This is not really a firewalls issue, but it does have some bearing on it. (Read on :-) Let's speculate.

Something I've been wondering is whether NT DCs that are configured to NOT use old-style LM password hashes still _store_ the 8-byte hashes? Because in that case, password crackers can still glean lots of info from the old, bad 8-byte hash.

BUT, that's not the main point here. What I was _really_ thinking about is situations where you have a number of old-style LAN Manager clients (Win3.11, Win95, etc.) that need to log on to your DC. Maybe you don't want your PDC to allow old-style LM logons for security reasons - maybe you have a HUGE LAN with lots of potential security holes that you want to minimize - but you need to be able to give just a few Win95 clients this ability. So you tell the PDC not to allow old-style hashes.

Would it be possible to set up a BDC on a fairly isolated piece of LAN (separated by a firesieve?) together with the Win95 machines, and tell ONLY that BDC that old-style hashes are allowed? The BDC would of course have to talk to the PDC in order to get its user database, which might constitute a security problem should the Win95 clients be compromised, but we're talking about minimizing the risk here, right?

I have the distinct notion I'll have to test this in a live scenario to find the answer, or try to make friends with an MS developer (umm), but I'll try my chances here first.

Thanks in advance!

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50  Fax: +46-(0)660-122 50  Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se  E-mail: [EMAIL PROTECTED]
