Do not store LAN Manager hash value on next password change

  • Last Post 13 February 2017
  • Topic Is Solved
minwar posted this 07 February 2017

Hi, I have been monitoring the netlogon logs and so far there are no indications of LM usage. I have a few questions around switching this setting on though. What is the backout for this if you switch it on, a bunch of accounts change their passwords, and something comes out of the woodwork? Restoring the user object? Also, presumably this is a replicated change, i.e. you can't security-filter the setting so that one DC has the LM hash and another doesn't.

daemonr00t posted this 07 February 2017

LanManager hash is outdated and deprecated. It should be in use.

https://technet.microsoft.com/en-us/library/jj852276.aspx

I’m amazed you are using it.

~danny CS

minwar posted this 07 February 2017

It almost certainly won't be in use, but I still need a back-out plan for the change control. And it wouldn't be the first time some obscure non-MS application came out of the woodwork to bite us in the ass.

SmitaCarneiro posted this 09 February 2017

Can you audit this before switching it off? I know you can audit NTLM.

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
Ross Enterprise Center
3495 Kent Avenue, Suite 100
West Lafayette, IN 47906

minwar posted this 10 February 2017

@Smita - Yes, you can get this from the netlogon logs. See:

https://blogs.technet.microsoft.com/askds/2012/02/02/purging-old-nt-security-protocols/


Ravi.Sabharanjak posted this 10 February 2017

When you enable this setting to not have the hash stored, does it clear the existing stored hash? If not, does each account need to go through a password change to get rid of the hashes? Is there a manual way to clear the hashes?

Thanks, -Ravi

chriss3 posted this 10 February 2017

The hashes do not get cleared, they just don’t get updated on the next password change/set. The old LM hash remains as long as the object remains; new objects created after this setting simply have the null AAD3B435B51404EE value, if I recall correctly.

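A check a change-control owner would want before and after flipping the setting, as an added example that is not part of this thread: the policy discussed above writes the NoLMHash DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and each DC enforces it locally when it processes a password set, so the script reads that value on every DC (it assumes the RSAT ActiveDirectory module and WinRM access to the DCs).

```powershell
# Added example, not from the thread: confirm that "Do not store LAN Manager hash
# value on next password change" is in effect on every domain controller.
# The policy sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1 (REG_DWORD).
# Assumes: ActiveDirectory module (RSAT) is installed and WinRM reaches the DCs.

Import-Module ActiveDirectory

function Get-NoLMHashStatus {
    param(
        # Default to every DC in the current domain.
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        # $null when the value has never been written (policy not applied yet).
        $value = (Get-ItemProperty -Path $key -Name NoLMHash `
                      -ErrorAction SilentlyContinue).NoLMHash
        [pscustomobject]@{
            DC       = $env:COMPUTERNAME
            NoLMHash = $value
            Enforced = ($value -eq 1)
        }
    } | Select-Object DC, NoLMHash, Enforced
}

$status = Get-NoLMHashStatus
$status | Format-Table -AutoSize

# Backout reading: reverting the GPO sets NoLMHash back to 0 (or removes it);
# as the thread notes, nothing is cleared or restored by the value itself,
# the LM hash is simply recomputed on each account's next password change.
$notEnforced = $status | Where-Object { -not $_.Enforced }
if ($notEnforced) {
    Write-Warning ("NoLMHash not enforced on: " + ($notEnforced.DC -join ', '))
}
```

Run it once before enabling the policy (expect 0 or blank everywhere) and once after replication (expect 1 on every DC); a DC still reporting 0 after the change would keep storing LM hashes for password changes it processes.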

minwar posted this 13 February 2017


So is it reversible? I.e. if you disable the GPO setting, does the LM hash get updated/created on a subsequent password change?


chriss3 posted this 13 February 2017

Yes. But the LM hash will then be out of sync, and will be updated again on the next password change.


minwar posted this 13 February 2017

Thanks Chris. That goes some way to calm my fears then. 
