echo: nthelp
to: Geo
from: Mike N.
date: 2004-10-21 23:47:20
subject: Re: EFS Best practices

From: Mike N. 

On Thu, 21 Oct 2004 21:12:35 -0500, "Geo" wrote:

>How do you prevent that, if they have access to the machine can't they just
>run a backup and get access for LC5 that way or just do a second install and
>gain access that way or use NTFS driver?

  The additional step that I didn't know in the previous message is that I
need to run Syskey and select mode 2 or 3.  Although the SAM and LSA are
encrypted in the default mode 1, the decryption key is merely obfuscated
with the decryption key stored on the machine.  Physical access to the
machine can easily open up the SAM and eventually give up the EFS keys.

 http://www.microsoft.com/technet/security/news/efs.mspx

  I have selected mode 2 with a long "pass phrase" so I have to enter an
additional computer password before even seeing the login screen when
booting up.  This finally decrypts the SAM.  There are no shortcuts to
hacking the SAM encryption without a great deal of computing power; with
Triple DES, they'll have to move on to the next stolen laptop.  There are
no precomputed password or passphrase tables as there are with LM hashes.

  Although mode 3 (machine-generated password) and the password floppy
disk would be even more secure, there are practical issues when traveling.
The floppy would generally be in proximity to the laptop and I could easily
end up losing both at the same time.  Alternatively, if it's not kept with
the laptop, I'd be likely to forget to take it with me when I need laptop
access.  If it's damaged, I'm hosed until I get a backup copy from
somewhere.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
