Windows user authentication

NTLM user authentication on Windows

The account passwords of all users in the Windows operating system are stored in the Security Account Manager (SAM) database. If domain services are enabled on the Windows system (above Windows Server 2008), the account passwords of domain users are stored in the Active Directory database. This database also stores the user records.
Each user account has two passwords: a LAN password and a Windows password. Each password is encrypted and stored in the SAM database or in the Active Directory database.

LAN passwords are based on the OEM character set and are not case sensitive. Windows passwords are based on the Unicode character set, are case sensitive, and can be up to 128 characters long.

System account database encryption

By default, the login information of all user accounts in a Windows Server 2003/2008 system is stored in the sam file in the windows/system/config directory. The administrator account is no exception, so protecting this file indirectly protects the administrator account. This is usually achieved through encryption. Syskey is a tool built into Windows specifically for encrypting the account database. After encryption, even if an intruder obtains the encrypted SAM file, the user names and passwords in it cannot be recovered.
When you open the syskey dialog box, the system selects the "Enable encryption" option by default.
We can click OK directly to apply this secondary encryption to the SAM file.

If we click the "Update" option, we can set a password that Windows requires at startup, which is equivalent to secondary encryption for Windows.
When Windows starts, a dialog asking for this startup password will pop up.


We can also delete the system account database backup, but this operation applies only to Windows Server 2003, not to Windows Server 2008. After a default installation of Windows Server 2003, a SAM backup is automatically saved in the windows/repair directory. To prevent the original password from being leaked, we need to delete this backup file.
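
The two settings described above can be checked with a read-only audit. The script below is an added example, not part of the original post. It assumes an elevated PowerShell 2.0 or later prompt, that the syskey mode is recorded in the SecureBoot value under the Lsa registry key, and that the backup described above is the file named sam under the repair directory of %SystemRoot%; the function names are hypothetical.

```powershell
# Added example: read-only audit of the syskey mode and the leftover SAM backup.
# Assumptions: elevated prompt; backup location taken as %SystemRoot%\repair\sam.

function Get-SyskeyMode {
    # SecureBoot (REG_DWORD) under the Lsa key records how the system key is protected.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $lsaKey -Name SecureBoot -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'SecureBoot value not found' }
    switch ($prop.SecureBoot) {
        1 { 'System generated key, stored locally' }
        2 { 'Password startup: password required at boot' }
        3 { 'System generated key, stored on floppy disk' }
        default { "Unrecognised SecureBoot value: $($prop.SecureBoot)" }
    }
}

function Get-SamBackupStatus {
    $path = Join-Path (Join-Path $env:SystemRoot 'repair') 'sam'
    $status = New-Object PSObject -Property @{
        Path = $path; Present = $false; LastWriteTime = $null; ReadableBy = @()
    }
    if (Test-Path -Path $path) {
        $status.Present = $true
        $status.LastWriteTime = (Get-Item -Path $path -Force).LastWriteTime
        # Collect principals whose allow ACEs grant ReadData on the backup file.
        $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
        $status.ReadableBy = @((Get-Acl -Path $path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (($_.FileSystemRights -band $readData) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value })
    }
    $status
}

# Report both findings for the local machine.
Get-SyskeyMode
Get-SamBackupStatus | Format-List Path, Present, LastWriteTime, ReadableBy
```

A result of Present = True on a Windows Server 2003 host means the backup described above has not yet been deleted.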

Windows Server 2008 adds a new function, "credwiz", which helps administrators back up and restore all user account information. Under normal circumstances, a Windows Server 2008 server saves the user account information of all clients. If the system fails, this information is likely to be destroyed. Re-entering each user account manually is not only a lot of work but also prone to errors.
① Click the "Start" button, enter 'credwiz' in the "Start Search" text box, and press Enter. The credwiz interface will appear.


② You can choose to back up or restore user passwords. We recommend saving the backup on a floppy disk or removable hard disk and not storing it on the local computer.
③ When backing up, you are also required to enter a password, which protects the backup file. This password must meet the password complexity requirements of Windows Server 2008.


Origin blog.csdn.net/qq_27180763/article/details/123682418