Following my last post there were some comments asking questions - I'd like to make sure that anyone who might have read that post sees this & I know that not everyone reads the comments.
Syskey CAN be used to store the computer startup key on a USB token - the drivers load before the system prompts for the key - I've experience of storing the key on a USB token for both Windows XP and Server 2003. The trick is to take the option to store the key "on a floppy disk" from the interface and take the defaults - make sure your USB token is inserted once you're prompted to insert a floppy disk.
A word of caution - if your system has a floppy drive attached then the computer start up key WILL be stored on the floppy disk - if you don't insert a writable disk into the drive then you'll find that the interface goes into a loop where you're constantly prompted to enter a disk! You could of course kill the process but I don't recommend that as the results could be unpredictable.
Hi Steve, Thanks for posting this (and the previous article). What I'm not sure about is how using syskey to store the startup keys on a USB token differs from using two factor authentication at the GINA prompt. Can you elaborate?
Mark> A good question. Using two factor authn certainly increases the assurity that the user is who they claim to be. The beauty of storing the startup keys on an external device is that the machine itself couldn't start without them.
If someone gains physical access to your system them could boot into an alternative operating system instance (Windows or LINUX), and then recover the startup keys (if they are still present on the system) and subsequently butcher the user authn system and gain access.
PingBack from http://www.youknowone.co.uk/blog/2005/12/httpmark-wilsonblogspotcom200512securing-your-windows-computer-withhtm.htm
PingBack from http://www.youknowone.co.uk/blog/2005/12/securing-your-windows-computer-with.htm
PingBack from http://markwilson.me.uk/blog/2005/12/securing-your-windows-computer-with.htm