Can samba mitigate the vulnerability of NT hashes?

Stefan (metze) Metzmacher metze at samba.org
Thu Jan 10 01:57:37 MST 2013


> We use the following registry settings to improve NT-based systems (from a Windows command prompt):
> 
> reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v ntlmminclientsec /t REG_DWORD /d 0x20080000 /f
> reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v ntlmminserversec /t REG_DWORD /d 0x20080000 /f
> rem lmcompatibilitylevel=5 send/accept ntlmv2 only
> reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel /t REG_DWORD /d 5 /f
> 
> These are used on XP, Windows 7, WinServer 2003/2008.
> If the client isn't forced to use your protocol of choice it will try, and hence be vulnerable, when it tries others.
> 
> On the Samba 3.6.X PDC side, these complete the setup:
>  lanman auth = no
>  lm announce = no

"lm announce" has nothing to do with authentication...

metze
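
An added example, not part of the original mail or of Samba: a Python audit of the settings discussed in this thread, run over constructed `reg query` output and a constructed smb.conf. It assumes the documented meaning of the two bits in 0x20080000 (require NTLMv2 session security, require 128-bit encryption) and, following the reply above, leaves "lm announce" out of the authentication check; the function names are hypothetical.

```python
import re

# Bits that the quoted value 0x20080000 sets in ntlmminclientsec/ntlmminserversec.
REQUIRE_NTLMV2_SESSION = 0x00080000
REQUIRE_128BIT = 0x20000000

def parse_reg_query(text):
    """Return {lower-cased value name: int} for REG_DWORD lines of `reg query` output."""
    pattern = r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)"
    return {m.group(1).lower(): int(m.group(2), 16)
            for m in re.finditer(pattern, text, re.M)}

def audit_registry(values):
    """List deviations from the three registry settings quoted in the mail."""
    findings = []
    level = values.get("lmcompatibilitylevel")
    if level != 5:
        findings.append(f"lmcompatibilitylevel is {level}, expected 5")
    for name in ("ntlmminclientsec", "ntlmminserversec"):
        value = values.get(name, 0)  # a missing value requires nothing
        if not value & REQUIRE_NTLMV2_SESSION:
            findings.append(f"{name}: NTLMv2 session security not required")
        if not value & REQUIRE_128BIT:
            findings.append(f"{name}: 128-bit encryption not required")
    return findings

def audit_smb_conf(text):
    """Report an explicitly enabled 'lanman auth' in [global]; 'lm announce' is not checked."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, val = line.split("=", 1)  # Samba ignores case and spaces in names
            params["".join(key.lower().split())] = val.strip().lower()
    enabled = params.get("lanmanauth") in ("yes", "true", "on", "1")
    return ["lanman auth is enabled"] if enabled else []

# Constructed sample input, not taken from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    lmcompatibilitylevel    REG_DWORD    0x3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    ntlmminclientsec    REG_DWORD    0x20080000
    ntlmminserversec    REG_DWORD    0x0
"""
SAMPLE_SMB = "[global]\n  lanman auth = yes\n  lm announce = yes\n"
print(audit_registry(parse_reg_query(SAMPLE_REG)) + audit_smb_conf(SAMPLE_SMB))
```
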
