[unisog] removing LM hashes from a large Active Directory

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Feb 26 22:36:37 GMT 2008


On Wed, 27 Feb 2008 11:20:05 +1300, Russell Fulton said:
> Some time ago we turned off LM authentication on our AD and we would  
> now like to get rid of the LM hashes from the directory.  Resetting  
> passwords will do this but we really don't want to force everyone to  
> change their passwords out of the normal schedule

Well, you *could* just wait 2-3 months and let the password changes do the
work for you. :)

I have to wonder exactly how predictable your user password changes are, and
what attack leverage a clever adversary can make.  "Oh, the password will be
changed between 9:03 and 9:07 Tuesday when Shirley gets the flame-gram
reminding her to change it when she tries to login"...  On the flip side, you
can use it as a factor in an intrusion monitoring system - if a password is
changed 71 days after the previous change, rather than between 88 and 90,
there's something obviously wrong with the userid or user... ;)
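The two ideas in the reply above (let the normal change cycle flush the LM hashes, and treat an off-schedule change as a monitoring signal) as a worked script. This is an added example, not code from the original post or its author. It assumes values that the mail does not give: the date the NoLMHash policy took effect, a 90-day maximum password age, and a CSV snapshot of PasswordLastSet from a previous run to compare against. It needs the RSAT ActiveDirectory module.

```powershell
<#
Added example, not from the original post.
  1. List enabled accounts whose password was last set before LM hash storage
     was turned off; those may still carry an LM hash until the next change.
  2. Flag accounts whose password changed well ahead of the normal schedule
     since the last run (the "71 days instead of 88-90" signal).
Assumed, not stated in the mail: $NoLMHashSince, $MaxPasswordAgeDays,
and a snapshot file from a previous run at $SnapshotPath.
#>
param(
    [datetime]$NoLMHashSince     = '2007-11-01',   # assumed: when NoLMHash took effect
    [int]$MaxPasswordAgeDays     = 90,             # assumed domain policy
    [int]$EarlyByDays            = 14,             # flag changes at least this many days early
    [string]$SnapshotPath        = "$env:TEMP\pwdlastset-snapshot.csv"
)

Import-Module ActiveDirectory

# PasswordLastSet is the DateTime view of pwdLastSet; $null means "must change at next logon".
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires)

# --- Check 1: accounts that may still carry an LM hash -----------------------
$mayHaveLM = @($users | Where-Object {
    $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $NoLMHashSince
})
"{0} of {1} enabled accounts last set a password before {2:d} and may still have an LM hash." -f $mayHaveLM.Count, $users.Count, $NoLMHashSince

# Accounts exempt from expiry never cycle on their own; waiting does nothing for them.
$mayHaveLM | Where-Object { $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordLastSet |
    Format-Table -AutoSize

# --- Check 2: off-schedule password changes since the previous snapshot ------
if (Test-Path $SnapshotPath) {
    $previous = @{}
    Import-Csv $SnapshotPath | ForEach-Object {
        if ($_.PasswordLastSet) { $previous[$_.SamAccountName] = [datetime]$_.PasswordLastSet }
    }
    foreach ($u in $users) {
        if (-not $u.PasswordLastSet -or -not $previous.ContainsKey($u.SamAccountName)) { continue }
        $prev = $previous[$u.SamAccountName]
        if ($u.PasswordLastSet -le $prev) { continue }   # unchanged since the snapshot
        $interval = ($u.PasswordLastSet - $prev).TotalDays
        if ($interval -lt ($MaxPasswordAgeDays - $EarlyByDays)) {
            "{0}: password changed {1:N0} days after the previous one (expected about {2}); review." -f $u.SamAccountName, $interval, $MaxPasswordAgeDays
        }
    }
}

# Save the current state so the next run can compare intervals.
$users |
    Select-Object SamAccountName,
        @{ n = 'PasswordLastSet'; e = { if ($_.PasswordLastSet) { $_.PasswordLastSet.ToString('o') } } } |
    Export-Csv -NoTypeInformation -Path $SnapshotPath
```

Run it once to take the baseline, then on a schedule; the first check shrinks toward zero as the password cycle completes, and the accounts it keeps reporting (non-expiring or never-logged-in) are the ones that will still need a deliberate reset.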


