System key enables stronger encryption of account passwords stored in the registry in the SAM (Security Account Manager) database. With System key installed the passwords have enhanced encryption in the SAM. Note this is
only the passwords and not for example the user name.
When System Key encryption has been enabled backups of the SAM database will also be encrypted: For example on back up tapes, RDISK and %systemroot%\repair. Which are often used to crack passwords.
System Key is used to make the decrypting or cracking of your passwords from the SAM more difficult and time consuming. Crackers such as L0pht crack ,
John the Ripper, Crack 5 with NT Extensions are used often to break NT password hashes. These use dictionary and brute force types of techniques.
L0pht Crack is now using a form of intelligent brute forcing, which is the next generation of crackers.
- System Key prevents SAM dumping with the tool built into L0pht Crack 2.5.
- System Key prevents SAM dumping with the tool pwdump.
- System Key does not stop SAM dumping with the tool pwdump2 which uses DLL injection techniques different to pwdump.
- System Key does not prevent password cracking or decryption.
- System Key reuses the keystream used to perform some of the encryption.
This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it. Todd
Sabin from Bindview (www.bindview.com) and the author of pwdump2 discovered this exploit in December-1999.
- System Key still increases the time and complexity to crack password hashes.
Note; Pwdump and pwdump2 require administrator access to be used.
System Key affects the following system components:
and three system security component files: Winlogon.exe, Samsrv.dll, Samlib.dll
Also see Q. How do I use the System Key functionality of Service Pack 3? for installing System Key.
For more information on System Key see Q143475 at http://support.microsoft.com/support/kb/articles/q143/4/75.asp
For information on the "System Key Keystream Reuse" Vulnerability and patch see http://www.microsoft.com/security/bulletins/ms99-056.asp
Contributed by Nathan House