Now that we've provided an overview of security principals and capabilities, let's
explore in more detail how objects such as accounts and passwords are managed in
Windows. On all Windows computers, the SAM (Security Accounts Manager) contains user
account names and password information. The password information is kept in a
scrambled form that cannot be reversed to the original password using known
techniques (although the scrambled value can still be guessed, as you will see in
Chapter 7). The scrambling procedure is called a one-way function (OWF), or hashing
algorithm, and it produces a hash value that cannot be decrypted. We will refer to
password hashes a great deal in this book. The SAM is one of the five Registry
hives and is implemented in the file %systemroot%\system32\config\sam.
On Windows 2000 and later domain controllers, the account/hash data for the domain
is kept in Active Directory (%systemroot%\ntds\ntds.dit, by default). The hashes
are kept in the same format, but they must be accessed by different means.
SYSKEY
Under NT, password hashes were stored directly in the SAM file. Starting with NT 4
Service Pack 3, Microsoft provided the ability to add another layer of encryption to
the SAM hashes, called SYSKEY. SYSKEY, short for SYStem KEY, derives a random
128-bit key and encrypts the hashes again (not the SAM file itself, just the
hashes). To enable SYSKEY on NT 4, you run the SYSKEY command, which presents the
SYSKEY dialog (screenshot not reproduced here).
Clicking the Update button in this dialog presents further SYSKEY options, namely
how and where the SYSKEY is stored. The SYSKEY can be stored in one of three ways:

Mode 1  Stored in the Registry and made available automatically at boot time
        (this is the default)
Mode 2  Stored in the Registry but locked with a password that must be supplied
        at boot time
Mode 3  Stored on a floppy disk that must be supplied at boot time

(Illustration of the mode-selection dialog not reproduced here.)
Modern Windows versions (up to and including Server 2008) still implement SYSKEY
Mode 1 by default, so the password hashes stored in either the SAM or Active
Directory are encrypted with SYSKEY as well as hashed. Unlike NT 4 SP3, it does not
have to be enabled manually. Note that in Mode 1 the key material itself lives in
the SYSTEM hive, so anyone who obtains a copy of both the SAM and SYSTEM hives has
everything needed to strip this extra layer. In Chapters 7 and 11, we discuss the
implications of SYSKEY and the mechanisms used to circumvent it.
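The following is an added example, not code from the book, showing concretely what "stored in the Registry" means for SYSKEY Mode 1. The 16 key bytes are not a single registry value: they are split across the class names of four subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (JD, Skew1, GBG and Data), each an 8-character hex string, and the concatenated bytes are then reordered with a fixed permutation table. The layout and permutation used here are the ones implemented by open-source SAM tools such as creddump and impacket; the sample class names are constructed for the demonstration and come from no real host, and the function names (syskey_from_class_names, describe_syskey_mode, read_live_class_names) are this example's own. The assembly applies to Mode 1 only; in Modes 2 and 3 the registry material alone is not the key.

```python
"""Assemble the SYSKEY from its Mode 1 registry storage (added example)."""
import sys
from binascii import unhexlify

# Subkeys of HKLM\SYSTEM\CurrentControlSet\Control\Lsa whose class names carry
# the key material, in the order in which their bytes are concatenated.
SYSKEY_SUBKEYS = ("JD", "Skew1", "GBG", "Data")

# Fixed byte permutation applied to the 16 concatenated class-name bytes
# (the table used by creddump/impacket).
SYSKEY_PERMUTATION = (8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7)

# Meaning of the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot DWORD,
# which records which of the three SYSKEY modes is in use.
SYSKEY_MODES = {
    1: "Mode 1: key stored in the Registry, loaded automatically at boot",
    2: "Mode 2: key stored in the Registry, locked with a boot-time password",
    3: "Mode 3: key stored on a floppy disk supplied at boot",
}


def syskey_from_class_names(class_names):
    """Assemble the 16-byte SYSKEY from the four Lsa subkey class names."""
    raw = b""
    for sub in SYSKEY_SUBKEYS:
        name = class_names[sub]
        if len(name) != 8:
            raise ValueError(f"class name of {sub} must be 8 hex digits, got {name!r}")
        raw += unhexlify(name)  # binascii.Error on non-hex input
    # Reorder the 16 bytes; this permuted value is the SYSKEY itself.
    return bytes(raw[i] for i in SYSKEY_PERMUTATION)


def describe_syskey_mode(secure_boot):
    """Translate the Lsa\\SecureBoot value into the mode the text describes."""
    return SYSKEY_MODES.get(secure_boot, f"unknown SecureBoot value {secure_boot!r}")


def read_live_class_names():
    """Read the real class names on a Windows host (run as an administrator).

    winreg does not expose key class names, so RegQueryInfoKeyW is called
    through ctypes on the handle that winreg opened.
    """
    import ctypes
    import winreg
    from ctypes import wintypes

    names = {}
    for sub in SYSKEY_SUBKEYS:
        path = r"SYSTEM\CurrentControlSet\Control\Lsa" + "\\" + sub
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            buf = ctypes.create_unicode_buffer(256)
            size = wintypes.DWORD(len(buf))
            rc = ctypes.windll.advapi32.RegQueryInfoKeyW(
                wintypes.HKEY(key.handle), buf, ctypes.byref(size),
                None, None, None, None, None, None, None, None, None)
            if rc != 0:
                raise OSError(rc, f"RegQueryInfoKeyW failed for {path}")
            names[sub] = buf.value
    return names


# Constructed sample input: hex strings of the form RegQueryInfoKeyW returns.
SAMPLE_CLASS_NAMES = {
    "JD": "0123abcd",
    "Skew1": "4567ef01",
    "GBG": "89ab2345",
    "Data": "cdef6789",
}

if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Control\Lsa") as lsa:
            mode = winreg.QueryValueEx(lsa, "SecureBoot")[0]
        print(describe_syskey_mode(mode))
        names = read_live_class_names()
    else:
        names = SAMPLE_CLASS_NAMES
    print("SYSKEY:", syskey_from_class_names(names).hex())
```

On a non-Windows host the script runs against the constructed sample and prints the permuted key; on Windows it reads SecureBoot and the live class names, which is exactly why a copied SYSTEM hive is sufficient to recover a Mode 1 key offline.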