
Removing the LAN Manager Hash using Group Policy

I'm gearing up for a security audit and one thing I'd like to try is removing the LM hash from my machines.  It looks like a simple GP change:

http://support.microsoft.com/kb/299656

I'm just curious how exactly this should work.  From what I've read the LM hash is stored in the c:\windows\system32\config folder in a SAM file.  Once I create the new policy, should that file be gone from the machine?  I need a way to confirm that it's doing what I think it should be doing.
dave_it commented:
My understanding of that setting is that a workstation will not store the LAN Manager hash starting the next time a password is changed.  So it's not an immediate elimination of the LM hash, but it will eventually go away as long as users are forced to change their passwords regularly.
First Last (author) commented:
Ouch, the audit is on Wednesday of next week.  Let me dig around and see if I can find more info on that one, I'm testing now as well.  Thanks for the tip!
First Last (author) commented:
Are you sure we're talking about the same policy?  I see two similar options:

Network security:  Do not store LAN manager hash value on next password change

and

Network security:  Do not allow storage of passwords and credentials for network authentication

I'm using the second option.
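The two policies named in the comment above are different controls, and neither is verified by looking at the SAM file. Both are applied by writing a REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: "Do not store LAN Manager hash value on next password change" sets NoLMHash = 1 (the value KB299656 describes), while "Do not allow storage of passwords and credentials for network authentication" sets DisableDomainCreds = 1, which stops Credential Manager from saving network credentials and has no effect on LM hash storage. The PowerShell below is an added example, not code from the thread, and it reads both values from a list of workstations over WinRM so you can see which policy actually reached which machine; the computer names WKS01 and WKS02 are placeholders.

```powershell
# Added example (not from the original thread): report the registry state behind
# the two "Network security" policies on a set of workstations.
#
#   NoLMHash           = 1  -> "Do not store LAN Manager hash value on next password change"
#   DisableDomainCreds = 1  -> "Do not allow storage of passwords and credentials for
#                              network authentication" (Credential Manager, not LM hashes)
#
# Requires PowerShell remoting (WinRM) on the targets and an account that can
# read HKLM on them.

function Get-LmHashPolicyState {
    param(
        [Parameter(Mandatory)]
        [string[]] $ComputerName
    )

    # Registry values written by the two policies.
    $names = @('NoLMHash', 'DisableDomainCreds')

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

        foreach ($name in $using:names) {
            # A value that was never written reads back as $null.
            $value = $lsa.$name
            $display = if ($null -eq $value) { '<not set>' } else { $value }

            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Setting  = $name
                Value    = $display
                Enabled  = ($value -eq 1)   # $false when absent or 0
            }
        }
    }
}

# Placeholder names; replace with your own workstation list (e.g. from Get-ADComputer).
Get-LmHashPolicyState -ComputerName 'WKS01', 'WKS02' |
    Sort-Object Computer, Setting |
    Format-Table Computer, Setting, Value, Enabled -AutoSize
```

A row with NoLMHash enabled confirms only that the policy has been applied; an LM hash already stored for an account stays until that account's password is changed, so an audit-day check still needs forced password changes to have happened. Note also where the hashes live: a workstation's SAM holds only local accounts, while domain account hashes are stored in Active Directory on the domain controllers, so the NoLMHash setting that matters for domain users is the one in effect on the DCs. The SAM file size is no indicator either way, since registry hives grow in fixed-size increments; a 256 KB file says nothing about how many hashes it contains.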
First Last (author) commented:
So I've been testing and my plan was to compare the size of the SAM file after making the change.  I discovered that each SAM file is exactly 256 KB on every machine I've checked, even on different operating systems.  So I don't think my plan to verify it's working would be valid if the file size does not change.

Any way for me to easily check this?
First Last (author) commented:
As it turns out, domain accounts are not stored in the SAM file but in the registry.  The only way I could find to remove stored accounts after the GPO change is manually visiting each station.
First Last (author) commented:
Found my own solution