Password Storage in Windows 2003
Jay
2007-02-14 15:38:32 UTC
hi there,

I was hoping someone could clarify a few questions for me regarding
Windows 2003, NTLMv2, and Kerberos.

1) What hash is used in Windows 2003 Server to store passwords in the
SAM file?
My understanding is that each password will be stored by default using both an LM hash (for older compatibility) and using an MD5 hash for NTLMv2. Is this correct?
2) Win2003 uses Kerberos as the default authentication protocol. Now
does using Kerberos store the password differently than the answer
above? or is Kerberos only the authentication protocol and it uses the
NTLMv2 password hash to authenticate a user before it kicks in to do
authentication between servers.

3) Does Kerberos completely replace NTLMv2?


Thank you
DaveMo
2007-02-14 16:25:00 UTC
Post by Jay
hi there,
I was hoping someone could clarify a few questions for me regarding
Windows 2003, NTLMv2, and Kerberos.
1) What hash is used in Windows 2003 Server to store passwords in the
SAM file?
My understanding is that each password will be stored by default using both an LM hash (for older compatibility) and using an MD5 hash for NTLMv2. Is this correct?
2) Win2003 uses Kerberos as the default authentication protocol. Now
does using Kerberos store the password differently than the answer
above? or is Kerberos only the authentication protocol and it uses the
NTLMv2 password hash to authenticate a user before it kicks in to do
authentication between servers.
3) Does Kerberos completely replace NTLMv2?
Thank you
Hi Jay,

This article should answer most of your questions:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1005.mspx

I'm not sure exactly what you mean by question #3. Kerberos will be
used by default, as you say, but there are some situations where NTLM
must and will be used. The situations that come to mind include:

- Untrusted domains and non-joined machines
- When authenticating to applications using service accounts with
improperly configured SPNs. This happens frequently with IIS
- Authentication to very down-level systems such as Win9x

HTH.

Dave
Joe Richards [MVP]
2007-02-14 21:30:49 UTC
The SAM DB is used on standalone and member servers. Active Directory,
which uses an ESE DB, is used on Domain Controllers.

The hashing algorithms are discussed in several documents you can google
for. It shouldn't really matter a whole lot since the hashes are not
generally readily available unless you can insert code into the LSASS
process.

Kerberos does not replace NTLM. It is the default auth used by Windows
2K or better clients against an AD Domain. It isn't used at all if
authenticating to a standalone or member server local ID. Also if there
are issues, a machine can downgrade its auth to NTLM from kerb. This
always happens, for instance, when using IP addresses to connect to
resources.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
Jesper
2007-02-15 03:06:08 UTC
Post by Joe Richards [MVP]
The SAM DB is used on standalone and member servers. Active Directory,
which uses an ESE DB, is used on Domain Controllers.
DCs have a SAM database too. It is used for directory services restore mode.
Post by Joe Richards [MVP]
The hashing algorithms are discussed in several documents you can google
for.
See DaveMo's post for one.
Post by Joe Richards [MVP]
Kerberos does not replace NTLM. It is the default auth used by Windows
2K or better clients against an AD Domain.
If they are accessing the resources using an FQDN or NetBIOS name that can
be converted to an FQDN. If they are accessing the resource using an IP
address the system will use LM (2000 and XP), some variant of NTLMv1 (2000,
XP and Server 2003), or NTLMv2 (Vista) if they are left in their default
config.
Post by Joe Richards [MVP]
Post by Jay
My understanding is that each password will be stored by default using both an LM hash (for older compatibility) and using an MD5 hash for NTLMv2. Is this correct?
Windows NT 4.0 through Windows Server 2003 by default store both LM and MD4
hashes (note, not MD5). Windows Vista stores only the MD4 hash.
Post by Joe Richards [MVP]
Post by Jay
2) Win2003 uses Kerberos as the default authentication protocol.
See above for caveats.
Post by Joe Richards [MVP]
Post by Jay
Now
does using Kerberos store the password differently than the answer
above?
No. Kerberos uses the MD4 hash.
Post by Joe Richards [MVP]
Post by Jay
or is Kerberos only the authentication protocol and it uses the
NTLMv2 password hash
There is no such thing as an NTLMv2 password hash.
Post by Joe Richards [MVP]
Post by Jay
3) Does Kerberos completely replace NTLMv2?
As per above, no.

See these additional resources for more info:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1005.mspx
http://www.protectyourwindowsnetwork.com
http://www.syngress.com/catalog/?pid=3420
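To make Jesper's answer concrete (the stored value is an unsalted MD4 over the UTF-16LE password, Kerberos and NTLM both key off that same NT hash, and "NTLMv2" is a keyed challenge-response computed at logon time rather than a stored hash), here is an added Python example; it is not code from the thread or from Microsoft. It carries MD4 inline (OpenSSL 3 builds of `hashlib` often refuse `md4`), computes the NT hash, NTOWFv2 and an NTLMv2 response following MS-NLMP, and feeds them the constructed password/user/domain/challenge inputs that MS-NLMP uses for its test vectors. The LM hash is omitted because it needs DES, which the standard library does not provide.

```python
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), inlined because hashlib.new("md4") is
    frequently unavailable on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF

    def rot(x, n):
        x &= mask
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
           + struct.pack("<Q", 8 * len(data)))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rot(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rot(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rot(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash (NTOWFv1): MD4 over the UTF-16LE password, no salt, no MD5.
    This is the value the SAM and the AD database hold for the account."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
    Derived from the stored NT hash at authentication time; never stored itself."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One NTLM AV_PAIR (id, byte length, UTF-16LE value)."""
    v = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(v)) + v


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, target_info: bytes, timestamp: int = 0):
    """NTLMv2 challenge-response (MS-NLMP 3.3.2). Returns
    (NTProofStr, NtChallengeResponse, SessionBaseKey). The input is the NT hash,
    not the password: whoever holds the hash can answer the challenge."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, "md5").digest()
    session_base_key = hmac.new(key, nt_proof, "md5").digest()
    return nt_proof, nt_proof + temp, session_base_key


if __name__ == "__main__":
    # Constructed inputs: the password/user/domain/challenge values MS-NLMP's
    # test vectors use, not anything from a real system.
    nt = nt_hash("Password")
    target_info = av_pair(0x0002, "Domain") + av_pair(0x0001, "Server") + b"\x00" * 4
    proof, _, _ = ntlmv2_response(nt, "User", "Domain", bytes.fromhex("0123456789abcdef"),
                                  b"\xaa" * 8, target_info)
    print("NT hash   :", nt.hex())
    print("NTOWFv2   :", ntowf_v2(nt, "User", "Domain").hex())
    print("NTProofStr:", proof.hex())
```

Two things worth noticing when you run it: `ntowf_v2` changes when the user name or domain changes, so the same password produces a different "NTLMv2" key per account and there is nothing account-independent to store beyond the NT hash; and `ntlmv2_response` never sees the password, which is why obtaining the stored hash (from the SAM, from NTDS.DIT, or from LSASS as Joe notes) is as good as the password for NTLM authentication.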
Joe Richards [MVP]
2007-02-15 19:19:36 UTC
Post by Jesper
DCs have a SAM database too. It is used for directory services
restore mode.

Yes good point. However this is only valid during DRM which isn't the
natural state for the DCs. :)
Post by Jesper
If they are accessing the resources using an FQDN or NetBIOS name that can
be converted to an FQDN.
Hey Jesper I don't think the conversion to FQDN is required for kerb. I
believe the system just needs to be able to build a valid SPN that
uniquely maps to the security principal. Since you have both NetBIOS
based SPNs and FQDN based SPNs either should connect through kerb fine.



Jesper
2007-02-15 19:46:31 UTC
Post by Joe Richards [MVP]
Yes good point. However this is only valid during DRM which isn't the
natural state for the DCs. :)
Depends on how good you are at managing your network! :-)
Post by Joe Richards [MVP]
Post by Jesper
If they are accessing the resources using an FQDN or NetBIOS name that can
be converted to an FQDN.
Hey Jesper I don't think the conversion to FQDN is required for kerb. I
believe the system just needs to be able to build a valid SPN that
uniquely maps to the security principal. Since you have both NetBIOS
based SPNs and FQDN based SPNs either should connect through kerb fine.
True. You just can't convert an IP address to an SPN. Strictly speaking I
suppose it would be possible, but MS just did not build that functionality.
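The Kerberos-or-NTLM decision Joe and Jesper describe turns on whether the client can build an SPN for the target name, and an IP literal never yields one. As an added illustration (not code from the thread), this Python helper walks a constructed list of resource paths and URLs and reports which ones will be forced onto NTLM for that reason; the cifs/HTTP service-class mapping, the DNS suffix, and every host name and address in the sample are assumptions made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed service-class mapping for the sample: SMB shares are ticketed under
# the "cifs" class and http(s) URLs under "HTTP". Real deployments register more.
_UNC = re.compile(r"^\\\\([^\\]+)(?:\\|$)")


def target_host(resource: str):
    """Split a UNC path or http(s) URL into (service_class, host); None if neither."""
    m = _UNC.match(resource)
    if m:
        return "cifs", m.group(1)
    parts = urlsplit(resource)
    if parts.scheme in ("http", "https") and parts.hostname:
        return "HTTP", parts.hostname
    return None


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 address literal (brackets tolerated)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def candidate_spns(resource: str, dns_suffix: str) -> list:
    """SPNs a client could request a service ticket for. An IP literal cannot be
    turned into an SPN, so the list is empty and the client must fall back to NTLM."""
    parsed = target_host(resource)
    if parsed is None:
        return []
    svc, host = parsed
    if is_ip_literal(host):
        return []
    if "." in host:
        return [f"{svc}/{host}"]
    # Short (NetBIOS-style) name: a domain-joined host registers both the short and
    # the FQDN SPN, so either form can be ticketed; the suffix is an assumed input.
    return [f"{svc}/{host}", f"{svc}/{host}.{dns_suffix}"]


def audit(resources, dns_suffix: str) -> dict:
    """Map each resource to ("kerberos", spns) or ("ntlm-fallback", [])."""
    out = {}
    for r in resources:
        spns = candidate_spns(r, dns_suffix)
        out[r] = ("kerberos", spns) if spns else ("ntlm-fallback", [])
    return out


# Constructed sample of "configured resources" (logon-script shares, a mapped
# drive by address, an intranet URL); every name and address here is made up.
SAMPLE = [
    r"\\fs01\profiles",
    r"\\fs01.corp.example.com\software",
    r"\\10.0.0.5\backup",
    "http://intranet.corp.example.com/app",
    "http://[fd00::5]/app",
]

if __name__ == "__main__":
    for res, (mode, spns) in audit(SAMPLE, "corp.example.com").items():
        print(f"{mode:14} {res:40} {', '.join(spns)}")
```

This is a static check only: it finds the IP-literal case, which is the one that can never use Kerberos, but it cannot see the failure DaveMo lists (a name that resolves fine but whose SPN was never registered, or is registered on the wrong account), which also ends in an NTLM fallback. For that, the authoritative test is still to connect and inspect the ticket cache on the client.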
Harald Ums (2179630)
2007-03-10 08:07:28 UTC
Post by Jesper
True. You just can't convert an IP address to an SPN. Strictly speaking I
suppose it would be possible, but MS just did not build that
functionality.
Would that imply you would **trust** the dns to correctly resolve the name?

I do not think there is a secure way to convert an IP to an SPN ...
Jesper
2007-03-10 16:45:03 UTC
Post by Harald Ums (2179630)
Post by Jesper
True. You just can't convert an IP address to an SPN. Strictly speaking I
suppose it would be possible, but MS just did not build that
functionality.
Would that imply you would **trust** the dns to correctly resolve the name?
I do not think there is a secure way to convert an IP to an SPN ...
Yes, it does imply that you trust your DNS server. If you only permit secure
updates and otherwise manage your network properly you have a good chance of
that. Otherwise, it is not at all clear that you can.
