Division of IT: Security
Best Practices: LMHASH Removal
On June 15, 2008, the Division of IT will configure the UM Active Directory domain to no longer store LMHASH (LAN Manager hash) versions of passwords. This change takes effect for each user the next time that user changes their password. The campus Active Directory domains have already been configured not to store LMHASH passwords.
The reason for this change is that the LMHASH is a weak, legacy hashing method that is not required by any currently supported operating system. However, some legacy systems, or current systems that are improperly configured, may be affected. These include all Windows 9x variants, Windows ME, Windows NT4 prior to Service Pack 4, and xNix machines running certain configurations of the SAMBA service.
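To make the weakness concrete, the following added example (written for this page, not part of the Division of IT notice) models only the input preparation of the LMHASH: case folding, truncation to 14 characters, null padding and the split into two independent 7-byte blocks. The DES step that follows in the real algorithm is deliberately left out; the function names, and the assumption that passwords are ASCII, are this example's own. The one constant it carries, the well-known hex value of an LM half computed from an all-padding block, is the value Windows stores for both halves when a password is longer than 14 characters, which is why the procedures below use a 15-character-or-longer password as the test.

```python
# Added example: why the LM hash is weak, and the length rule the notice relies on.
# Only the pre-DES input preparation is modelled; no hash is computed here.
from typing import Optional, Tuple

LM_MAX_LEN = 14
# Well-known value of one LM half derived from an all-null (padding only) block.
# Windows stores this for both halves when it cannot build an LM hash at all.
EMPTY_HALF_HEX = "aad3b435b51404ee"


def lm_halves(password: str) -> Optional[Tuple[bytes, bytes]]:
    """Return the two 7-byte blocks an LM hash would be built from.

    Returns None when the password exceeds 14 characters: no LM hash can
    represent such a password, so nothing usable is stored for it.
    Assumption for this example: the password is plain ASCII.
    """
    if len(password) > LM_MAX_LEN:
        return None
    # LM folds to upper case before hashing, so "Secret" and "SECRET" collide.
    folded = password.upper().encode("ascii", errors="replace")
    # Null-pad to exactly 14 bytes, then split into two halves that are
    # hashed independently of each other.
    padded = folded.ljust(LM_MAX_LEN, b"\x00")
    return padded[:7], padded[7:]


def lm_exposure(password: str) -> dict:
    """Summarise what an LM hash of this password would reveal about it."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_hash_stored": False, "reason": "longer than 14 characters"}
    first, second = halves
    return {
        "lm_hash_stored": True,
        # Mixed-case passwords gain nothing: the hash is of the upper-cased form.
        "case_folded": password != password.upper(),
        # A password of 7 characters or fewer leaves the second half as pure
        # padding, so its hash half is the constant EMPTY_HALF_HEX.
        "second_half_is_padding": second == b"\x00" * 7,
        # Each half can be attacked on its own; 7 characters is the ceiling.
        "effective_chars_per_half": 7,
    }


if __name__ == "__main__":
    for pw in ("Secret", "abcdefghij", "Passphrase-of-15+"):
        print(pw, lm_exposure(pw))
```

The `lm_exposure` result for a 15-character or longer password reports that no LM hash is stored, which is the condition the rest of this notice tests for.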
Windows 9x, ME, NT4 (Pre-SP4)
Use a local account on a "pass-through" system to copy data to a domain machine.
- Create a local account on a domain machine that has a password less than 14 characters.
- Set up a job on the unsupported system to copy data to the domain machine using the local account.
Alternatively, install the Active Directory add-on, which gives the client workstation:
- Site Awareness
- ADSI scripting API
- DFS Awareness (proper)
- NTLM v2 Authentication
- AD WAB property page awareness
It does not give the client:
- Kerberos support
- GPO
- IPSec or L2TP (although there is a separate client for 98 and NT for this)
- Service Principal Name resolution.
More information about the add-on can be found on the Microsoft Support site, and downloaded from Microsoft at http://download.microsoft.com/.
The Division of IT will not support the add-on, since the operating systems that would require it are not on the Supported Software List.
xNix Running SAMBA
- Change the password of an account to greater than 14 characters.
- Attempt to authenticate to your SAMBA system.
- If you authenticate successfully, then the system is configured properly.
- If authentication is not successful, then follow the ADS Security Mode instructions.
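The login test above tells you whether a Samba server still depends on LM hashes; the following added example (not part of the notice) shows how to check the configuration directly. It parses the [global] section of an smb.conf the way Samba reads parameter names (case and whitespace are ignored) and flags the real Samba options `lanman auth` and `client lanman auth` when they are set to yes or left unset, plus a `security` mode other than `ads`, which is the mode the ADS Security Mode instructions point to. The two configuration samples and the function names are constructed for this example; the realm is a placeholder.

```python
# Added example: audit an smb.conf [global] section for settings that keep a
# Samba server dependent on LM hashes. Option names are real Samba parameters;
# the sample configurations below are constructed for this example.
import re
from typing import Dict, List, Optional


def parse_global(smb_conf: str) -> Dict[str, str]:
    """Return the [global] section as {normalised_key: value}.

    Samba ignores case and whitespace in parameter names, so 'Lanman Auth'
    and 'lanmanauth' are the same key. Lines starting with '#' or ';' are
    comments, as in Samba.
    """
    settings: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[re.sub(r"\s+", "", key).lower()] = value.strip()
    return settings


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_lm_settings(smb_conf: str) -> List[str]:
    """Return findings to fix; an empty list means no LM dependency was found."""
    g = parse_global(smb_conf)
    findings: List[str] = []
    # Server side ('lanman auth') is what the notice is about; the client side
    # matters when this host itself mounts shares from the domain.
    for key, label in (("lanmanauth", "lanman auth"),
                       ("clientlanmanauth", "client lanman auth")):
        value = g.get(key)
        if value is None:
            # The default changed between Samba releases, so require it explicitly.
            findings.append(f"{label} not set: default depends on Samba version, set '{label} = no'")
        elif _is_yes(value):
            findings.append(f"{label} = {value}: LM challenge/response still in use")
    if g.get("security", "").lower() != "ads":
        findings.append("security is not 'ads': follow the ADS Security Mode instructions")
    return findings


# Constructed sample: a server that would still answer LM logons.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   lanman auth = yes
   client lanman auth = yes
[share]
   path = /srv/share
"""

# Constructed sample: the corrected settings (realm is a placeholder).
FIXED_CONF = """
[global]
   workgroup = EXAMPLE
   ; placeholder realm for this example
   realm = EXAMPLE.LOCAL
   security = ads
   Lanman Auth = no
   client lanman auth = no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_lm_settings(conf) or ["ok"])
```

Run it against your own smb.conf by passing the file contents to `audit_lm_settings`; an empty result corresponds to the case where the >14-character login test succeeds, while any finding points at the setting to change before retesting.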