Disabling LM Hash creation

rusga

.... furthermore, I also changed passwords to see if it was only in the
*creation* process of new passwords that this feature would be suppressed.
But it still creates them.

Regards,
rusga
 
rusga

Ok...

What I did was:

a) Changed the key to "NoLMHash" (no spaces).
b) Rebooted the system.
c) Changed the passwords.
d) Tried to crack them with LC4.

.... the setting was now active, but according to LC4, what happened was:

a) The LM and NTLM passwords changed to an *empty* state to all users
affected.
b) The LM and NTLM hashes *were created anyway*.
c) The LM and NTLM hashes were *the same for all users* affected (same
empty seed).

Now, these few questions arise:

a) Isn't this a worse security scenario?
b) Shouldn't the key be renamed to "Blank_LM/NTLM_Passwords" (or the like)?
c) Am I seeing it wrongly?

Regards,
rusga
 
Mark V

In said:
Hi,

In MS checklist
( http://207.46.156.156/technet/images/security/prodtech/win2000/win2khg/images/win2k45_BIG.gif )
there's the possibility of disabling the creation of LM hashes by
creating the following new key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLM Hash

... but, unfortunately, it doesn't seem to work since LC4 cracker
still gets them.

What am I doing wrong here?

I think the KeyName is: NoLMHash
If you had a SPACE in there (as did your cited (but incorrect)
article) it would fail.

There is a Group Policy that would probably be better and easier to
use.

KBA 299656
"How to prevent Windows from storing a LAN manager hash of your
password in Active Directory and local SAM databases"
 
Mark V

In said:
Ok...

What I did was:

a) Changed the key to "NoLMHash" (no spaces).
b) Rebooted the system.
c) Changed the passwords.
d) Tried to crack them with LC4.

... the setting was now active, but according to LC4, what
happened was:

a) The LM and NTLM passwords changed to an *empty* state to all
users affected.
b) The LM and NTLM hashes *were created anyway*.
c) The LM and NTLM hashes were *the same for all users* affected
(same empty seed).

Now, these few questions arise:

a) Isn't this a worse security scenario?
b) Shouldn't the key be renamed to "Blank_LM/NTLM_Passwords" (or
the like)?
c) Am I seeing it wrongly?

I cannot answer that. If no response here, re-post. Probably in one
of the MS security groups.
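
An added example, not part of the original thread: a Python check over a pwdump-style export (`user:rid:lm:nt:::`, the format assumed here) that separates accounts whose LM field holds only the well-known hash of the empty string from accounts that still have a real LM hash stored, and flags accounts whose NT hash is also the empty-string hash, which is what a genuinely blank password looks like. The function names and sample lines are constructed for illustration.

```python
# Added example: audit a pwdump-style export after setting NoLMHash.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4) of the empty string
HEX = set("0123456789abcdef")

def field_state(value, empty_hash):
    """Classify one hash field as 'empty', 'stored' or 'malformed'."""
    v = value.strip().lower()
    # Some dump tools print a "NO PASSWORD***..." filler instead of a hash.
    if v in ("", empty_hash) or v.startswith("no password"):
        return "empty"
    if len(v) != 32 or not set(v) <= HEX:
        return "malformed"
    return "stored"

def classify(line):
    """Return (user, lm_state, nt_state) for one user:rid:lm:nt::: line."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a pwdump-style line: {line!r}")
    user, _rid, lm, nt = fields[:4]
    return user, field_state(lm, EMPTY_LM), field_state(nt, EMPTY_NT)

def audit(lines):
    """Map each user to a finding about LM storage and blank passwords."""
    findings = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        user, lm, nt = classify(line)
        if "malformed" in (lm, nt):
            findings[user] = "unparseable hash field"
        elif nt == "empty":
            findings[user] = "blank password"        # NT hash is empty too
        elif lm == "stored":
            findings[user] = "LM hash still stored"  # setting not in effect
        else:
            findings[user] = "ok: LM not stored"     # identical LM for all is expected
    return findings

# Constructed sample lines; the non-empty hash values are made up.
SAMPLE = [
    "alice:1001:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::",
    "bob:1002:00112233445566778899aabbccddeeff:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::",
    "carol:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print(f"{user}: {finding}")
```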
 
