Removing the NTLM Hashes from the AD & SAM?

From: Parth Galen (parth_galen@lycos.com)
Date: 03/04/02

• Previous message: pen test: "Transfer files open shares vs ftp"
• Next in thread: Bronek Kozicki: "Re: Removing the NTLM Hashes from the AD & SAM?"
• Reply: Bronek Kozicki: "Re: Removing the NTLM Hashes from the AD & SAM?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 4 Mar 2002 13:38:25 -0000
From: Parth Galen <parth_galen@lycos.com>
To: focus-ms@securityfocus.com

('binary' encoding is not supported, stored as-is)

In the Microsoft Article Q299656 “Removing the
NTLM Hashes from the AD & SAM”, states to remove
the LM hash from these you must create a registry
key.

 In the article the following steps are outlined.
Edit the following registry key:
        HKEY_LOCAL_MACHINE\System\CurrentC
ontrolSet\Control\Lsa
        Add new Key:
        Key Name: NoLMHash

Once the registry key is set, the LM hash for a user
account is not removed until the next time the user
changes his or her password. Therefore, in addition
to setting this key, we also need to ensure that all
users change their password.

The registry key is not removing the LM Hash from
the AD & SAM. This is the only key the article
Q299656 refers to on a W2K or Windows NT
machine.

Need the conclusion of the article there is a reference
to the XP systems, and you must enter the following
registry key and value.

In the article the following steps are outlined.
Edit the following registry key:
        HKEY_LOCAL_MACHINE\System\CurrentC
ontrolSet\Control\Lsa
        Add Value:
        Value name: NoLMHash
        Data Type: REG_DWORD
        Radix: Decimal
        Value Data: 1

Should there be a value set for the W2K and
Windows NT version? Is the value and registry key
the same. How do we remove the LMHash from the
AD & SAM. Please advise on the registry key we
need to enter.

Thank in advance for your time and effort!
Parth

---

• Previous message: pen test: "Transfer files open shares vs ftp"
• Next in thread: Bronek Kozicki: "Re: Removing the NTLM Hashes from the AD & SAM?"
• Reply: Bronek Kozicki: "Re: Removing the NTLM Hashes from the AD & SAM?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Lotus Notes .id file pw recover (Was Cached NT/W2k passwords) ... Subject: Cached NT/W2k passwords ... > Has anyone been able to decrypt the hash password from ... If you're talking about the CachedLogonsCount registry key, ... and there is no publicly available tool to decrypt the ... (Pen-Test) Re: Cached NT/W2k passwords ... > Has anyone been able to decrypt the hash password from ... If you're talking about the CachedLogonsCount registry key, there has been a thread 2 weeks ago on ... there is no publicly available tool to decrypt the hash. ... (Pen-Test) Re: Cached NT/W2k passwords ... > Has anyone been able to decrypt the hash password from ... If you're talking about the CachedLogonsCount registry key, there has been a thread 2 weeks ago on ... there is no publicly available tool to decrypt the hash. ... (Pen-Test) Re: SharePoint reinstall fails ... For future references in case you need to do it again the ... registry key deletes and port 'adjustments' are a key step to the procedure. ... it, removing the virtual server, removing the Application pool and any ... seems to work till I then try to configure the configuration database. ... (microsoft.public.windows.server.sbs) Most recently used file list ... remove the ntire list by removing a registry key. ... to be able to limit this list to say 3 or 4 entries. ... Kevin Rudd ... (microsoft.public.exchange.misc)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ms  > 2002-03