Solved

Removing the LAN Manager Hash using Group Policy

Posted on 2012-03-21
Last Modified: 2012-03-28
I'm gearing up for a security audit and one thing I'd like to try is removing the LM hash file from my machines.  It looks like a simple GP change:

http://support.microsoft.com/kb/299656

I'm just curious how exactly this should work.  From what I've read the LM hash is stored in the c:\windows\system32\config folder in a SAM file.  Once I create the new policy should that file be gone from the machine?  I need a way to confirm that it's doing what I think it should be doing.
Question by:First Last
LVL 6

Expert Comment

by:dave_it
ID: 37747929
My understanding of that setting is that a workstation will not store the LAN Manager hash starting the next time a password is changed.  So it's not an immediate elimination of the LM hash, but it will eventually go away as long as users are forced to change their passwords regularly.
LVL 1

Author Comment

by:First Last
ID: 37747941
Ouch, the audit is on Wednesday of next week.  Let me dig around and see if I can find more info on that one, I'm testing now as well.  Thanks for the tip!
LVL 1

Author Comment

by:First Last
ID: 37748261
Are you sure we're talking about the same policy?  I see two similar options:

Network security: Do not store LAN Manager hash value on next password change

and

Network security: Do not allow storage of passwords and credentials for network authentication

I'm using the second option.
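A direct way to confirm on a workstation which of these two policies has actually applied, as an added example that is not from the thread: it reads the LSA registry value each policy writes when enabled (NoLMHash, the value the KB article linked in the question describes, and DisableDomainCreds) and reports its state. It assumes an elevated PowerShell session on the target machine after a gpupdate.

```powershell
# Added example (not part of the original thread). Run elevated on the workstation
# after 'gpupdate /force'; 'gpresult /scope computer /r' shows whether the GPO was
# applied at all, while this script shows what it actually wrote to the registry.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Map each policy named in the comment above to the registry value it sets when Enabled.
# NoLMHash is the value KB299656 describes: it stops LM hash storage from the next
# password change onward, so any LM hash already stored remains until then.
# DisableDomainCreds governs saved Credential Manager credentials, not LM hashes.
$policies = @(
    [pscustomobject]@{
        Value  = 'NoLMHash'
        Policy = 'Network security: Do not store LAN Manager hash value on next password change'
    }
    [pscustomobject]@{
        Value  = 'DisableDomainCreds'
        Policy = 'Network security: Do not allow storage of passwords and credentials for network authentication'
    }
)

foreach ($p in $policies) {
    # A missing value produces a non-terminating error; silence it and treat it as "not set".
    $item = Get-ItemProperty -Path $lsaKey -Name $p.Value -ErrorAction SilentlyContinue
    $data = if ($null -ne $item) { $item.($p.Value) } else { $null }

    if ($null -eq $data) {
        $state = 'NOT SET  (policy has not applied; OS default in effect)'
    } elseif ($data -eq 1) {
        $state = 'ENABLED'
    } else {
        $state = "DISABLED (value $data)"
    }

    '{0,-19} {1,-58} {2}' -f $p.Value, $state, $p.Policy
}
```

Because NoLMHash only takes effect at the next password change, pair this check with the user's password-last-set date when auditing whether a given account can still have an LM hash stored.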
LVL 1

Author Comment

by:First Last
ID: 37748416
So I've been testing and my plan was to compare the size of the SAM file after making the change.  I discovered that each SAM file is exactly 256kb on every machine I've checked, even on different operating systems.  So I don't think my plan to verify it's working would be valid if the file size does not change.

Any way for me to easily check this?
LVL 1

Accepted Solution

by:First Last (earned 0 total points)
ID: 37757361
As it turns out, domain accounts are not stored in the SAM file but in the registry.  The only way I could find to remove stored accounts after the GPO change is manually visiting each station.
LVL 1

Author Closing Comment

by:First Last
ID: 37775752
Found my own solution