Securing the SAM Database
The Security Account Manager (SAM) database is stored in the registry, as the SAM hive under HKEY_LOCAL_MACHINE\SAM, on workstations and member servers. It holds the local user accounts together with the LM and NTLM hashes of their passwords; the passwords themselves are not stored. Domain accounts are held on the domain controllers, in the SAM on Windows NT 4.0 and in Active Directory (the NTDS.dit file) from Windows 2000 onwards.
Because this database contains usernames and password hashes it is of extreme importance. An intruder who can read it can recover (crack) account passwords, especially the administrator's, and then has full access to the machine; with a domain administrator's credentials he or she could have full access to the network. Windows locks the hive while it is running, so attackers usually copy it offline (by booting another operating system, or from backups and Volume Shadow Copies) or dump it with SYSTEM privileges on the live machine.
Attackers know that the administrator username and password is the target to aim for, and the SAM is usually the first place they try. There are numerous tools designed to dump the hashes from the SAM and crack them offline by dictionary, brute force or precomputed (rainbow) tables. Microsoft recommends using the syskey utility to protect the SAM. This program encrypts the stored password hashes with a 128-bit system key (the "boot key"), so that a copy of the SAM hive cannot be used directly without that key. Note what syskey does not do: the hashes themselves are unchanged, so once the key is known the usual cracking attacks apply, and it gives no protection against an attacker who already runs code as SYSTEM on the running machine. Syskey was removed from Windows 10 version 1709 and Windows Server version 1709; Microsoft now recommends BitLocker volume encryption instead.
When you run the syskey.exe utility, you will see the dialog box shown in the first screenshot below. It shows whether SAM database encryption is enabled or disabled; once enabled it cannot be turned off again. In this case it is already enabled. If you click Update, you will see the dialog box shown in the second screenshot.
The Update box allows you to view your current syskey settings as well as change them. As you can see from the picture, this system is currently set to store the system key locally, as part of the operating system. With this setting both the encryption and the key are transparent to the user, but the key lives in the SYSTEM hive alongside the SAM, so anyone who obtains copies of both hives can recover it: this mode protects only against someone who gets hold of the SAM hive alone. The other two options are to require a password, from which the key is derived, to be entered each time the system starts, or to keep the key on a floppy disk that must be inserted when the system boots. Both keep the key off the disk, at the cost of needing someone present at every boot and of making the system unbootable if the password is forgotten or the disk is lost. While these might be a bit extreme for a regular PC, they are good ways of protecting domain controllers.
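The following Python script is an added example, not part of the course text or of the syskey utility. It shows the two checks a practitioner would make from the SYSTEM hive rather than the GUI: reading which of the three modes is configured (recorded as the REG_DWORD SecureBoot under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where 1, 2 and 3 are the three options of the Update dialog in the order above), and deriving the boot key in mode 1 from the class names of the Lsa subkeys JD, Skew1, GBG and Data. The derivation is the publicly documented one used by tools such as bkhive and impacket's secretsdump, and is included to show why the locally stored option offers little protection against offline hive theft. The SecureBoot value and the four class names below are constructed sample data, not read from any real machine.

```python
"""Added example: inspect Syskey state from SYSTEM-hive values (offline).

The functions work on values already extracted from the hive, so the script
runs anywhere. The sample inputs at the bottom are constructed, not real.
"""
from binascii import unhexlify

# Meaning of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot (REG_DWORD).
SYSKEY_MODES = {
    1: "key stored locally in the SYSTEM hive (default; transparent to the user)",
    2: "key derived from a password typed at every boot",
    3: "key stored on a floppy disk that must be present at boot",
}

# Byte permutation applied to the concatenated class names (public algorithm,
# as implemented in bkhive and impacket).
BOOTKEY_PERMUTATION = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]


def describe_syskey_mode(secure_boot_value: int) -> str:
    """Map the Lsa\\SecureBoot REG_DWORD to a human-readable Syskey mode."""
    try:
        return SYSKEY_MODES[secure_boot_value]
    except KeyError:
        raise ValueError(f"unexpected SecureBoot value {secure_boot_value!r}") from None


def derive_boot_key(class_names: dict) -> bytes:
    """Recover the 16-byte boot key from the four Lsa subkey class names.

    class_names maps 'JD', 'Skew1', 'GBG' and 'Data' to their class-name
    strings: 8 hex digits each (stored in the hive as UTF-16LE, given here
    already decoded). Only meaningful in mode 1; in modes 2 and 3 the hive
    does not hold the key material.
    """
    joined = "".join(class_names[k] for k in ("JD", "Skew1", "GBG", "Data"))
    scrambled = unhexlify(joined)
    if len(scrambled) != 16:
        raise ValueError("expected exactly 16 bytes of scrambled key material")
    # Undo the fixed byte scrambling Windows applies when storing the key.
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


# Constructed sample data (NOT taken from a real system).
SAMPLE_SECURE_BOOT = 1
SAMPLE_CLASS_NAMES = {
    "JD": "00010203",
    "Skew1": "04050607",
    "GBG": "08090a0b",
    "Data": "0c0d0e0f",
}

if __name__ == "__main__":
    print("SecureBoot =", SAMPLE_SECURE_BOOT, "->", describe_syskey_mode(SAMPLE_SECURE_BOOT))
    if SAMPLE_SECURE_BOOT == 1:
        print("boot key recoverable from SYSTEM hive:", derive_boot_key(SAMPLE_CLASS_NAMES).hex())
```

On a real system the class names are read with a registry parser from an offline copy of the SYSTEM hive (they are not visible in Regedit as ordinary values), and the recovered boot key is what then lets an attacker decrypt the hashes in a stolen SAM hive; the point of the example is that in mode 1 both pieces sit on the same disk.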
DF9R 35:: Network Infrastructure 1: Implementation and Management (c) 2009 SQA