If you have Win9x boxes on a network you are trying to secure then you have
bigger problems than those in NT and the insecurity of NTLM hashes...

I figured this was in reference to firewalls, not file servers in general -
in which case the whole Win9x thing just makes high level security just
about irrelevant.

> -----Original Message-----
> From: Adam Shostack [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 14 June 1999 11:02 pm
> To: John Wiltshire
> Cc: 'spiff'; Firewalls (E-mail)
> Subject: Re: Why not NT?
> 
> 
> This is true, and mostly irrelevant, because there are almost no
> networks without Win9x on them, and NT can't be configured to use only
> NTLM hashes without stopping access from Win9x.  This is because MS
> declines to release a patch to those OSs to use a reasonable
> authentication method.
> 
> Adam
> 
> 
> On Thu, Jun 10, 1999 at 03:29:53PM +1000, John Wiltshire wrote:
> | > http://www.microsoft.com/security/downloads/ITSEC_NT4.0_Installation.EXE
> | > "What the user does not see are internal workings, such as the
> | > system-level encryption of their password so that it is never passed over
> | > the wire in clear text."
> | > 
> | > What they would see is the LanMan hash, the entire Keyspace of which can
> | > be brute forced on an UltraSparc in a few hours with l0pht Crack. (see
> | > http://www.l0pht.com )
> | 
> | FUD.  NT can easily be configured to never send the LanMan hash.  In fact,
> | in the configuration we are talking about, you disable the "Server" and
> | "Workstation" services anyway so no one can get an SMB connection or any
> | hash at all from the machine.

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
