Solved

Removing the LAN Manager Hash using Group Policy

Posted on 2012-03-21
6
578 Views
Last Modified: 2012-03-28
I'm gearing up for a security audit and one thing I'd like to try is removing the lm hash file from my machines.  It looks like a simple GP change:

http://support.microsoft.com/kb/299656

I'm just curious how exactly this should work.  From what I've read the LM hash is stored in the c:\windows\system32\config folder in a SAM file.  Once I create the new policy should that file be gone from the machine?  I need a way to confirm that its doing what I think it should be doing.
0
Comment
Question by:First Last
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
6 Comments
 
LVL 6

Expert Comment

by:dave_it
ID: 37747929
My understanding of that setting is that a workstation will not store the LAN Manager hash starting the next time a password is changed.  So it's not an immediate elimination of the LM hash, but it will eventually go away as long as users are forced to change their passwords regularly.
0
 
LVL 1

Author Comment

by:First Last
ID: 37747941
Ouch, the audit is on Wednesday of next week.  Let me dig around and see if I can find more info on that one, I'm testing now as well.  Thanks for the tip!
0
 
LVL 1

Author Comment

by:First Last
ID: 37748261
Are you sure we're talking about the same policy?  I see two similar options:

Network security:  Do not store LAN manager hash value on next password change

and

Network security:  Do not allow storage of passwords and credentials for network authentication

I'm using the second option.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 1

Author Comment

by:First Last
ID: 37748416
So I've been testing and my plan was to compare the size of the SAM file after making the change.  I discovered that each SAM file is exactly 256kb on every machine I've checked, even on different operating systems.  So I don't think my plan to verify its working would be valid if the file size does not change.

Any way for me to easily check this?
0
 
LVL 1

Accepted Solution

by:
First Last earned 0 total points
ID: 37757361
As it turns out domain accounts are not stored in the SAM file but in the registry.  The only way I could find to remove stored accounts after the GPO change is manually visiting each station
0
 
LVL 1

Author Closing Comment

by:First Last
ID: 37775752
Found my own solution
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question