Lanman hash shoe drops

Regular readers might recall that last month we finally disabled storage of the LanMan hash in our Windows domain. It was about time, too.
This week I ran SAMInside and found that I couldn’t crack any passwords for accounts where only the NTLM hash was stored: dictionary attacks and brute force take a lot longer than rainbow tables. That wasn’t the shoe that dropped, though; that was expected and good.
Then I heard that our Accounts Payable check-cutting computer is running Windows 95. After we disabled LanMan hash storage and these users changed their passwords, they suddenly weren’t able to log into the domain from that computer. (With LanMan hash storage disabled, Windows 9x needs the AD services client installed to log into the domain.) I of course thought that was pretty freaking hilarious. I have a feeling, though, that it will make it harder for us to get approval to push through other security tweaks.
I’m glad it broke the computer. Now we know that something critical is relying on Windows 95, and we can rectify the situation. Sure, it caused some people to run around like chickens with their heads cut off, but in the long run things will be better off.
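The setting only takes effect when each account next changes its password, so after flipping it you still want to know which accounts carry an LM hash and which are NTLM-only (and which are the old clients that will break). The following is an added example, not from the original post or from SAMInside: it audits pwdump-style lines (the layout SAMInside and similar tools export) and sorts accounts by what their LM slot reveals. The hash values in the sample dump are constructed, except the well-known empty-string LM and NT markers.

```python
import re
from typing import Dict, List, Tuple

# LM "hash" of the empty string. Windows leaves this value in the LM slot when
# no LM hash is stored, so it is what a dump shows for an account whose
# password was changed after LM hash storage was disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Each 16-hex-digit half of an LM hash is DES over a constant keyed with one
# 7-byte half of the upper-cased password; a null half gives this marker, so
# a second half equal to it means the password is 7 characters or shorter.
EMPTY_LM_HALF = EMPTY_LM[16:]
# NT hash of the empty string: the account really has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line: user:rid:lmhash:nthash:::  Some tools print a non-hex
# placeholder such as "NO PASSWORD****" in the LM slot when none is stored.
PWDUMP = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[0-9a-fA-F]{32}):")

def classify(line: str) -> Tuple[str, str]:
    """Return (account, status) for one pwdump-style line."""
    m = PWDUMP.match(line.strip())
    if m is None:
        raise ValueError(f"not a pwdump line: {line!r}")
    lm, nt = m["lm"].lower(), m["nt"].lower()
    if nt == EMPTY_NT:
        return m["user"], "blank-password"
    if lm == EMPTY_LM or not re.fullmatch(r"[0-9a-f]{32}", lm):
        return m["user"], "ntlm-only"        # LM storage off and password rotated
    if lm[16:] == EMPTY_LM_HALF:
        return m["user"], "lm-stored-short"  # LM hash present, password <= 7 chars
    return m["user"], "lm-stored"            # LM hash present: still needs rotating

def audit(dump: str) -> Dict[str, List[str]]:
    """Group account names by status so the stragglers are easy to list."""
    groups: Dict[str, List[str]] = {}
    for line in dump.splitlines():
        if line.strip():
            user, status = classify(line)
            groups.setdefault(status, []).append(user)
    return groups

# Constructed sample dump (hash values are made up apart from the empty markers).
SAMPLE_DUMP = """\
Administrator:500:1122334455667788aabbccddeeff0011:00112233445566778899aabbccddeeff:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
bob:1002:8899aabbccddeeffaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
apcheck:1003:NO PASSWORD*********************:1234567890abcdef1234567890abcdef:::
"""

if __name__ == "__main__":
    for status, users in sorted(audit(SAMPLE_DUMP).items()):
        print(f"{status:16} {', '.join(users)}")
```

Accounts in the `lm-stored` groups are the ones whose passwords have not been changed since the policy went in; the `lm-stored-short` group also shows why the LM format was worth dropping, since it leaks password length without any cracking.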