>The Kerberos stuff is only a replacement for the venerable NTLM and even
>more venerable Lanmanager. It is my impression that the SAM was still
>stored in the same hashing manner in Win2K unless you use the strong
encryption
>option for the entire SAM (which is a pain).
L0phtcrack will work on any Windows2000 system that has been upgraded from a
pervious version of NT, but will not work on a clean install version of
Windows2000 that uses Kerberos. If you upgrade an existing system from NT to
Windows2000 you inherit all the vulnerabilities of NT that were on the
previous version. The reason for this is because of mixed mode you have to
support all the old NT systems, hence have all the same vulnerabilities. I
have talked a couple of times with Microsoft's Engineers about this and they
acknowledged that the only way to take full advantage of the security
features of the new Windows2000 OS is to install every system clean and not
upgrade an existing NT system.
Unfortunately I have not been able to find a single company that is doing
this and every single one seems to be upgrading their old systems. To be
rushing to take advantage of some of the features of the new OS companies
are upgrading existing systems, but don't realize the security ramifications
behind these upgrades. Therefore, to save cost, they are upgrading existing
systems and throwing away the security benefits from it. This is also one of
the reasons that if you do a cost analysis of upgrading all systems
Windows2000 and building every system clean with the new OS you will find
the cost staggering.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
