Syskey encryption (Windows)

Module: Password Strength

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check verifies that syskey encryption is enabled. If the value of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot is 1 (key in registry), 2 (enter manually at startup), or 3 (key on floppy), the password database on this machine is syskey encrypted. The check reports when the key is not present or when its value is anything other than 1, 2, or 3.

The following table lists the error message for the check.

Table: Error message for Syskey encryption

Message String ID and Category:

  String ID: ESM_SYSKEY_NOT_ENABLED

  Category: Policy Compliance

Platform and Message Numeric ID:

  • Windows 2000 (105340)

  • Windows 2003 (205340)

  • Windows 2008 (248340)

  • Windows Vista (228340)

  • Windows XP (200340)

Message Title and Description:

  Title: Passwords not encrypted with syskey

  Description: The password database on this machine has not been encrypted with syskey.

Additional Information:

  Severity: yellow-1

  Correctable: false

  Snapshot Updatable: false

  Template Updatable: false

  Information Field Format: [%s]
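
The check's decision rule can be reproduced offline against collected registry output. The following is an added example, not code from the product: it assumes each host's text was captured with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SecureBoot`, and the host names and sample captures are constructed.

```python
import re

# SecureBoot values the check accepts, with the meanings the page gives.
SYSKEY_MODES = {1: "key in registry", 2: "enter manually at startup", 3: "key on floppy"}
MESSAGE_ID = "ESM_SYSKEY_NOT_ENABLED"  # string ID from the message table

# One value line of `reg query` output: name, type, data (tabs or spaces).
_VALUE_RE = re.compile(r"^\s*SecureBoot\s+(REG_\w+)\s+(\S+)\s*$", re.I | re.M)


def check_syskey(reg_output):
    """Return (compliant, detail) for one host's captured reg query output."""
    m = _VALUE_RE.search(reg_output)
    if m is None:
        return False, "SecureBoot value not present"
    reg_type, raw = m.group(1).upper(), m.group(2)
    # Assumption: a value that is not a parsable DWORD counts as "other than 1, 2 or 3".
    if reg_type != "REG_DWORD":
        return False, "SecureBoot has unexpected type " + reg_type
    try:
        value = int(raw, 16)
    except ValueError:
        return False, "SecureBoot data not parsable: " + raw
    if value not in SYSKEY_MODES:
        return False, "SecureBoot=%d is not 1, 2 or 3" % value
    return True, "SecureBoot=%d (%s)" % (value, SYSKEY_MODES[value])


def audit(outputs):
    """Return (host, MESSAGE_ID, detail) for every host that fails the check."""
    findings = []
    for host in sorted(outputs):
        ok, detail = check_syskey(outputs[host])
        if not ok:
            findings.append((host, MESSAGE_ID, detail))
    return findings


# Constructed sample captures; host names are hypothetical.
KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
SAMPLES = {
    "ws-01": KEY + "    SecureBoot    REG_DWORD    0x1\n",
    "ws-02": KEY + "    SecureBoot    REG_DWORD    0x0\n",
    "ws-03": "ERROR: The system was unable to find the specified registry key or value.\n",
    "ws-04": "! REG.EXE VERSION 3.0\n\n" + KEY + "\tSecureBoot\tREG_DWORD\t0x2\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```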