Access Denied: Preventing Administrators from Using L0phtCrack

In Windows 2000, thanks to automatic activation of the Syskey utility, @stake's L0phtCrack is useless against password hashes in the SAM or Active Directory (AD) unless the user has Administrator access. To prevent administrators from using L0phtCrack, I added the NoLmHash registry value described in the Microsoft article "New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q299656). However, when I ran a test crack, L0phtCrack still cracked the passwords. What's wrong?

You're right about needing Administrator access to crack password hashes in Win2K. Win2K automatically activates Syskey during installation, which encrypts password hashes stored on disk in the SAM or in AD on domain controllers (DCs). However, an administrator can use L0phtCrack to dump password hashes from OS memory because password hashes in memory aren't encrypted. When you enable NoLmHash, Win2K doesn't automatically delete the LAN Manager hash for users. To get rid of the hash, you must reset each user's password.

Even after you reset passwords, however, administrators will be able to use L0phtCrack because Win2K stores two hashes for each account: the old, weak LAN Manager hash and a stronger Windows NT hash. L0phtCrack can use either hash but will take longer to crack accounts when only the NT hash is present.