Getting the Most from Windows System Key

Q: What's the Windows System Key, and how can I configure it to get the most out of this security feature?

A: The System Key (aka Syskey) security feature adds an extra level of encryption for important Windows security data. Syskey secures this security data only when the OS isn't running. When the OS boots, the Syskey “system key” is loaded into memory so you can use it to unlock the security data. Syskey is enabled by default on any Windows Server 2003 R2, Windows 2000, and Windows XP system. Syskey protects the following important security data:

Out of the box, the system key is stored in the system registry of the local system. This approach isn't ideal for systems that require a high level of security. Therefore, you might want to let Syskey prompt the user for a system key password at system startup. To set this up, type

    
syskey   

at a command prompt, choose update, and select the Password Startup option. The Syskey password length can be between 1 and 128 characters. I recommend you use a password length of at least nine characters.

Syskey also lets you store the startup key on a floppy disk (as Figure 1 shows). In that case, you must provide the floppy each time the system boots. Both the password startup and floppy disk options require the user or administrator to be physically present when the system boots (no pain, no gain!) Table 1 summarizes the various Syskey options, which are also referred to as Syskey levels.

The easiest way to find out whether a Windows NT machine has Syskey enabled is to type

  syskey  

at the command prompt. This command brings up the Securing the Windows Account Database dialog box, which indicates whether Syskey encryption is enabled. Alternately, you can check for the registry value HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaSecureboot. If the Secureboot value (of type REG_DWORD) exists and is set to a value of 0x1, 0x2, or 0x3, Syskey is enabled on the system.

Syskey Levels