Friday, June 27


NoLMHash Continued



Ok, due to earlier conflicts I went into my lab and tested a few things.


First, for Windows 2000, NoLMHash is configured by adding a Key under LSA in the registry.  Values are ignored in Windows 2000.


Using Group Policy to manage the values for Windows 2003 and XP does work, but does not take effect until a reboot is performed.  Further, Group Policy applies and manages values (instead of keys) on Windows 2000 systems.  As mentioned earlier, this has no effect on Windows 2000 and should be a bug.  I talked to several people at MS and because 2000 is fairly old, this will not be fixed.  It really shouldn't try to write the values to 2000 systems at all through Group Policy.  The only way to prevent this is to create a group with all your 2000 systems and deny it from applying the policy that manages NoLMHash.
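The key-versus-value difference described above can be audited across a mixed fleet. This is an added example, not code from the original post: the function names and the sample inventory are hypothetical, and the full registry path and the value data of 1 for XP/2003 come from Microsoft's NoLMHash documentation rather than from this post.

```python
try:
    import winreg  # Windows only; classify() and audit() run anywhere
except ImportError:
    winreg = None

LSA_PATH = r"SYSTEM\CurrentControlSet\Control\Lsa"

def read_lsa_state(host=None):
    """Return (subkey_exists, value_data) for NoLMHash; host=None is local."""
    if winreg is None:
        raise RuntimeError("registry collection needs to run on Windows")
    with winreg.ConnectRegistry(host, winreg.HKEY_LOCAL_MACHINE) as hklm, \
            winreg.OpenKey(hklm, LSA_PATH) as lsa:
        try:  # Windows 2000 form: a subkey named NoLMHash
            winreg.CloseKey(winreg.OpenKey(lsa, "NoLMHash"))
            subkey = True
        except FileNotFoundError:
            subkey = False
        try:  # XP/2003 form: a DWORD value named NoLMHash
            value = winreg.QueryValueEx(lsa, "NoLMHash")[0]
        except FileNotFoundError:
            value = None
    return subkey, value

def classify(os_version, subkey_exists, value_data):
    """os_version is (major, minor): 2000=(5,0), XP=(5,1), 2003=(5,2)."""
    if os_version == (5, 0):
        if subkey_exists:
            return "ok"
        if value_data is not None:
            return "ineffective: value is ignored on 2000, key required"
        return "not configured"
    if os_version in ((5, 1), (5, 2)):
        # Assumption from Microsoft's documentation: the DWORD must be 1.
        return "ok after reboot" if value_data == 1 else "not configured"
    return "out of scope"

# Constructed inventory: (host, os_version, subkey_exists, value_data)
SAMPLE = [
    ("w2k-file01", (5, 0), False, 1),   # Group Policy wrote the value to a 2000 box
    ("w2k-dc01", (5, 0), True, None),
    ("xp-desk07", (5, 1), False, 1),
    ("w2k3-sql02", (5, 2), False, None),
]

def audit(rows):
    """Return {host: status} for every host whose status is not plain 'ok'."""
    return {h: s for h, v, k, d in rows if (s := classify(v, k, d)) != "ok"}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The registry alone cannot show whether an XP or 2003 system has rebooted since the value was written, so those hosts are reported as "ok after reboot" rather than "ok".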


I also mentioned to MS that settings managed with Group Policy should not require a reboot before they take effect.  My contact is investigating, but I'm doubtful that this will get resolved either.  Support told me that they didn't know you could set this with Group Policy until I sent them their own KB.


More testing to be done to make sure everything gets applied correctly. 


Too many servers, too little time for crappy code.


