123 replies to this topic

[Whatacrock]

Sorry for that...BLAME ME....I renamed the apm as was having problems with the file.
Should be okay now...
We need a few more brave soles to test as currently not doing anymore work on it, have moved onto getting another release ready in the same layout.
Please report as usual, will correct or amend script as needed and reupload to my box

[DesertJerry]

Ran Text-XP.bat > had to run ViroMan's fix to remove extra apm file otherwise all is good.

Edited by DesertJerry, 22 August 2012 - 04:22 AM.

[Whatacrock]

You people that are testing are going to hate me as have added a new folder as suggested by Viroman post #17 in Suggestion for Removal from Win XP SP3 script.
Newer files and script uploaded to usual location..

Edited by Whatacrock, 22 August 2012 - 07:10 AM.

[DesertJerry]

XP Pro w/SP3 > WhatACrockTest-Autopatcher folder > downloaded/extracted XP_Test.7z > ran batch - all ok > Start AutoPatcher

Only difference between this and earlier postings was the new Microsoft Security Tweaks sub-folder: blue = Shared Doc; black = LMHash. I read the Item description and will have to admit I haven't a clue as to what it means: "Disable weak LMHash password creation...." Was this an option somewhere else?

OK - I ran AutoPatcher from my non-test folder and found the same LMHash item under Registry Tweaks - Security > item black there also - for the same reason - I have no idea as to its meaning.

Question: why is the term "Warn Status" attached to me?

Edited by DesertJerry, 22 August 2012 - 08:48 PM.

[ViroMan]

Windows NT through Vista have two versions of password storing... The original LM_Hash for all the older windows version and NT_Hash which showed up at the same time as guess what.... Windows NT.
NT_Hash is a greatly improved way of storing passwords. I won't go into details but, an LM_Hash can be broken quite a bit faster then NT_Hash not to mention the way LM_Hash is stored, the password can be extracted with the proper tools.

Quote

Support for the legacy LAN Manager protocol continued in later versions of Windows for backward compatibility, but was recommended by Microsoft to be turned off by administrators; as of Windows Vista, the protocol is disabled by default, but continues to be used by some non-Microsoft CIFS implementations.

I really cant stress how much I feel that people should be aware of this and use it. Not to mention... using special characters in your password. Not just !, $,or ? Im talking like

§,╚, Ä, █ Stuff like that... They REALLY REALLY make it harder to brute crack your passwords. Any password length over 9 is also much hard to break.

Edited by ViroMan, 22 August 2012 - 09:25 PM.

[DesertJerry]

If I read the explanation correctly - why give the user an option to disable the LMHash if that makes the password more secure - seems that would be the wrong thing to do.

[ViroMan]

NT hash is the secure one. LM hash is too simple for today's faster computers and the current tools.

Here is a table for an example that I plucked from the web.

Algorithm	 Size of password space		 Halflife length in seconds
LANMAN			   7.556E12			   1.459E6 (~8 days)
NTLM			   6.704E15			  3.045E9 (~95 years)
crypt()			   6.704E15			  5.888E9 (~185 years)
*FreeBSD MD5	   	   6.704E15			   7.491E11 (>11,000 years)

[DesertJerry]

I'm confused.

As I mentioned, the only option I had was to disable LMHash in XP Pro - no comment or listing for NT_Hash. If it's an NT item, as mentioned, then how would any user even know about it or how it functions?

So, given that info and not having a reason to know if I have NT_Hash or not why would I disable LMHash?

[ViroMan]

If LM_hash is disabled windows will default to NT hash. You don't have to do anything different after disabling LM hash except feel safer. I wish I could get you on yahoo chat or something so I can converse with you and give you all the information you need about this...

in case you want too... im at
viral_brain@yahoo.com

Edited by ViroMan, 24 August 2012 - 09:01 PM.

[DesertJerry]

ViroMan, on 24 August 2012 - 09:00 PM, said:

If LM_hash is disabled windows will default to NT hash. You don't have to do anything different after disabling LM hash except feel safer. I wish I could get you on yahoo chat or something so I can converse with you and give you all the information you need about this...

OK - explantion helps. So I would now ask - why not add that info to the AutoPatcher Item description so that the user would understand why disabling it protects their system?

Yahoo chat not anything I care to join or add to my places to go - I have no objections to e-mail or posting here with links to more extensive information if it you think it would add anything to your answer. (Also - where are you in California? and, again, why do I have a warn status bar?)

[DesertJerry]

@WhatACrock;

Is it safe to assume the XP x86 and x64 batch files we've been testing are finished and there is no longer any reason for me to maintain two copies of AutoPatcher for testing purposes?

[ViroMan]

Currently in Sacramento.
As for the warn status bar... everyone except moderators an up get that.
Your probably right about putting that info into the apm. Will ask what a crock to do that.

Yes there should be no further need of an extra copy of x64. I believe that to be a high quality script now.

Edited by ViroMan, 24 August 2012 - 09:48 PM.

[Whatacrock]

Changes noted and apm decription amended.
Files and script uploaded.

[DesertJerry]

ViroMan, on 24 August 2012 - 09:46 PM, said:

Yes there should be no further need of an extra copy of x64. I believe that to be a high quality script now.

Clarify - use of the WhatACrock batch files are no longer necessary as the x64 updates previously tested are now included as part of APUP1 selections but the x86 batch file information is not included?

[DesertJerry]

Whatacrock, on 25 August 2012 - 03:08 AM, said:

Changes noted and apm decription amended.
Files and script uploaded.

Meaning if I run APUP1 I will get an updated list with todays date?

[Whatacrock]

The apm for for Lm_hash has the desription amended to make it clearer for users....ie here is the amended description from the apm
[General]
Title=Disable LMHash for Passwords
Description=If LM_hash is disabled windows will default to NT hash. You don't have to do anything different after disabling LM hash except feel safer.For further information refer to http://en.wikipedia.org/wiki/NTLM

There are no other changes at this time

Edited by Whatacrock, 25 August 2012 - 04:28 AM.

[Whatacrock]

As far as I am concerned this script release is valid as long as there isn't any other complaints or errors.
The only items that I could see that may possibly be added are in the addons script but can be left as is for the time being.
Your thoughts people.

[DesertJerry]

Which addons: we have Microsoft Office Addons, Windows Addons, and Stand Alone (this could be considered an addon.

Edited by DesertJerry, 29 August 2012 - 04:34 AM.

[Whatacrock]

I mean't windows addons that are for Win XP ie DelMSJava,PowerToys for Windows XP,ActiveSync.

Only a suggestion on my part but would leave these in their current location until otherwise advised

[Whatacrock]

Script has been updated and now dated 20120830.
#
Change Log -KB909520; -KB892313; -KB902344; -JournalViewer