O'Reilly logo

Securing Windows NT/2000 Servers for the Internet by Stefan Norberg

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Advanced Configuration

The steps performed so far have used the standard administrative tools in Windows NT. Now it’s time to work on some more advanced tasks to further enhance the security of your system. These tasks include:

  • Encrypting the password database

  • Editing the registry

  • Disabling unnecessary files

Protecting the System Accounts Database

If an attacker gets hold of a system backup or an emergency repair disk, he could use a tool such as L0phtCrack to run a dictionary attack or a brute force attack on the Systems Account Manager (SAM) database. However, if the password hashes in the database are encrypted, these attacks will be unsuccessful.

In NT 4.0 Service Pack 3, Microsoft introduced a facility for encrypting the password hashes stored in the SAM database. This facility protects the database from offline password cracking attempts. To implement this encryption feature, run the following command:

C:\> syskey

Running syskey brings up the dialog box shown in Figure 2.5. Note that enabling password encryption is a one-way operation—once it is enabled, it cannot be disabled.

The syskey command encryption dialog box

Figure 2-5. The syskey command encryption dialog box

When you enable encryption, the system creates a random 128-bit encryption key. This is used to encrypt the password hash entries in the SAM database in the registry (HKLM\SAM). The encryption key is protected with another key, called the system key ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required