[4398] in bugtraq


Windows NT 4.0 SAM hotfix

daemon@ATHENA.MIT.EDU (Aleph One)
Sat May 3 12:50:40 1997

Date: 	Fri, 2 May 1997 22:09:36 -0500
Reply-To: Aleph One <aleph1@dfw.net>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG

--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation, version 4.0
 - Microsoft Windows NT Server, version 4.0
--------------------------------------------------------------------------

SUMMARY
=======

The Windows NT Server 4.0 System Key hotfix provides the capability to use
strong encryption techniques to increase protection of account password
information stored in the registry by the Security Account Manager (SAM).
Windows NT Server stores user account information, including a derivative
of the user account password, in a secure portion of the Registry protected
by access control and an obfuscation function. The account information in
the Registry is only accessible to members of the Administrators group.
Windows NT Server, like other operating systems, allows privileged users
who are administrators access to all resources in the system. For
installations that want enhanced security, strong encryption of account
password derivative information provides an additional level of security to
prevent Administrators from intentionally or unintentionally accessing
password derivatives using Registry programming interfaces.

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT Server version
4.0.

A supported fix is now available, but has not been fully regression-tested
and should be applied only to systems experiencing this specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Technical Support for more information.

You can obtain this Application Note from the following sources:

 - Microsoft's World Wide Web Site on the Internet at:

      http://www.microsoft.com/ntserversupport/

 - The Internet (Microsoft anonymous ftp server) at:

      ftp://ftp.microsoft.com/bussys/winnt-public/fixes/usa/nt4/hotfixes-postSP2/sec-fix/

 - Microsoft Technical Support

MORE INFORMATION
================

The strong encryption capability with the Windows NT 4.0 System Key hotfix
is an optional feature. Administrators may choose to implement strong
encryption by defining a System Key for Windows NT. Strong encryption
protects private account information by encrypting the password data using
a 128-bit cryptographically random key, known as a password encryption key.
Only the private password information is strongly encrypted in the
database, not the entire account database. Every system using the strong
encryption option will have a unique password encryption key. The password
encryption key is itself encrypted with a System Key. Strong password
encryption may be used on both Windows NT Server and Workstation where
account information is stored. Using strong encryption of account passwords
adds additional protection for the contents of the SAM portion of the
registry and subsequent backup copies of the registry information in the
%systemroot%\repair directory created using the RDISK command and on system
backup tapes.

The System Key is defined using the command SYSKEY.EXE. Only members of the
Administrators group can run the SYSKEY.EXE command. The utility is used to
initialize or change the System Key. The System Key is the "master key"
used to protect the password encryption key and therefore protection of the
System Key is a critical system security operation.

There are three options for managing the System Key designed to meet the
needs of different Windows NT environments. The System Key options are the
following:

 - Use a machine generated random key as the System Key and store the key
   on the local system using a complex obfuscation algorithm. This option
   provides strong encryption of password information in the registry and
   allows for unattended system restart.

 - Use a machine generated random key and store the key on a floppy disk.
   The floppy disk with the System Key is required for the system to start
   and must be inserted when prompted after Windows NT begins the startup
   sequence, but before the system is available for users to logon. The
   System Key is not stored anywhere on the local system.

 - Use a password chosen by the Administrator to derive the System Key.
   Windows NT will prompt for the System Key password when the system is in
   the initial startup sequence, but before the system is available for
   users to logon. The System Key password is not stored anywhere on the
   system. An MD5 digest of the password is used as the master key to
   protect the password encryption key.

The System Key options using either a password or requiring a floppy disk
introduce a new prompt during the initialization of the Windows NT
operating system. They offer the strongest protection option available
because master key material is not stored on the system and control of the
key can be restricted to a few individuals. On the other hand, knowledge of
the System Key password, or possession of the System Key diskette is
required to boot the system. (If the System Key is saved to a floppy disk,
backup copies of the System Key diskette are recommended.) Unattended
system restart may require that System Key material be available to the
system without Administrator response. Storing the System Key on the local
system using a complex obfuscation algorithm makes the key available only
to core operating system security components. In the future, it will be
possible to configure the System Key to obtain the key material from tamper
proof hardware components for maximum security.

WARNING: If the System Key password is forgotten or the System Key floppy
disk is lost, it may not be possible to start the system. Protect and store
the System Key information safely with backup copies in the event of
emergency. The only way to recover the system if the System Key is lost is
using a repair disk to restore the registry to a state prior to enabling
strong encryption. See the Repair Issues section below.

Strong encryption may be configured independently on the Primary and each
Backup Domain Controller (DC). Each domain controller will have a unique
password encryption key and a unique System Key. For example, the Primary
DC may be configured to use a machine generated System Key stored on a
diskette, and Backup DCs may each use a different machine generated System
Key stored on the local system. A machine generated System Key stored
locally on a Primary domain controller is not replicated.

Before enabling strong encryption for Primary domain controllers, you may
want to ensure a complete updated Backup domain controller is available to
use as a backup system until changes to the Primary domain are complete and
verified. Before enabling strong encryption on any system, Microsoft
recommends making a fresh copy of the Emergency Repair Disk, including the
security information in the registry, using the command, RDISK /S.

The SYSKEY command is used to select the System Key option and generate the
initial key value. The key value may be either a machine generated key or a
password derived key. The SYSKEY command first displays a dialog showing
whether strong encryption is enabled or disabled. After the strong
encryption capability is enabled, it cannot be disabled. To enable strong
authentication of the account database, select the option "Encryption
Enabled", and click OK. A confirm dialog appears reminding the
administrator to make an updated emergency repair disk. A new dialog
appears presenting options for the Account Database Key. Use the options
available on the Account Database Key dialog to select the System Key.

After selecting the System Key option, Windows NT must be restarted for the
System Key option to take effect. When the system restarts, the
administrator may be prompted to enter the System Key, depending on the key
option chosen. Windows NT detects the first use of the System Key and will
generate a new random password encryption key. The password encryption key
is protected with the System Key, and then all account password information
is strongly encrypted.

The SYSKEY command needs to be run on each system where strong encryption
of the account password information is required. SYSKEY supports a "-l"
command option to generate the master key and store the key locally on the
system. This option enables strong password encryption in the registry and
allows the command to run without an interactive dialog. The SYSKEY command
can be used at a later time to change the System Key options from one
method to another, or to change the System Key to a new key. Changing the
System Key requires knowledge of, or possession of, the current System Key.
If the password derived System Key option is used, SYSKEY does not enforce
a minimum password length; however, long passwords (greater than 12
characters) are recommended. The maximum System Key password length is 128
characters.

REPAIR ISSUES
-------------

Introduction of strong encryption of account password information changes
the SYSTEM and SAM portions of the registry in ways that affect the repair
options available for recovery of a Windows NT system. Always use the RDISK
command with the /S option to create a new Emergency Repair Disk including
a backup copy of the SYSTEM and SAM portion of the registry in the \repair
directory.

For complete recovery options, the following Emergency Repair Disks should
be available:

 - Prior to installing the System Key hotfix, create a fresh repair disk.
   This disk is a "pre-hotfix" repair disk that contains a copy of the
   system configuration and account information prior to installation of
   the hotfix. The "pre-hotfix" repair disk may be used to recover the
   registry and system files using the Windows NT distribution CDROM.

 - After installation of the System Key hotfix, but before enabling strong
   encryption using the SYSKEY command, create a repair disk. This repair
   disk is "hotfix – Before Encryption". This repair disk can be used to
   repair the Registry to the state before strong encryption is enabled;
   for example, it may be used to recover a system if the Windows NT System
   Key is lost or forgotten.

 - After running SYSKEY to enable strong encryption, create a repair disk.
   This repair disk is "hotfix – After Encryption". This repair disk, and
   subsequent updates to this repair disk, can be used to recover the
   registry with strong encryption intact using the System Key in effect at
   the time the repair disk was last updated.

The System Key hotfix support for strong encryption affects the following
system components:

 - SYSTEM and SAM registry hives

 - Three system security component files: Winlogon.exe, Samsrv.dll,
   Samlib.dll

In general, the repair process needs to use matching versions of these
components. Whatever repair option you choose, the repair process will
coordinate repair of the registry hives with the matching system files.

The following table lists the recovery options available.

Desired System Configuration    Repair disk to apply       Repaired System
after Repair
--------------------------------------------------------------------------

Windows NT 4.0, prior to        Use the "Pre-hotfix"       Registry matches system before
hotfix installation             repair disk                hotfix installed; the three
                                                           system security component files
                                                           need to be repaired from the
                                                           Windows NT 4.0 compact disc to
                                                           match the pre-hotfix registry
                                                           format.

Windows NT 4.0 with hotfix      Use the "hotfix – Before   Registry matches the system
installed, but strong           Encryption" repair disk    before strong encryption. System
encryption is not enabled                                  Key is not in effect; strong
                                                           encryption not enabled. System
                                                           security files do not need to be
                                                           repaired from the Windows NT 4.0
                                                           compact disc.

Windows NT 4.0 with hotfix      Use the "hotfix – After    Registry matches the system with
installed, and strong           Encryption" repair disk    strong encryption enabled; the
encryption is enabled                                      System Key in effect is the
                                                           System Key used at the time the
                                                           repair disk was made.

In the event that an Administrator needs to repair the system after the
System Key hotfix is installed, both the SYSTEM and SAM portions of the
registry need to be repaired at the same time. The System Key option in the
SYSTEM portion of the registry must match the strong encryption key used
for the SAM portion of the registry. If one registry hive is repaired
without the other, it may be possible for the system to try to use a
different System Key option (password derived or machine generated) that
does not match the strong encryption key used for the account password
information.
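To make the key hierarchy in the MORE INFORMATION section (a random 128-bit password encryption key wrapped by a System Key chosen from the three options) and the SYSTEM/SAM hive mismatch described just above concrete, here is an added Python model; it is not Microsoft's code and does not reproduce the real registry format. Only the 128-bit random PEK and the MD5-of-password master key come from the article; the keystream cipher, the obfuscation pad, the hive layout and the pek_check value are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

OBFUSCATION_PAD = bytes(range(16))  # constructed stand-in for the "complex obfuscation" of a locally stored key

def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Constructed keystream cipher (HMAC-SHA256 in counter mode) standing in for the real cipher; symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def derive_system_key(option, password=None, floppy=None, stored=None):
    """Rebuild the master key for each of the three System Key options the article lists."""
    if option == "password" and password is not None:  # MD5 digest of the admin password is the master key
        return hashlib.md5(password.encode()).digest()
    if option == "floppy" and floppy is not None:  # key lives only on the diskette; nothing stored locally
        return floppy
    if option == "local":  # key kept on the system under obfuscation (hiding, not secrecy)
        return bytes(a ^ b for a, b in zip(stored, OBFUSCATION_PAD))
    raise RuntimeError(f"cannot start: System Key material for option {option!r} is unavailable")

def enable_strong_encryption(option, password=None):
    """Model of SYSKEY.EXE: returns the SYSTEM hive, the SAM hive and the floppy contents (None unless chosen)."""
    floppy = secrets.token_bytes(16) if option == "floppy" else None
    stored = bytes(a ^ b for a, b in zip(secrets.token_bytes(16), OBFUSCATION_PAD)) if option == "local" else None
    syskey = derive_system_key(option, password, floppy, stored)
    pek = secrets.token_bytes(16)  # 128-bit random password encryption key, unique to this system
    system_hive = {"option": option, "stored_key": stored}  # SYSTEM hive records the option in effect
    sam_hive = {"wrapped_pek": stream_xor(syskey, b"pek", pek),  # PEK is stored only under the System Key
                "pek_check": hmac.new(pek, b"pek-check", hashlib.sha256).digest()[:8],  # assumed check value
                "passwords": {}}
    return system_hive, sam_hive, floppy

def unlock_pek(system_hive, sam_hive, password=None, floppy=None):
    """Startup path: derive the System Key the SYSTEM hive names, unwrap the PEK, verify it fits this SAM hive."""
    syskey = derive_system_key(system_hive["option"], password, floppy, system_hive["stored_key"])
    pek = stream_xor(syskey, b"pek", sam_hive["wrapped_pek"])
    if not hmac.compare_digest(hmac.new(pek, b"pek-check", hashlib.sha256).digest()[:8], sam_hive["pek_check"]):
        raise RuntimeError("System Key does not match SAM: wrong password/diskette, or SYSTEM and SAM hives mismatched")
    return pek

def protect_derivative(pek, user, derivative):
    """Encrypt (or, applied again, decrypt) one user's password derivative; only this field is strongly encrypted."""
    return stream_xor(pek, user.encode(), derivative)  # per-user label so the PEK keystream is never reused
```

Running the model with a SYSTEM hive from one configuration and a SAM hive from another reproduces the failure the article warns about: the unwrapped PEK fails its check and the system cannot unlock the account database.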

Installation of the System Key hotfix will update the checksums for the
system security component (winlogon.exe, samsrv.dll, samlib.dll) in the
system.log file. The System.log file is saved on the Emergency Repair Disk.
The System.log file is used during recovery to determine if the files need
to be updated from the Windows NT Server 4.0 compact disc to match the
pre-hotfix registry configuration. If the desired recovery system
configuration is Windows NT Server 4.0 with the System Key hotfix, you will
not be asked to repair these system security files.

If you have installed the System Key hotfix but have not enabled strong
encryption, and you attempt to repair the system files using a repair disk
created before installing the System Key hotfix (that is, using the
"pre-hotfix" repair disk), you also MUST repair the SYSTEM and SAM registry.
If you do not repair the registry, the system files and registry format
will not match. You will get an error (error number C00000DF) when you
attempt to log on. When the registry and system files are mismatched, the
recovery procedure is to repair matching system and registry files. Either
repair the registry hives from the same "pre-hotfix" repair disk, or use
the "hotfix – Before Encryption" repair disk, which has a registry format
that matches the System Key hotfix system files.

Finally, if you have a situation where the system security files (Winlogon,
Samsrv.dll, Samlib.dll) are corrupted, then you must recover the system
using a "Pre-hotfix" repair disk and repair the corrupted files from a
Windows NT Server 4.0 compact disc. You must also repair the SYSTEM and SAM
registry hives to match the system files from the "Pre-hotfix" repair disk.
