Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability

The default configuration of SYSKEY allows any local user to decrypt data encrypted with the Encrypted File System (EFS).

A known vulnerability exists in Windows 2000 where the SAM database can be deleted if the system is booted with a different operating system. Upon reboot, a new SAM database is created with the Administrator account having a blank password. A malicious user can now login as Administrator and decrypt data if the recovery key resides on the system.

The default mode SYSKEY operates in is to 'Store Startup Key Locally'. Under this mode, Windows 2000 will generate a random 128-bit system key and store it in the registry under HKLM/SYSTEM. Running SYSKEY in this mode will leave the system vulnerable to the exploit mentioned above.

In addition, a tool called 'ntpasswd' is available which can reset the password of any local user account, including the administrator account, by modifying password hashes in the SAM database. A local user can use this tool to login as Administrator (who is the default data recovery agent in the EFS) and from there, decrypt data using the EFS.

Domain-based accounts are not affected by this vulnerability.


Privacy Statement
Copyright 2010, SecurityFocus