Do Not Store LAN Manager Hash Value
This is actually a tweak. NoLMHash is the name of the Registry value (on Windows XP and Server 2003) or key (Windows 2000) that you set to turn on this tweak. In Group Policy on Windows XP and higher, the setting is called "Network Security: Do not store LAN Manager hash value on next password change."
Using this setting, you can turn off creation of LM hashes across a domain or system. Ideally, this setting will never have any direct impact on security, because if it does, it means your domain controller has been hacked. Just in case, though, we recommend disabling storage of LM hashes. In most cases, the primary benefit of this setting is that it breaks compatibility with Windows 9x.
NOTE: If bad guys have access to your password hashes, you have already been hacked. Cracking hashes will not give them any additional access on the domain where they came from. Cracking hashes will only allow them to access other domains where the same users are using the same passwords. In addition, with the proper tools, attackers do not need to crack passwords at all; they can use the hashes directly. Therefore, the actual security benefit of turning off LM hash storage is realistically quite minimal.
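To confirm the setting on a given machine, the following added example (not part of the original text) checks both forms described above: the NoLMHash value used on Windows XP and Server 2003, and the NoLMHash key used on Windows 2000. The registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa does not appear in the text above, and the function name Get-NoLMHashState is hypothetical.

```powershell
# Added example: report whether LM hash storage is turned off on the local machine.
# Get-NoLMHashState is a hypothetical helper name, not a built-in cmdlet.
function Get-NoLMHashState {
    [CmdletBinding()]
    param(
        # LSA configuration key that holds NoLMHash (path is not given in the article).
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    # Windows XP / Server 2003 and later: NoLMHash is a DWORD value; 1 turns the tweak on.
    $prop  = Get-ItemProperty -Path $LsaPath -Name 'NoLMHash' -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.NoLMHash } else { $null }

    # Windows 2000: NoLMHash is a subkey; its presence turns the tweak on.
    # Test-Path only matches registry keys, so a value of the same name does not count here.
    $keyPresent = Test-Path -Path (Join-Path $LsaPath 'NoLMHash')

    $disabled = ($value -eq 1) -or $keyPresent

    # The setting only applies to hashes written from now on.
    $note = if ($disabled) {
        'LM hash storage is off; accounts keep any existing LM hash until their next password change.'
    } else {
        'LM hashes are still created on password change; set NoLMHash or the Group Policy setting.'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        NoLMHashValue     = $value
        NoLMHashKeyExists = $keyPresent
        LMStorageDisabled = $disabled
        Note              = $note
    }
}

# Run the check locally and show the result.
Get-NoLMHashState | Format-List
```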