Dangers of toggling Syskey modes

Martin Weld

For a laptop not joined to a domain, what issues could
arise in ongoing toggling from Syskey Mode 1 (the default,
where the key is stored obfuscated on the local machine) to
Syskey Mode 2 (user-provided password at boot)?

The scenario is enabling Syskey in Mode 2 while traveling,
then toggling to Syskey Mode 1 at home (when physical
access can be assured).

One possible concern is losing access to EFS encrypted
files over time as a result of an inability to decrypt
master keys (which would be encrypted by Syskey).
 
As a best practice to prevent the system from being booted
by malicious users, and to thwart offline attacks against
encrypted data.

Toggling to and from Syskey modes 1 and 2 may be
preferable, when at home, as a convenience for the occasional
traveling user, to the ongoing presence of a boot floppy
which may be lost, stolen, or damaged.

But there may be risks associated with toggling Syskey modes.
 
If an attacker steals your computer, she could remove the hard drive, mount
it in another computer, and launch attacks that way.

The best way to mitigate this problem is not to get your computer stolen.
Perhaps it seems flippant, but it's true. Remember: if a bad guy gets hold
of your computer, it isn't your computer anymore.
 
Often the best mitigation strategy is not feasible. Such is
the case when enforcing the "our computers shall never be
stolen" policy.

XP's Syskey modes 2 and 3 were engineered to mitigate the
offline attack described.

So yes, definitely it was flippant (treating serious things
lightly).