Access Denied: Protection from L0phtCrack

Learn how to protect your Windows 2000 and Windows NT servers from L0phtCrack and similar tools.

ITPro Today

July 29, 2001


I expect to have Windows NT computers in the Windows 2000 Active Directory (AD) domain for some time to come. I've read that NT can support only NT LAN Manager (NTLM) authentication, which is easy to crack. Does a Win2K domain that includes some NT computers fall back to NTLM, and if so, can it still be sniffed and cracked? Can I switch to Kerberos authentication? Also, how do I use group policy to control my NT computers?

You're right—NT supports only the NTLM Challenge/Response authentication protocol. L0phtCrack (available at http://www.atstake.com/research/lc3/download.html) lets a malicious employee or attacker capture NTLM packets from the network when a user logs on and crack them to obtain the user's password. A few months ago, Microsoft released Active Directory Client Extensions for NT Workstation 4.0 (available at http://www.microsoft.com/ntworkstation/downloads/other/adclient.asp), but this extension doesn't make NT Kerberos-aware.

The AD client simply extends site awareness to NT computers so that they can find the nearest domain controller (DC). The AD client also makes NT capable of using Win2K's Dfs and AD Windows Address Book and installs Active Directory Service Interfaces (ADSI).

In short, you can't make NT Kerberos-aware, but you can defeat L0phtCrack. To do this, you must implement NTLMv2, which is supported by Win2K and by NT 4.0 with Service Pack 4 (SP4) or later. To learn more about NTLMv2, see the Microsoft article "How to Disable LM Authentication on Windows NT" (http://support.microsoft.com/support/kb/articles/q147/7/06.asp).

Unfortunately, AD's group policy functionality doesn't apply to NT or Windows 9x computers, even with the AD client extensions installed. To take advantage of Win2K's new security features, such as centralized security configuration, IP Security (IPSec), Kerberos, and Encrypting File System (EFS), you must migrate all your computers to Win2K—workstations, servers, and DCs. You can, however, still use System Policies stored on the Netlogon share of Win2K DCs to control registry settings on your NT and Win9x computers.
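To check the NTLMv2 step described above on each machine, the following added example (not part of the original article) reads a regedit text export and reports which LM/NTLM responses a host still sends or accepts. It assumes the setting is the `LMCompatibilityLevel` value under `Control\Lsa` that Microsoft documents for this purpose (the article does not quote it), that exports are in REGEDIT4 text form, and that an absent value means level 0; the host names and sample exports are constructed.

```python
import re

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
DEFAULT_LEVEL = 0  # assumption: value absent means level 0 (NT 4.0 / Win2K default)

def lm_compat_level(reg_text):
    """Return LMCompatibilityLevel from regedit export text, or the default if unset."""
    in_lsa = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_lsa = line[1:-1].lower() == LSA_KEY  # key names are case-insensitive
            continue
        m = re.match(r'"lmcompatibilitylevel"=dword:([0-9a-f]{8})$', line, re.I)
        if in_lsa and m:
            return int(m.group(1), 16)
    return DEFAULT_LEVEL

def assess(reg_text, is_dc=False):
    """Return (level, findings) listing the LM/NTLM responses still in use."""
    level = lm_compat_level(reg_text)
    findings = []
    if level < 2:
        findings.append("client sends LM and NTLM responses")
    elif level == 2:
        findings.append("client sends NTLM responses")
    if is_dc and level < 4:
        findings.append("DC accepts LM and NTLM responses")
    elif is_dc and level == 4:
        findings.append("DC accepts NTLM responses")
    return level, findings

# Constructed sample exports (hypothetical hosts), not taken from the article.
NTLMV2_ONLY = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000003
'''
UNSET = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"auditbaseobjects"=dword:00000000
'''
DC_LEVEL4 = NTLMV2_ONLY.replace("00000003", "00000004")

if __name__ == "__main__":
    for name, text, dc in [("nt4-ws01", NTLMV2_ONLY, False), ("nt4-ws02", UNSET, False),
                           ("w2k-dc01", DC_LEVEL4, True)]:
        level, findings = assess(text, dc)
        print(name, level, findings or "NTLMv2 only")
```

Level 3 is what stops a client from sending LM and NTLM responses; levels 4 and 5 only change what a DC accepts.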
