What encryption used for password in Active Directory 2003 and How we can check and View

    Question

  • Hi All,

    I want to know what encryption method is used to store passwords in Active Directory 2003 and how we can view this setting.

    As I searched in different blogs, it is stored in two different formats, LM hash and NT hash. So I want to check which is the default encryption method in AD and how we can view this policy/setting somewhere on the AD server.

    Thanks in Advance.

    Mukesh


    Mukesh Bisht

    Saturday, November 15, 2014 8:27 AM

Answers

  • Hi

    This is how the data is stored in the Active Directory database.

    1. LM password is hashed using NTOWF, encrypted with the user's RID using SystemFunction025, encrypted with the PEK (Password Encryption Key), and stored in the unicodePwd attribute.

    2. NTLM password is hashed using NTOWF, encrypted with the user's RID using SystemFunction025, encrypted with the PEK (Password Encryption Key), and stored in the dbcsPwd attribute.

    Note that the PEK (Password Encryption Key) is generated from the SYSKEY of each DC, and the key is therefore unique on each DC/database. The PEK itself is maintained in a non-readable, non-replicated attribute (pekList: http://msdn.microsoft.com/en-us/library/cc221063.aspx).

    Other password hash formats are stored as "KeyPackages" in the supplementalCredentials attribute: http://msdn.microsoft.com/en-us/library/cc245674.aspx

    The supplementalCredentials attribute is also protected by the local PEK.

    Bonus: ADAM/ADLDS does not derive its PEK from the SYSKEY as ADDS does. ADAM/ADLDS does not apply the additional RID encryption using SystemFunction025 for unicodePwd and dbcsPwd.

    Encryption types used in each step

    1. PEK - RC4 (The SYSKEY)
    2. unicodePwd/dbcsPwd - RC4 (PEK)
    3. RID Encryption - DES (RID)

    You have no ability to change the encryption used above; it is totally internal to the DBLayer of Active Directory. The only thing you can control is not to store new passwords in LM format (this is the default since Windows Server 2008).

    Does this answer your question?


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Edited by Christoffer Andersson Wednesday, November 19, 2014 2:02 AM Added encryption types
    • Proposed as answer by bshwjt Wednesday, November 19, 2014 2:18 AM
    • Marked as answer by Vivian_WangModerator Tuesday, December 02, 2014 6:12 AM
    Wednesday, November 19, 2014 1:55 AM

All replies

    • Proposed as answer by bshwjt Saturday, November 15, 2014 11:58 AM
    Saturday, November 15, 2014 9:16 AM
  • How can I get the user password details, i.e. what password has been set by a user in Active Directory 2003, through any script or tool?

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c10be324-1cc2-41d5-8743-76216b91dae9/how-can-get-the-user-password-details-that-what-password-has-set-by-user-in-active-directory-2003?forum=winserverDS

    In addition, during authentication the password never travels over the wire. The user logon ID and time stamp are encrypted with the user's password, and after getting the TGT, the TGT is stored in system memory.

    You can see that using klist. Kerberos uses RC4, DES and AES encryption.

    Windows 2003 does not support AES and Windows 2012 does not support RC4.

    Windows 2003 supports RC4 and Windows 2012 supports AES.

    The entire process creates three temporary passwords for 10 hrs.

    1. One temporary password is used for authentication.

    2. One temporary password is used for the TGT.

    3. One temporary password is used for the service.

    See this as well.



    Regards,

    Biswajit

    MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011


    Note: Disclaimer: This posting is provided with no warranties or guarantees and confers no rights.




    • Edited by bshwjt Saturday, November 15, 2014 12:01 PM
    Saturday, November 15, 2014 11:53 AM
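    The accepted answer says the only storage-side choice an administrator has is whether new LM hashes are written, and this reply adds that Kerberos in the domain runs on DES, RC4 or AES. As an added example that is not part of the thread, the PowerShell below audits both points from a management host: it reads the NoLMHash registry value from a DC and decodes each account's msDS-SupportedEncryptionTypes bitmask. It assumes the ActiveDirectory module, Remote Registry access to the DC, and uses the constructed placeholder names DC01 and OU=Users,DC=example,DC=com.

```powershell
# Added example, not from the thread. Reads the NoLMHash registry value from a DC
# and decodes each account's msDS-SupportedEncryptionTypes bitmask. Assumes the
# ActiveDirectory module on a management host and Remote Registry access to the
# DC; 'DC01' and the OU distinguished name below are constructed placeholders.
function Get-LmHashStoragePolicy {
    param([string]$DomainController = 'DC01')

    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $DomainController)
    $lsa = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')

    # NoLMHash = 1 is the registry form of the policy "Network security: Do not
    # store LAN Manager hash value on next password change". A missing value acts
    # like 0: new LM hashes are still written (the Windows Server 2003 default).
    $noLmHash = [int]$lsa.GetValue('NoLMHash', 0)
    $hive.Close()
    [pscustomobject]@{
        DomainController   = $DomainController
        NoLMHash           = $noLmHash
        NewLmHashesWritten = ($noLmHash -ne 1)
    }
}

# KERB_ENCTYPE bit flags carried in msDS-SupportedEncryptionTypes (2008+ schema).
$script:EncTypeFlags = [ordered]@{
    1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256'
}
function Get-AccountEncryptionTypes {
    param([string]$SearchBase)

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $mask = $_.'msDS-SupportedEncryptionTypes'
            # Unset or 0: no per-account override, so the KDC's OS defaults apply
            # (the thread states DES/RC4 on Windows Server 2003, no AES).
            $names = if (-not $mask) { @('(not set, KDC default)') } else {
                $script:EncTypeFlags.Keys | Where-Object { $mask -band $_ } |
                    ForEach-Object { $script:EncTypeFlags[$_] }
            }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                EncTypes       = $names -join ', '
                NoAesOffered   = [bool]$mask -and -not ($mask -band 24)   # 24 = AES128|AES256
            }
        }
}

Get-LmHashStoragePolicy -DomainController 'DC01'
Get-AccountEncryptionTypes -SearchBase 'OU=Users,DC=example,DC=com' | Format-Table
```

    On a forest still at the Windows Server 2003 schema the msDS-SupportedEncryptionTypes attribute does not exist, so every account reports the KDC default and only the NoLMHash check is meaningful there.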
  • Thanks for the information Michael and Biswajit,

    Really Appreciated.

    But I want to check which encryption method we are using in AD 2003 to store the users' passwords and where we can find this setting.

    Thanks

    Mukesh


    Mukesh Bisht

    Monday, November 17, 2014 5:42 AM
    Per the link I provided, "...Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory." This would seem to indicate that the NTLM hash is stored in Active Directory, as Microsoft restricts programmatic access to this property to Set and Compare operations, and the hashing algorithm is designed to be mathematically infeasible to crack. This makes it so that if you possess the hash you can authenticate as the user (known as a pass-the-hash attack). Since Windows 2000, I believe Active Directory uses Kerberos to pass the hash to the directory server to compare, meaning your authentication is as weak as your Kerberos encryption level, since it is the hash we want to protect. Below is a great link outlining the vulnerability and how best to combat these types of attacks (see the Vendor Statement at the bottom of the article).

    http://www.aorato.com/blog/active-directory-vulnerability-disclosure-weak-encryption-enables-attacker-change-victims-password-without-logged/

    Monday, November 17, 2014 8:28 AM
  • Hi,

    I just want to confirm what is the current situation.

    Please feel free to let us know if you need further assistance.

    Regards.


    Vivian Wang

    Wednesday, November 26, 2014 2:15 AM
    Moderator