Somewhere on the Microsoft web site (security section?), they have an
article on how to turn off (via the registry) the Lan Manager hash
for Win NT 4.0. It's a pity Microsoft didn't port the full NT PPTP
implementation as part of the Dial-Up 1.2 upgrade. One would hope
Microsoft won't make the same mistake with the KERBEROS port for
NT 5.0 and offer support in the Memphis release....
Personal Opinions provided by
Leonard Miyata
aka leonard @ geminisecure . com

On Sun, 2 Nov 1997, Russ wrote:
> >So there's no way to force the NT server to refuse LanMan hashes?
> >That'd be the easiest and most obvious way to avoid the issue; must mean
> >that it's impossible. :-(
>
> I honestly don't think it's a matter of being impossible, as surely it
> isn't. One thing I would look for, however, is just whether or not all
> NT functions that involve hashes are done using NT hashes only (this
> would be a logical extrapolation of their statement that LM hashes are
> only removed if enforced on both the server *and* the client).
>
> I do think it's a matter that to do so would prevent the use of Win95,
> and I believe MS feels this setting would cause too many support issues.
> It would also glaringly focus attention on the insecurities of Win95
> (not that they try and say it is secure, just that they probably don't
> want it pointed out so vividly).
>
> Humble opinions all of my own.
>
> Cheers,
> Russ
>
>