Re: LM hashes in a hot-desking environment

[3APA3A <3APA3A@xxxxxxxxxxxxxxxx>]

Dear feedb4ck@xxxxxxxx,

--Thursday, May 25, 2006, 5:46:43 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

fzo> Although it is a well known fact that Windows desktops and servers still
fzo> use LM Hashes and cache the last ten userids and passwords locally, just
fzo> in-case an Active Directory, Domain, or NDS tree are not available, has
fzo> anyone thought about the consequences of this issue in a hot-desking, or
fzo> flexible working environment?

Windows  doesn't  cache  passwords.  If I remember correctly, the cached
value  is  actually  MD5  from  NT  key and can not be used directly. LM
hashes     can     be     disabled    through    group    policy,    see
http://support.microsoft.com/?kbid=299656.   Local   SAM  doesn't  store
domain accounts.

fzo> Now, I know what everyone is saying, wait a minute, for PWDUMP to work you
fzo> need to be administrator to the local machine.   But think again, how
fzo> often is this the case?  Many companys only look to restrict network
fzo> access - as restricting local access may cause issues with applications
fzo> which need to access the local drive.

If  your users on shared hosts work with local administrators privileges
- you have no security at all. Forget about about PWDUMP, it's too hard.
Think   about   trojans  and  keyloggers  user  can  install  to  obtain
credentials  of  different  user. Even more: if you have shared computer
and  you  have  no  physical  security,  everyone  can  install hardware
keylogger.

Your problem is you have strange approach to security. Good approach is:

What should I protect?

-- 
~/ZARAZA
http://www.security.nnov.ru/