In this article, the topic of LAN Manager will be addressed, which has been the subject of interest and debate in various areas. LAN Manager is a topic of great relevance today, as it has a significant impact on society, culture and daily life. Throughout history, LAN Manager has played a fundamental role in the evolution of different disciplines and has marked important milestones in human development. Therefore, it is crucial to delve into its most relevant aspects, analyze its influence in different contexts and explore the future perspectives that derive from its study. In this sense, this article seeks to provide a comprehensive and updated vision of LAN Manager, to contribute to the understanding and reflection on its importance in the contemporary world.
Developer | Microsoft, 3Com |
---|---|
OS family | OS/2 |
Working state | Discontinued |
Source model | Closed source |
Initial release | 1987 |
Final release | 2.2a / 1994 |
Marketing target | Local area networking |
Update method | Re-installation |
Package manager | None |
Platforms | x86 |
License | Proprietary |
Preceded by | MS-Net, Xenix-NET, 3+Share |
Succeeded by | Microsoft Windows NT 3.1 |
LAN Manager is a discontinued network operating system (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heavily modified version of MS-DOS.
The LAN Manager OS/2 operating system was co-developed by IBM and Microsoft, using the Server Message Block (SMB) protocol. It originally used SMB atop either the NetBIOS Frames (NBF) protocol or a specialized version of the Xerox Network Systems (XNS) protocol. These legacy protocols had been inherited from previous products such as MS-Net for MS-DOS, Xenix-NET for MS-Xenix, and the afore-mentioned 3+Share. A version of LAN Manager for Unix-based systems called LAN Manager/X was also available. LAN Manager/X was the basis for Digital Equipment Corporation's Pathworks product for OpenVMS, Ultrix and Tru64.[1]
In 1990, Microsoft announced LAN Manager 2.0 with a host of improvements, including support for TCP/IP as a transport protocol for SMB, using NetBIOS over TCP/IP (NBT). The last version of LAN Manager, 2.2, which included an MS-OS/2 1.31 base operating system, remained Microsoft's strategic server system until the release of Windows NT Advanced Server in 1993.[2]
Many vendors shipped licensed versions, including:
The LM hash is computed as follows:[3][4]
1010100
becomes 10101000
). This generates the 64 bits needed for a DES key. (A DES key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The parity bits added in this step are later discarded.)KGS!@#$%
”,[Notes 2] resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and PaddingMode should be set to NONE
.LAN Manager authentication uses a particularly weak method of hashing a user's password known as the LM hash algorithm, stemming from the mid-1980s when viruses transmitted by floppy disks were the major concern.[7] Although it is based on DES, a well-studied block cipher, the LM hash has several weaknesses in its design.[8] This makes such hashes crackable in a matter of seconds using rainbow tables, or in a few minutes using brute force. Starting with Windows NT, it was replaced by NTLM, which is still vulnerable to rainbow tables, and brute force attacks unless long, unpredictable passwords are used, see password cracking. NTLM is used for logon with local accounts except on domain controllers since Windows Vista and later versions no longer maintain the LM hash by default.[7] Kerberos is used in Active Directory Environments.
The major weaknesses of LAN Manager authentication protocol are:[9]
To address the security weaknesses inherent in LM encryption and authentication schemes, Microsoft introduced the NTLMv1 protocol in 1993 with Windows NT 3.1. For hashing, NTLM uses Unicode support, replacing LMhash=DESeach(DOSCHARSET(UPPERCASE(password)), "KGS!@#$%")
by NThash=MD4(UTF-16-LE(password))
, which does not require any padding or truncating that would simplify the key. On the negative side, the same DES algorithm was used with only 56-bit encryption for the subsequent authentication steps, and there is still no salting. Furthermore, Windows machines were for many years configured by default to send and accept responses derived from both the LM hash and the NTLM hash, so the use of the NTLM hash provided no additional security while the weaker hash was still present. It also took time for artificial restrictions on password length in management tools such as User Manager to be lifted.
While LAN Manager is considered obsolete and current Windows operating systems use the stronger NTLMv2 or Kerberos authentication methods, Windows systems before Windows Vista/Windows Server 2008 enabled the LAN Manager hash by default for backward compatibility with legacy LAN Manager and Windows ME or earlier clients, or legacy NetBIOS-enabled applications. It has for many years been considered good security practice to disable the compromised LM and NTLMv1 authentication protocols where they aren't needed.[11] Starting with Windows Vista and Windows Server 2008, Microsoft disabled the LM hash by default; the feature can be enabled for local accounts via a security policy setting, and for Active Directory accounts by applying the same setting via domain Group Policy. The same method can be used to turn the feature off in Windows 2000, Windows XP and NT.[11] Users can also prevent a LM hash from being generated for their own password by using a password at least fifteen characters in length.[6]—NTLM hashes have in turn become vulnerable in recent years to various attacks that effectively make them as weak today as LanMan hashes were back in 1998.[citation needed]
Many legacy third party SMB implementations have taken considerable time to add support for the stronger protocols that Microsoft has created to replace LM hashing because the open source communities supporting these libraries first had to reverse engineer the newer protocols—Samba took 5 years to add NTLMv2 support, while JCIFS took 10 years.
Product | NTLMv1 support | NTLMv2 support |
---|---|---|
Windows NT 3.1 | RTM (1993) | Not supported |
Windows NT 3.5 | RTM (1994) | Not supported |
Windows NT 3.51 | RTM (1995) | Not supported |
Windows NT 4 | RTM (1996) | Service Pack 4[12] (25 October 1998) |
Windows 95 | Not supported | Directory services client (released with Windows 2000 Server, 17 February 2000) |
Windows 98 | RTM | Directory services client (released with Windows 2000 Server, 17 February 2000) |
Windows 2000 | RTM (17 February 2000) | RTM (17 February 2000) |
Windows Me | RTM (14 September 2000) | Directory services client (released with Windows 2000 Server, 17 February 2000) |
Samba | ? | Version 3.0[13] (24 September 2003) |
JCIFS | Not supported | Version 1.3.0 (25 October 2008)[14] |
IBM AIX (SMBFS) | 5.3 (2004)[15] | Not supported as of v7.1[16] |
Poor patching regimes subsequent to software releases supporting the feature becoming available have contributed to some organisations continuing to use LM Hashing in their environments, even though the protocol is easily disabled in Active Directory itself.
Lastly, prior to the release of Windows Vista, many unattended build processes still used a DOS boot disk (instead of Windows PE) to start the installation of Windows using WINNT.EXE, something that requires LM hashing to be enabled for the legacy LAN Manager networking stack to work.
Although Windows Vista has not been released yet, it is worthwhile to point out some changes in this operating system related to these protocols. The most important change is that the LM protocol can no longer be used for inbound authentication—where Windows Vista is acting as the authentication server.