Several things:
Using DOS requires the presence of LM hashes for passwords (because that is all that DOS understands). If you require passwords longer than 15 characters (or users use passwords longer than 15 characters), LM hashes are not generated. Second, there is a group policy to not generate LM hashes for shorter passwords that can be configured. If this group policy is set, DOS connections will still not be available because the DOS clients cannot generate the proper hash for the server. Third, leaving LM hashes leaves your network open to an easier brute force attack because the LM hashes are actually stored as 7-bit sub hashes, and rainbow tables can easily do a lookup on the hashes. You should download ophcrack (or have your security people do it), and the LM rainbow tables, and see how trivial it is to crack those passwords.

In summary, these guys need to be dragged into the 21st century. The Windows Deployment Kit and SCCM should provide all the tools they need to easily re-engineer their processes or create new ones.

Sincerely,
Jeffrey and Mary Jane Harris
VIPCS

_____
From: Christopher Bodnar [mailto:[email protected]]
Sent: Monday, December 27, 2010 10:33 AM
To: NT System Admin Issues
Subject: OT: NTLM and bootable DOS CD

Sorry, just venting:

OK, so we implemented our new SCCM infrastructure about 9 months ago (all W2K8 servers). Almost done with the migration from our old SMS 2003 infrastructure (W2K3 R2 servers). I get a request from our desktop guys last week to create a few shares on the new SCCM servers to hold the workstation images. No problem. So I get a call from the desktop guys saying they can't access the new shares. I ask them how they are being accessed. They say from a bootable DOS CD. I thought they meant WinPE, so I tested that, and verified there are no issues. Go back to the desktop guys and they say, no, it's really DOS 6.22 using NDIS 2.0.

So I start looking into it and found that the old SMS servers have a GPO setting that allows NTLM connections; the rest of the network doesn't. I was not aware of this. Our current policy is to allow NTLMv2 only, and refuse LM and NTLM. I ask them if they can move to WinPE. They tell me the engineering involved will be too much work. So now the question is..... do I put up a fight and go to our Security group and tell them I want to keep NTLMv2, and have the desktop guys re-engineer the process? My guess is that I'll be overruled, and be forced to allow NTLM for the new SCCM servers. Uggghhhh.........

Chris Bodnar, MCSE
Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003

-----------------------------------------
This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
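As an added illustration (not part of either message above), the following PowerShell snippet audits the two server-side settings the thread turns on: the "LAN Manager authentication level" policy (LmCompatibilityLevel) and the "Do not store LAN Manager hash" policy (NoLMHash). It assumes it runs locally on a Windows server with read access to HKLM; the registry path and value names are the standard Lsa ones, and the level descriptions follow the policy's own wording.

```powershell
# Added example: report whether this server would still accept an LM-only
# client (such as a DOS 6.22 / NDIS 2.0 boot disk) and whether it keeps
# LM hashes at all. Assumes local execution with rights to read HKLM.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaPath

# Meaning of each LmCompatibilityLevel value, as documented for the policy
# "Network security: LAN Manager authentication level".
$levelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmAuthState {
    param([Parameter(Mandatory)][object]$LsaProps)

    $level = $LsaProps.LmCompatibilityLevel   # $null when the policy is not set
    $noLm  = $LsaProps.NoLMHash               # 1 = LM hashes are not stored

    # As a server, levels 0-3 still accept LM responses from clients;
    # level 4 refuses LM, level 5 refuses LM and NTLM (NTLMv2 only).
    $acceptsLm = if ($null -eq $level) { 'unknown (OS default applies)' }
                 else { [int]$level -le 3 }

    # The LM hash only exists when NoLMHash is 0 (or unset on older OS
    # versions) AND the account password is 14 characters or shorter.
    $storesLm = if ($null -eq $noLm) { 'unknown (OS default applies)' }
                else { [int]$noLm -eq 0 }

    [pscustomobject]@{
        LmCompatibilityLevel = if ($null -eq $level) { 'not set' }
                               else { "$level - $($levelText[[int]$level])" }
        AcceptsLmResponses   = $acceptsLm
        StoresLmHashes       = $storesLm
        DosClientCouldAuth   = ($acceptsLm -eq $true -and $storesLm -eq $true)
    }
}

Get-LmAuthState -LsaProps $lsa | Format-List
```

A DOS client can only authenticate when both AcceptsLmResponses and StoresLmHashes are true, which is exactly the combination the NTLMv2-only policy in the thread is meant to rule out; the same two values can be read from a GPO result report on each SCCM server to confirm which policy actually applies there.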
