Disabling the LanMan Hash

I’m taking another look at whether or not it is worthwhile to disable the LANMAN hash. If you don’t know what that is, this is probably not the article for you.
The LANMAN hash is listed on the SANS/FBI Top 20 list. Microsoft says to disable it if you don’t need the backward compatibility.
Yet Jesper Johansson pretty much calls doing this security theatre. In his opinion, someone who compromises the password database isn’t going to be cracking the passwords; instead they will be replaying the hash. But sometimes the password itself is needed, such as when going after EFS or if the password might be used on other non-Windows accounts.
I need to think about this.

One Comment

  1. Disabling the LAN Manager Hash Value

    We finally got around to disabling the LAN Man Hash value on our domain controller. As Jesper Johansson and Steve Riley say in Protect your Windows Network, Ideally this setting will never have any direct impact on security because if…
