Using the System Key

You can provide another level of protection for master keys and various other secrets through use of the system key. The system key protects the following sensitive information:

• Master keys that are used to protect private keys
• Protection keys for user account passwords stored in Active Directory
• Protection keys for passwords stored in the registry in the local Security Accounts Manager (SAM) registry key
• Protection keys for LSA secrets
• The protection key for the administrator account password that is used for system recovery startup in safe mode

For all computers in a domain, the secret key is enabled by default and all master keys and protection keys stored on a computer are encrypted with the unique 128-bit symmetric random system key. The system key must be in volatile memory on the operating system during system startup to unlock the password protection key. There are three ways to configure the system key for computers:

• Use a computer-generated random key as the system key and store it on the local system by using a complex obfuscation algorithm that scatters the system key throughout the registry. This option allows you to restart the computer without having to enter the system key. This is the default configuration for the system key.
• Use a computer-generated random key, but store it on a floppy disk. The system key is not stored anywhere on the local computer, and the floppy disk must be inserted for the system to start. It is inserted when prompted after Windows 2000 begins the startup sequence, but before it is available for users to log on to the system.
• Use a password chosen by the administrator to derive the system key. The password is not stored anywhere on the computer. Windows 2000 prompts the administrator for the password when the system is in the initial startup sequence, but before the system is available for users to log on.

The system key configuration options are available from the system key dialog boxes that appear when you run syskey. For computers in a domain, you must be a member of the Domain Admin group to run syskey. For stand-alone computers, you must be logged on as the local Administrator to run syskey. You can configure the system key differently for each computer in the domain.

System key protection is enabled by default in each domain, but you might want to change the default system key option for various computers in a domain. You also might need to enable system key protection for stand-alone computers.

To configure system key protection

1. Type syskey at the command prompt. This brings up the dialog box shown in Figure 15.15.

Enlarge figure

Figure 15.15 System Key Dialog Box

After system key protection is enabled, it cannot be disabled.

2. If it is not already selected, click Encryption Enabled, and then click OK. After a reminder that you should create an updated emergency repair disk, you are presented with options for the Account Database Key as shown in Figure 15.16. The default option is a system-generated password that is stored locally.

Enlarge figure

Figure 15.16 Account Database Key Dialog Box

3. Select the system key option that you want, and then click OK.
4. Restart the computer.

When the system restarts, you might be prompted to enter the system key, depending on the key option you chose. Windows 2000 detects the first use of the system key and generates a new random password encryption key. The password encryption key is protected with the system key, and then all account password information is strongly encrypted.

At subsequent startups:

1. Windows 2000 obtains the system key, either from the locally stored key, the password entry, or insertion of a floppy disk, depending on the option you chose.
2. Windows 2000 uses the system key to decrypt the master protection key.
3. Windows 2000 uses the master protection key to derive the per-user account password encryption key that is then used to decrypt the password information in Active Directory or the local SAM registry key.

The syskey command can be used again later to change the system key storage option or to change the password.

To change the system key option or password

1. Type syskey at a command prompt to bring up the initial system key dialog box, as shown in Figure 15.15.
2. Click Update.
3. In the Account Database Key dialog box (Figure 15.16), select a key option or change the password, and then click OK.
4. Restart the computer.

Changing the system key requires knowledge of, or possession of, the current system key. If the password-derived system key option is used, syskey does not enforce a minimum password length; however, passwords longer than 12 characters are recommended. The maximum length is 128 characters.

Warning

If the system key password is forgotten or the floppy disk that contains the system key is lost, it might not be possible to start the system. Protect and store the system key safely. If it is on a floppy disk, make backup copies and store them in a different location. The only way to recover the system if the system key is lost is by using a repair disk to restore the registry to a state prior to enabling system key protection. This means that you would lose any information or changes which have accrued since then.

System key options can be configured independently on all computers in a domain. When configured for the system key, each computer has a unique password encryption key and a unique system key. For example, the first domain controller might be configured to use a computer-generated system key stored on a disk, and secondary domain controllers might each use a different computer-generated system key stored on the local system. A computer-generated system key stored locally on a primary domain controller is not replicated.

Before enabling the system key when you have a single domain controller, you might want to ensure that a second, complete, updated domain controller is available as a backup system until changes to the first domain controller are complete and verified. Before you change the system key options on a computer, it is recommended that you make a fresh copy of the emergency repair disk for that computer. For more information about making an emergency repair disk, see Microsoft Windows 2000 Server Help or Microsoft Windows 2000 Professional Help.

© 1985-2000 Microsoft Corporation. All rights reserved.