you can use to secure the system key by moving it to a different location or setting a password that will be required for Windows to decrypt the key and access the SAM database.

Here’s how to use SysKey on a Windows NT 4.0, 2000, XP, or Server 2003 computer:

1. Choose Start | Run, type cmd, and click OK to open a command line window.
2. At the command prompt, type syskey and press [Enter].
3. A dialog box appears with a warning that once you enable encryption, it can’t be disabled. Click the Update button.
4. The Startup Key dialog box appears. To set a password, select the Password Startup option button, and then type and confirm a password to be entered when the system starts up.
5. If you don’t want to require the entry of a startup password, click System Generated Password.
6. If you want to move the key off the local disk, click Store Startup Key On Floppy Disk. Insert a floppy disk, and then click OK.

If you choose to store the key on a floppy disk, make a backup (or two) of the disk. Note that when you implement Syskey security, you’ll have to enter the startup password or insert the floppy disk to start Windows, so it’s very important that you don’t forget the password or lose the disk.

Also, note that you won’t be able to start the computer remotely unless someone is present at the console to type the password or insert the floppy disk.