Overview
Continuing efforts to make the Berkeley Lab computing environment
more secure, the Computer Protection Program (CPP) will be
eliminating the storage of the LAN Manager (LM) hash at Berkeley
Lab.
Background
Windows passwords are stored in two separate one-way hashes
- a LM hash required by legacy clients; and a NT hash. Your
password is stored in the LM hash using the following algorithm:
- The password is converted to upper case characters
- The password is truncated to 14 characters if longer than
14 characters or padded with spaces if shorter than 14 characters
- The password is then split into two 7-character halves
and two 16 byte hashes are generated using the DES algorithm
- Finally the two 16 byte hashes are concatenated to form
the 32-byte hash.
Due to this weak algorithm, the problem of cracking an LM
hashed password is reduced to cracking one or possibly two
7 character passwords without regard to upper or lower case,
a rather small keyspace by modern standards. Tools have now
become available, such as RainbowCrack,
that make cracking the password stored as a LM hash a trivial
task. To top it off, Microsoft systems store the LM hash by
default. The NT hash on the other hand is considered secure.
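To make the steps above concrete, here is an added example (not code from the original page or from the Lab) that computes an LM hash in Go using the standard library's crypto/des package. Two details matter for reproducing real values: short halves are padded with NUL bytes, and each DES output is 8 bytes, so the two halves written out in hex give the 32-character string. The helper SecondHalfEmpty illustrates the "one or possibly two" remark: any password of 7 characters or fewer leaves the second half at a constant value, which reveals the password's length before any cracking starts. Only ASCII input is handled; the sample passwords are constructed for the demonstration.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fixed 8-byte plaintext that each key half encrypts.
var lmMagic = []byte("KGS!@#$%")

// EmptyLMHalf is the DES output for an all-NUL 7-byte half. Any password
// of 7 or fewer characters produces it as the second half of the hash.
const EmptyLMHalf = "aad3b435b51404ee"

// lmPreprocess performs the steps the text lists: upper-case, truncate
// to 14 bytes, pad (with NUL bytes) and split into two 7-byte halves.
// Only ASCII is handled here; Windows uses the OEM code page.
func lmPreprocess(password string) (first, second [7]byte) {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	var buf [14]byte // zero value gives the NUL padding
	copy(buf[:], p)
	copy(first[:], buf[:7])
	copy(second[:], buf[7:])
	return first, second
}

// desKeyFrom7 spreads the 56 key bits over 8 bytes, leaving the low bit
// of each byte (the DES parity position, ignored by the key schedule) clear.
func desKeyFrom7(s [7]byte) []byte {
	k := []byte{
		s[0] >> 1,
		(s[0]&0x01)<<6 | s[1]>>2,
		(s[1]&0x03)<<5 | s[2]>>3,
		(s[2]&0x07)<<4 | s[3]>>4,
		(s[3]&0x0F)<<3 | s[4]>>5,
		(s[4]&0x1F)<<2 | s[5]>>6,
		(s[5]&0x3F)<<1 | s[6]>>7,
		s[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf encrypts the magic constant with one 7-byte half as the DES key.
func lmHalf(half [7]byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // the key is always 8 bytes, so this cannot happen
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the LM hash of password as 32 lower-case hex characters.
func LMHash(password string) string {
	a, b := lmPreprocess(password)
	return hex.EncodeToString(append(lmHalf(a), lmHalf(b)...))
}

// SecondHalfEmpty reports whether a hash reveals a password of at most
// 7 characters: the second half is then the empty-key constant.
func SecondHalfEmpty(lmhash string) bool {
	return len(lmhash) == 32 && strings.EqualFold(lmhash[16:], EmptyLMHalf)
}

func main() {
	// Constructed sample passwords; "password" and the empty string have
	// widely published LM hash values that this code reproduces.
	for _, pw := range []string{"", "abc", "password", "PaSsWoRd", "LongerThan14chars!"} {
		h := LMHash(pw)
		fmt.Printf("%-20q %s  second half empty: %v\n", pw, h, SecondHalfEmpty(h))
	}
}
```

Running it shows that "password" and "PaSsWoRd" hash identically (case is lost), that everything past the 14th character is ignored, and that a short password announces itself through the constant second half.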
The goal of this effort is to eliminate the storage of LM
hash at Berkeley Lab. This process needs to be undertaken
on both clients and servers. Servers with many user accounts,
such as domain controllers, pose an especially high risk due
to the number of passwords that can be harvested.
Benefits
By removing the LM hash from Berkeley Lab, we reduce the
risk of an attacker harvesting user names and passwords from
Windows systems. An attacker that successfully harvested LM
hash values would have an easy time converting these hashes
into the usable passwords. Once armed with these passwords,
an attacker could successfully attack many other Windows systems
at the lab by simply authenticating to them with the stolen
credentials. This attack would propagate as the attacker repeatedly
stole credentials on the newly compromised systems and
iterated the process. Removing the LM hash from all Windows
systems stops this attack. Windows passwords will only be
stored in the NT hash, which is much more difficult to crack.
How To Disable LM Hash Storage
Removal of the LM hash has two steps, setting the policy
then changing all the passwords.
The first step, setting the policy, involves enabling the
security policy setting "Network security: Do not store
LAN Manager hash value on next password change". Unfortunately,
as the policy states, changing this security policy setting
does not immediately remove the LM hash, instead a password
change is needed to remove the LM hash. Therefore, the second
step of the process is to require all users to change their
password. This new password will not be stored as an LM hash,
thus removing the ability to trivially crack the password
from the system.
There are three methods for applying this policy setting to
a system.
- The first method is to manually change the policy using
the 'Local Security Policy' tool. This tool can be reached
by Start => Programs => Administrative Tools =>
Local Security Policy. Once this tool is active, navigate
to Security Settings => Local Policies => Security
Options and locate the policy "Network security: Do
not store LAN Manager hash value on next password change".
This policy should have a setting of 'Enabled' as shown
in the graphic below.

- The second method is to use a security template to apply
this setting. The IT division and CPP have developed a security
template that sets many important security settings, one
of which is to disable LM hash storage. CPP recommends (and
will soon require) the use of the LBNL security template.
It is available here: IT-SecureBaseline1
Security Template. In order to apply this template,
complete the following steps.
- Create a temporary folder to work in (this example
uses c:\options) and save the security template
to this temporary location.
- Open a command prompt by Start => Run => type
'cmd.exe' and press 'Enter'
- Change the command prompt to your temporary folder
that contains the template, for example 'cd c:\options'
and type the following command, assuming you kept the
default name of the template.
secedit /configure /db temp /cfg IT-SecureBaseline1.inf
- If the command completes successfully, you should
see a Windows dialog similar to the one below. You
can then close the command prompt.
- The final method for installing the security template
involves deployment via AD and GPO. This is the preferred
method for ensuring large groups of systems have the security
template installed. The method will not be covered in detail
here.
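Whichever of the three methods is used, the policy ends up as a single registry value under the Lsa key, and a secedit template expresses it as a line in its [Registry Values] section. The following added example (not the Lab's IT-SecureBaseline1 template or tooling) parses such a template and reports whether it actually enables NoLMHash, which is a useful pre-deployment check before running secedit or attaching the template to a GPO. The embedded template text is constructed for the example; the line format `MACHINE\...\NoLMHash=4,1` (4 meaning REG_DWORD, 1 the data) is the standard security-template syntax.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Registry path that backs the "Do not store LAN Manager hash value on
// next password change" policy. A template line for it looks like
// MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
const noLMHashKey = `MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash`

// Constructed sample template (not the Lab's IT-SecureBaseline1.inf).
const sampleTemplate = `[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
`

// RegistryValues parses the [Registry Values] section of a secedit
// template into path -> {type, data}. Paths are lower-cased because the
// registry is case-insensitive; other sections and ';' comments are skipped.
func RegistryValues(inf string) (map[string][2]string, error) {
	vals := make(map[string][2]string)
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(inf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, ";"):
			continue
		case strings.HasPrefix(line, "["):
			inSection = strings.EqualFold(line, "[Registry Values]")
		case inSection:
			path, rhs, ok := strings.Cut(line, "=")
			if !ok {
				return nil, fmt.Errorf("malformed registry line: %q", line)
			}
			typ, data, ok := strings.Cut(rhs, ",")
			if !ok {
				return nil, fmt.Errorf("missing value type in: %q", line)
			}
			vals[strings.ToLower(strings.TrimSpace(path))] = [2]string{strings.TrimSpace(typ), strings.TrimSpace(data)}
		}
	}
	return vals, sc.Err()
}

// NoLMHashEnabled reports whether the template sets NoLMHash to a
// non-zero REG_DWORD. A template that omits the value leaves the system
// default (LM hash stored) untouched, so that counts as not enabled.
func NoLMHashEnabled(inf string) (bool, error) {
	vals, err := RegistryValues(inf)
	if err != nil {
		return false, err
	}
	v, found := vals[strings.ToLower(noLMHashKey)]
	if !found || v[0] != "4" {
		return false, nil
	}
	n, err := strconv.Atoi(v[1])
	if err != nil {
		return false, fmt.Errorf("NoLMHash data is not numeric: %q", v[1])
	}
	return n != 0, nil
}

func main() {
	ok, err := NoLMHashEnabled(sampleTemplate)
	fmt.Println("template enables NoLMHash:", ok, "error:", err)
}
```

The same parser can be pointed at any template before it is deployed; a template that sets the value to 0, or does not mention it at all, is reported as not enabling the policy rather than silently passing.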
LM Hash Cannot be Disabled with NT4
Microsoft has a mechanism available for turning off the
creation of the LM hashes altogether, but only in Windows
2000, 2003 and XP. This means that NT4 cannot be secured against
this attack. This, along with NT4 being end of life at Microsoft
and therefore unpatchable, are two excellent reasons
to migrate off of NT4.
Possible Impacts
Disabling the LM hash on a system will prevent legacy clients,
clients that only know how to authenticate via LM, from authenticating.
Legacy clients in this context are defined as Windows 95, Windows
98, Windows ME and Samba versions less than 3.0. Two examples
of common impacts that are expected are given below.
- You have a Windows 95 system that logs into the AD. That
system will no longer be able to log in to the AD.
- You have a Samba box that authenticates users via the
AD. Unless you upgrade to Samba 3.0, authentication will
fail.
In order to avoid these impacts, all clients must meet the
requirements for using NTLM, as discussed in the next section.
Client Requirements for NTLM
In order for Windows 95/98/ME clients to authenticate to
the Active Directory, they must have the Directory Services
Client (DSClient) installed and NTLMv2 enabled. The DS client
is available here: DSClient.exe.
A reg file to enable NTLMv2 on Windows 98 is located here:
reg file
In order for Windows NT to authenticate using NTLM hash,
you must have NT4 Service Pack 6a installed. NT 4 is end of
life, so contact CPP if you are running NT4.
In order for Samba to authenticate using NTLM, it must be version
3.0 or above.
Schedule for Securing Servers
The following is the anticipated schedule for removing LM
hash from institutional servers by November 14, 2005.
- Monday - October 31, 2005
LM hash no longer stored on the LBNL Active Directory when
users next change their passwords.
- Tuesday - November 8, 2005
CPP will identify all servers with a significant number of
users (e.g. NT4 domains or workgroup servers) and inform
them about this requirement
CPP will send notification to the known legacy clients about
possible impact
CPP will send notification to CPIC about possible impact (in
the event legacy clients exist that cannot be identified)
CPP will send notification to OU Admins who have users in
their OU with "Password never expires" set. This
setting violates RPM requirements and must be undone before November
14 or the account will be disabled.
- Monday, November 14, 2005
Existing LM hash values will be removed from the LBNL Active
Directory
- Tuesday, November 15, 2005
Mandatory password changes will begin in the LBNL Active
Directory and other servers to ensure any compromised passwords
are rendered useless.
Schedule for Securing Workstations
In the future, CPP will be requiring workstations to disable
LM hash and apply the security template. More information
about this process and a schedule will become available soon.
References
How to prevent Windows from storing a LAN manager hash of
your password in Active Directory and local SAM databases
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656&sd=tech
Restricting LAN Manager Authentication
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b4001049-4dec-4f5b-a249-0f4dfd22c732.mspx