How to use Syskey to make it more difficult to break into your laptop(s) via offline password guessing

Windows XP (and Server 2003) rely upon a series of "Master Keys" to protect both user-specific secrets (including EFS and S/MIME keys) and computer secrets (such as IPsec keys and SSL keys). The Master Keys are themselves encrypted with a "computer startup key" - this is a symmetric key.

For those of you who may be unfamiliar with symmetric key cryptography (such as DES & AES), it's worth pointing out that the same key is used to both encrypt and decrypt the secret information. This is in contrast to asymmetric key cryptography (such as RSA), which uses a pair of keys: one is used to encrypt, the other to decrypt.

When the operating system starts up, it automatically decrypts the computer startup key to provide access to the Master Keys and unlock the Security Account Manager (SAM) database (for local accounts) and Local Security Authority (LSA) secrets.

Syskey is a utility that's part of Windows that can be used to change the storage location of the computer's startup key. By default the startup key is located within the machine's registry. It's actually broken up and scattered throughout many locations in the registry using an algorithm that uses different locations on each machine, which makes it very difficult for a malicious user to recover should they gain physical access to your machine.

Syskey provides the means to store the computer startup key on removable media (such as a floppy disk - remember those?). Bear in mind that the media must be available to the machine at boot time, so using this method on a server that doesn't have the luxury of 24*7 onsite operator support may not be a good idea. Nor, of course, is it a good idea to leave the media in the system.

Syskey also enables you to configure the machine to prompt for the computer startup key at boot time (this can be up to 128 characters long). This is a great option for laptops as it simply takes the form of a password(phrase) that you enter before logging into Windows. The beauty of this approach is that neither the key nor any form of the key (such as a hash) is actually present on the machine, so there's nothing to crack unless you count brute forcing the encryption of the Master Keys, which would take significant computational effort - read: a very long time, longer than the data's likely to be of value.

The following steps show you how to configure Syskey to require the person using the machine to enter the startup key each time the system boots.

I suggest playing in a Virtual Machine before using this for real - make sure you remember the password(phrase) as you'll be looking at a system recovery otherwise!

Whilst logged in as an Administrator click on "Start, Run", enter "syskey" and click on "OK" (or hit return) - alternatively type "syskey" from the command line. You'll receive the following interface...

Click on "Update" to proceed to the following interface...

Click on "password startup" and enter your password(phrase) - make sure you write this down and store it somewhere safe unless you're 100% sure you won't forget it.

Click on "OK" 

Note of caution! The changes will have already been made to the system at this point - even if you "Turn off" a virtual machine they will still take effect at the next reboot.

When the system comes back up you'll see the following dialog 

Once you enter the computer startup key the system will proceed to the GINA (Graphical Interface for Network Authentication) that you normally see - by default it's the standard "Control-Alt-Delete" screen - now login as normal.

To reverse the change, simply run "Syskey" again (whilst logged in with Administrative privilege), select "System Generated Password" and take the default of "Store startup key locally", at which point you'll be prompted to enter the startup key you chose previously.

One last observation: You can enter the startup key incorrectly as many times as you like at this stage, though at boot time you only get three attempts before the system reboots.
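
To confirm which startup key mode a machine ended up in after the steps above (or after reversing them), the following PowerShell function is an added example and not part of the original post. It assumes the mode is recorded in the SecureBoot value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = stored locally, 2 = password startup, 3 = floppy disk); the function name Get-SyskeyMode and the host names in the usage comment are hypothetical.

```powershell
# Added example: report the Syskey startup-key mode of one or more machines.
# Assumption: the mode is the SecureBoot DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#   1 = system generated key stored locally
#   2 = password startup (key derived from the boot-time passphrase)
#   3 = system generated key stored on floppy disk
# Remote reads need the Remote Registry service and administrative rights.

function Get-SyskeyMode {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $modes = @{
        1 = 'System generated, stored locally'
        2 = 'Password startup'
        3 = 'System generated, stored on floppy disk'
    }

    foreach ($computer in $ComputerName) {
        $raw = $null; $hive = $null; $key = $null
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            if ($key) { $raw = $key.GetValue('SecureBoot', $null) }

            if ($raw -eq $null)                    { $mode = 'SecureBoot value not present' }
            elseif ($modes.ContainsKey([int]$raw)) { $mode = $modes[[int]$raw] }
            else                                   { $mode = "Unrecognised value $raw" }
        }
        catch { $mode = "Query failed: $($_.Exception.Message)" }
        finally {
            # Release registry handles even when the query fails part-way.
            if ($key)  { $key.Close() }
            if ($hive) { $hive.Close() }
        }

        # One row per machine; PasswordStartup is the laptop compliance flag.
        New-Object PSObject -Property @{
            Computer        = $computer
            SecureBoot      = $raw
            Mode            = $mode
            PasswordStartup = ($raw -eq 2)
        } | Select-Object Computer, SecureBoot, Mode, PasswordStartup
    }
}

# Usage (hypothetical host names): list laptops not using password startup.
# Get-SyskeyMode -ComputerName LAPTOP01, LAPTOP02 |
#     Where-Object { -not $_.PasswordStartup }
```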

There's an old vulnerability bulletin that explains more about Syskey and its use.