Tech or Treat! Write an article about your scariest tech disaster to win gadgets!Learn more

x
?
Solved

Removing the LAN Manager Hash using Group Policy

Posted on 2012-03-21
6
Medium Priority
?
589 Views
Last Modified: 2012-03-28
I'm gearing up for a security audit and one thing I'd like to try is removing the lm hash file from my machines.  It looks like a simple GP change:

http://support.microsoft.com/kb/299656

I'm just curious how exactly this should work.  From what I've read the LM hash is stored in the c:\windows\system32\config folder in a SAM file.  Once I create the new policy should that file be gone from the machine?  I need a way to confirm that its doing what I think it should be doing.
0
Comment
Question by:First Last
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
6 Comments
 
LVL 6

Expert Comment

by:dave_it
ID: 37747929
My understanding of that setting is that a workstation will not store the LAN Manager hash starting the next time a password is changed.  So it's not an immediate elimination of the LM hash, but it will eventually go away as long as users are forced to change their passwords regularly.
0
 
LVL 1

Author Comment

by:First Last
ID: 37747941
Ouch, the audit is on Wednesday of next week.  Let me dig around and see if I can find more info on that one, I'm testing now as well.  Thanks for the tip!
0
 
LVL 1

Author Comment

by:First Last
ID: 37748261
Are you sure we're talking about the same policy?  I see two similar options:

Network security:  Do not store LAN manager hash value on next password change

and

Network security:  Do not allow storage of passwords and credentials for network authentication

I'm using the second option.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 1

Author Comment

by:First Last
ID: 37748416
So I've been testing and my plan was to compare the size of the SAM file after making the change.  I discovered that each SAM file is exactly 256kb on every machine I've checked, even on different operating systems.  So I don't think my plan to verify its working would be valid if the file size does not change.

Any way for me to easily check this?
0
 
LVL 1

Accepted Solution

by:
First Last earned 0 total points
ID: 37757361
As it turns out domain accounts are not stored in the SAM file but in the registry.  The only way I could find to remove stored accounts after the GPO change is manually visiting each station
0
 
LVL 1

Author Closing Comment

by:First Last
ID: 37775752
Found my own solution
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

647 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question