Hi friends, EFS protects files on the hard disk against attack, but the storage location of the private keys for the EFS-protected
files presents unique challenges for the system administrator.EFS files
are encrypted with a FEK that is itself encrypted with the user's
public key. The user must possess the corresponding private key to
decrypt that data. During normal operation, that private key must
obviously be stored somewhere on the hard drive? if it were stored only
in protected volatile memory, EFS files would not be accessible once a
computer was restarted.
The
location of a user's private keys is not a big secret, although it is
obfuscated to keep casual attackers away. The keys are stored in a
protected key store database. These keys are all protected by a single
key called a master key. Other keys used by the system for various cryptographic operations, called protection keys, are also stored in a similar fashion.
Because
an attacker who is able to obtain the master key for that account can
decrypt the stored private keys, it must be protected. To counter this
type of attack, Microsoft provides a utility called Syskey.
How Syskey Works
Syskey utility simply encrypts the private key store and the SAM using a 128-bit symmetric key called the system key, or syskey.
The syskey must be read into system memory during boot to decrypt the
SAM and private key store to allow the operating system to start.
Without this information, the operating system itself cannot start and
will fail. This is a minor benefit, as failure to boot may thwart
lightweight attackers. Syskey also prevents offline attackers from
copying the SAM and using brute force attacks against stored passwords.
Configure Windows System Key Protection
To Configure Windows System Key Protection, follow these steps:
- At a command prompt, type syskey, and then press ENTER.
- In the Securing the Windows Account Database dialog box, note that the Encryption Enabled option is selected and is the only option available. When this option is selected, Windows will always encrypt the SAM database.
- Click Update.
- Click Password Startup if
you want to require a password to start Windows. Use a complex password
that contains a combination of upper case and lower case letters,
numbers, and symbols. The startup password must be at least 12
characters long and can be up to 128 characters long.
Note If you must remotely restart a computer that requires a password (if you use the Password Startup option), a person must be at the local console during the restart. Use this option only if a trusted security administrator will be available to type the Startup password. - Click System Generated Password if you do not want to require a startup password.
Select either of the following options:- Click Store Startup Key on Floppy Disk to store the system startup password on a floppy disk. This requires that someone insert the floppy disk to start the operating system.
- Click Store Startup Key Locally to store the encryption key on the hard disk of the local computer. This is the default option.
Remove the SAM encryption key from the local hard disk by using the Store Startup Key on Floppy Disk option for optimum security. This provides the highest level of protection for the SAM database.
Always create a back-up floppy disk if you use the Store Startup Key on Floppy Disk option. You can restart the system remotely if someone is available to insert the floppy disk into the computer when it restarts.
No comments:
Post a Comment