Friday, June 27

NoLMHash Continued

 

 

Ok, due to earlier conflicts I went into my lab and tested a few things.

 

First, for Windows 2000, NoLMHash is configured by adding a Key under LSA in the registry.  Values are ignored in Windows 2000.

 

Using Group Policy to manage the values for Windows 2003 and XP does work, but does not take effect until a reboot is performed.  Further, Group Policy applies and manages values (instead of keys) on Windows 2000 systems.  As mentioned earlier, this has no effect on Windows 2000 and should be a bug.  I talked to several people at MS and because 2000 is fairly old, this will not be fixed.  It really shouldn't try to write the values to 2000 systems at all through Group Policy.  The only way to prevent this is to create a group with all your 2000 systems and deny it from applying the policy that manages NoLMHash.

 

I also mentioned to MS that settings managed with Group Policy should not require a reboot before they take effect.  My contact is investigating, but I'm doubtful that this will get resolved either.  Support told me that they didn't know you could set this with Group Policy until I sent them their own KB.

 

More testing to be done to make sure everything gets applied correctly. 

 

Too many servers, too little time for crappy code.
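An added example, not part of the original post: a PowerShell audit that applies the lab findings above, treating the NoLMHash key as the setting on Windows 2000 and the DWORD value as the setting on XP and 2003. The function name and host names are hypothetical, and it assumes the account running it can read each target's registry through the Remote Registry service.

```powershell
# Added example, not from the original post. Get-NoLMHashState is a hypothetical name.
# Assumes read access to the targets' registry (Remote Registry service running).
function Get-NoLMHashState {
    param([string[]]$ComputerName = @(''))   # '' opens the local registry

    foreach ($name in $ComputerName) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
        try {
            $nt  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
            $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')

            # CurrentVersion: 5.0 = Windows 2000, 5.1 = XP, 5.2 = Server 2003
            $os     = [string]$nt.GetValue('CurrentVersion')
            $hasKey = $lsa.GetSubKeyNames() -contains 'NoLMHash'   # subkey Lsa\NoLMHash
            $value  = $lsa.GetValue('NoLMHash', $null)             # REG_DWORD under Lsa

            $status = switch ($os) {
                '5.0' {
                    # Per the post's lab test: Windows 2000 uses the key and ignores values.
                    if ($hasKey) { 'Configured (key)' }
                    elseif ($null -ne $value) { 'NOT configured: value present but ignored on 2000' }
                    else { 'Not configured' }
                }
                { '5.1', '5.2' -contains $_ } {
                    # XP / 2003 use the DWORD value; via Group Policy it applies only after a reboot.
                    if ($value -eq 1) { 'Configured (value = 1; GPO-applied change needs a reboot)' }
                    else { 'Not configured' }
                }
                default { 'OS version not covered by the post' }
            }

            [pscustomobject]@{
                Computer = if ($name) { $name } else { $env:COMPUTERNAME }
                OS = $os; HasKey = $hasKey; Value = $value; Status = $status
            }
        }
        finally { $hklm.Close() }
    }
}

# Local machine by default; pass names to check remote systems, for example:
# Get-NoLMHashState -ComputerName SRV2000-01, SRV2003-01   (constructed host names)
Get-NoLMHashState | Format-Table -AutoSize
```

A Windows 2000 host reported as "value present but ignored" is the case where Group Policy wrote the value and the system is still storing LM hashes.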

 

 

Wednesday, June 25

NoLMHash

Wow, I've been digging into the LAN Manager settings and how things are used in recent versions of Windows (2000, 2003, XP & 2008).  There's a lot of bad information out there!

 

I'll pick today on the NoLMHash settings since I've been looking at Windows 2000 today.

 

First, if I just google "nolmhash" I get the following links in the top 3:

 

How to prevent Windows from storing a LAN manager hash of your ...

Method 2: Implement the NoLMHash Policy by Editing the Registry ... Important The NoLMHash registry key and its functionality were not tested or documented ...

support.microsoft.com/kb/299656

NoLMHash

NoLMHash. HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Data type, Range, Default value. REG_DWORD. 0 | 1. 0. Description. Determines whether Security Accounts ...

www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/96415.mspx

NoLMHash

NoLMHash. Updated: March 28, 2003. NoLMHash. HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Data type, Range, Default value. REG_DWORD. 0 | 1. 0. Description ...

technet2.microsoft.com/windowsserver/en/library/008f982b-a1b0-4a73-a781-d46a49f8498a1033.mspx

 

Pasted from <http://www.google.com/search?q=nolmhash&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a>

 

The last two are resource kit references for Windows Server 2000 and 2003 respectively.  Both show the same information, specifically that NoLMHash is a dword value.

 

NoLMHash

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Data type    Range    Default value
REG_DWORD    0 | 1    0

Description

Determines whether Security Accounts Manager (SAM) stores the LAN Manager (LM) hash of the user's password. The LM hash of the user's password is necessary to authenticate downlevel clients that cannot use NTLM or NTLMv2 authentication.

Value    Meaning
0        SAM stores the message digest of the user's password.
1        SAM does not store the message digest of the user's password.

 

Pasted from <http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/96415.mspx>

 

 

Great, you say…. But if you look at the first reference returned by Google, you get the following information for configuring the NoLMHash Policy on Windows 2000.

 

Step 3.  On the Edit menu, click Add Key, type NoLMHash, and then press ENTER.

 

Pasted from <http://support.microsoft.com/kb/299656>

 

Hey, it’s a Key!!!!  There is a note that says it's OK for the Key and Value to exist in the same policy template.

 

So for Windows 2003 & XP it’s a dword value…. On Windows 2000 it might be a key!

 

This week I'll be testing the following to see what MS actually does with these values.

 

1. Windows 2000 - NoLMHash Key versus value.

2. Windows 2000 - Does an upgrade convert the Key to a value?

3. Windows 2003/XP - Does implementing using Group Policy take immediate effect without requiring a reboot (KB299656 seems to indicate that)?

4. Impact on LM Hash History - KB299656 says that on Windows 2000 the history will be removed as you change passwords.  For Windows 2003 & XP the history is cleared when you complete the steps for editing the registry.  No indication is given of the impact on the LM Hash history when using Group Policy.