RE: Disabling LM Hash creation

From: Karl Levinson [x y], mvp (levinson_k_at_despammed.com)
Date: 09/30/04


Date: Thu, 30 Sep 2004 09:05:01 -0700


"rusga" wrote:

> .... the setting was now active, but according to LC4, what happened was:
>
> a) The LM and NTLM passwords changed to an *empty* state to all users
> affected.
> b) The LM and NTLM hashes *were created anyway*.
> c) The LM and NTLM hashes were *the same for all users* affected (same
> empty seed).
>
> Now, these few questions arise:
>
> a) Isn't this a worse security scenario?

No, not if you can't use those hashes to log in. If there was a way to use
those hashes [like if an attacker was somehow able to change that registry
value back and reboot the machine, and if this allowed you to log in using
blank passwords], then I suppose that could be a problem. But it remains to
be seen whether that scenario is even possible, and even if it was, you would
probably need to somehow gain administrator privileges to change that
registry value, at which point you already own the machine anyways without
needing to reboot.

> b) Shouldn't the key be renamed to "Blank_LM/NTLM_Passwords" (or the like)?

If you did, you'd cause backwards compatibility issues and have problems
with consistency when templates for one OS are accidentally applied to other
OSes. Unfortunately there are a lot of registry values with cryptic or
misleading names. Keeping registry value names short might help keep the
registry smaller, which might help enhance performance. The NoLMHash name
might still be accurate if this value makes it so that no valid LM hashes can
be used or cracked.
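
An added example, not part of the original post: a Python check that reads a pwdump-style `user:rid:lm:nt:::` export taken after the setting is enabled and separates accounts with no stored LM hash from accounts that still carry one or that really have a blank password. The export format, the `NO PASSWORD` placeholder handling and the sample data are assumptions; the two constants are the standard LM and NT hashes of an empty password.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample export; the non-empty hash values are made up.
SAMPLE_DUMP = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
bob:1002:AAD3B435B51404EEAAD3B435B51404EE:22222222222222222222222222222222:::
carol:1003:33333333333333334444444444444444:55555555555555555555555555555555:::
guest:501:NO PASSWORD*********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

def is_empty(field, empty_hash):
    """True if the field is the empty-password hash or a 'NO PASSWORD' placeholder."""
    field = field.strip().lower()
    return field == empty_hash or field.startswith("no password")

def audit(dump_text):
    """Sort accounts by whether an LM hash is stored and whether the password is blank."""
    report = {"lm_not_stored": [], "lm_still_stored": [], "blank_password": []}
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a user:rid:lm:nt line: {line!r}")
        user, _rid, lm, nt = parts[:4]
        # Every account without a stored LM hash shows the same value here,
        # so identical LM fields across users are expected, not a collision.
        key = "lm_not_stored" if is_empty(lm, EMPTY_LM) else "lm_still_stored"
        report[key].append(user)
        # The NT field decides whether the account really has a blank password.
        if is_empty(nt, EMPTY_NT):
            report["blank_password"].append(user)
    return report

if __name__ == "__main__":
    for finding, users in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

Accounts listed under `lm_still_stored` keep their old LM hash until the password is next changed, so those are the ones to follow up on.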


