Security

Use the Windows 2000 System Key (SysKey) to protect EFS private keys. SysKey uses strong encryption techniques to increase the protection of users' protected stores, including users' private keys for EFS.

To configure system key protection

  1. Type syskey at the command prompt. This brings up the dialog box shown in Figure 13.7.

    Figure 13.7 System Key Dialog Box
    After system key protection is enabled, it cannot be disabled.

  2. If it is not already selected, click Encryption Enabled, and then click OK. After a reminder that you should create an updated emergency repair disk, you are presented with options for the Account Database Key as shown in Figure 13.8. The default option is a system-generated password that is stored locally.
    Figure 13.8 Account Database Key Dialog Box

  3. Select the system key option that you want, and then click OK.

  4. Restart the computer.

When the system restarts, you might be prompted to enter the system key, depending on the key option you chose. Windows 2000 detects the first use of the system key and generates a new random password encryption key. The password encryption key is protected with the system key, and then all account password information is strongly encrypted.

At subsequent startups:

  • Windows 2000 obtains the system key from the locally stored key, from the password you enter, or from the floppy disk you insert, depending on the option you chose.

  • Windows 2000 uses the system key to decrypt the master protection key.

  • Windows 2000 uses the master protection key to derive the per-user account password encryption key that is then used to decrypt the password information in Active Directory or the local SAM registry key.

The syskey command can be used again later to change the system key storage option or to change the password.