Lieberman Software
PRIVILEGED IDENTITY MANAGEMENT NEWS LINE
 
May 2012

Top of Mind

See Us At TechEd 2012 June 11-14 in Orlando

Philip  Lieberman, President & CEO
Lieberman Software

If you are attending Microsoft TechEd in Orlando this year, stop by our booth 813 to see a few surprises. This year we are in a much larger 20x20 booth with a theater area and four demo stations. We will be demonstrating both our IT administrator tools and the latest version of our privileged identity management solution.

From a technology point of view we will also be showing how we have integrated business intelligence with privileged identity management and configuration management to provide you with unprecedented transparency into identity use and misuse.

As a special surprise, we will also show the new multi-lingual capabilities of our 4.83.4 ERPM web interface. You will see ERPM web natively working in German, French, Spanish, Portuguese, Hungarian, Arabic, Chinese (Simplified and Traditional) and more. We will also introduce you to our new any-language-in-a-day technology.

Stop by and win great prizes! We will be giving away a Parrot AR Drone 2.0 Quadricopter every day of the show. We will also be giving away $50 Amex gift cards every 30 minutes at the end of each technical presentation.

Continuing From Last Month… The Long Story of: Server-to-Server Password Synchronizer

Have you ever needed to keep a specific account and its password in synch between untrusted Windows forests, domains and servers? What about keeping accounts and their passwords in sync between workstations and servers in a workgroup, as well as between a domain and a workgroup?

We solved the problem of transparent password synchronization between any combination of Windows systems in 1998 as part of our work to develop a password synchronization system between IBM OS/2 and Microsoft NT.

1998 And Going Strong

The funny thing about technology developed so long ago is that it works as well now as it did then: it supports password synchronization between the oldest Windows operating systems and the most recent versions, Windows 2012 and Windows 8, on both 32-bit and 64-bit operating systems!

The story about how we built this password synchronizer and some of its interesting capabilities requires a little explanation about the cryptography and tricks used for password authentication in Windows.

The Story

We used to sell a product called the “IBM LAN Server to Windows Migration Wizard” that allowed customers to migrate from the 16/32-bit LAN Manager based network operating system to the new hotness of a 32-bit operating system called Windows NT.

It turns out that IBM LAN Server, Microsoft LAN Manager and Windows NT all had very similar internal designs and cryptography. With that in mind we were able to create a great migration tool for the times. But customers wanted a way to keep their old IBM LAN Server systems online while they migrated, so we developed a tool to synchronize the password hashes between LAN Server and Windows NT. That is how Server-to-Server Password Synchronizer was built.

What’s A Hash?

To make it hard for the bad guys to figure out your password, operating system vendors (and even application vendors) convert passwords into a non-reversible but unique equivalent called a password hash. The password hash is not the password, but a unique signature of that password (typically a 32-digit hexadecimal number, but it can be longer or shorter) that can be used for comparison purposes.

For example, the calculated MD4 hash of the password “password” is:
8a9d093f14f8701df17732b2bb182c74

The cool thing about hashes is that if I change the password just a little bit (say, change “password” to “p@ssword”), the hash changes radically to:
50afea718f48da334c084c008327e6bb

Looking at the two hashes, it is very hard to tell that the two passwords differ by only one character.

The other interesting thing about hashes is that they don’t reflect the length of the password. For example, the password “The quick brown fox jumped over the lazy dogs back.” has a hash of:
3b84a988b176a3b7eb73805e256e966a

So whether I have a single character password or one that has 127 characters, I will always get a hash of the same length.

Comparing Hashes

When you logon to a Windows system, the password you type in is converted to a 32-byte hash. This hash is then compared to the hash stored away in the operating system for your account. If they match you get logged in. Note that domain connected systems use a varied version of hash comparison called challenge/response, but we won’t go into the details here.

For backward compatibility there can be two password hashes stored for a single account. The first hash is known as an LM (LAN Manager) hash. This hash exists for backward compatibility with Windows 3.1, Windows 95, Windows 98 and Windows ME. In most modern versions of Windows this hash generation is disabled by default and not allowed, because the password hashes are not very strong and can be cracked easily with rainbow tables.

The second hash used by Windows is known as an NT or MD4 hash. The MD4 hash is normally the only password stored for a user in Windows these days. In addition to the hash of a password, a time and date stamp is also stored. The time stamp is used to determine when it is time to change the password if a maximum age policy is in effect for the operating system.

How The Synchronizer Works… Or Who Has The Best Hash?

It turns out that all Microsoft Windows workstations, servers and domain controllers generate password hashes in the same format (only the internal encryption and storage of those hashes vary between operating systems).

What our product Server-to-Server Password Synchronizer does is contact all of the Windows machines you want synchronized, pull in the password hashes of the accounts you want synchronized along with their time stamps, and copy the best and most recent hash of a user to every place where the hash is wrong and/or older.

Once the hashes are copied and identical in all places, a user can logon with the same password in all the places you synchronized.

Use Case: All Password Hashes Synched

Consider how cool it would be to change a password on a standalone server running a web site and have this password automatically propagate in other servers, domain controllers, workstations, or what have you in just a minute or two. The reverse is also true, namely, you can change a password in a domain controller, and have the hash synchronize to a standalone server in a DMZ that is not domain joined or connected to the main domain.

Order Out of Chaos

One of my favorite things about Server-to-Server Password Synchronizer is that it automatically fixes bad passwords and passwords that are out of synch without a user having to change their password to force synchronization. In other words, it creates order autonomously out of a horribly chaotic set of passwords for users.

Hashes Into The Future

Believe it or not, the first version of Windows NT and the latest versions of Windows all use the same password hash algorithms so they are interoperable with each other. Because the hashes are identical between operating systems, our password synchronizer works beautifully even today.

What It Does Not Do

Mainframes, UNIX, Linux and other types of operating systems all use hashes too, but they typically use hash algorithms (e.g. MD5) that are incompatible with Microsoft Windows. As a result, hashes generated in Windows are not recognized by these other operating systems and vice versa, which is why Server-to-Server Password Synchronizer is a Windows-only product.

Need To Synchronize Hashes?

You can install and try Server-to-Server Password Synchronizer for yourself for 30 days. You can synchronize up to 10 unique accounts over as many systems as you wish. So, if you want to try synching 2 accounts on 100 systems, you can do that for 30 days on our dime to prove to yourself how awesome having identical password hashes can really be.

What do you think? Email me at: Phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

 
What's New in Identity Week

Featured commentary on our Identity Week blog this month includes:
  • The Evolution of Smartcard and Certificate Support. One topic that arises more and more frequently in conversations that I have – whether it’s with analysts and media, IT security professionals I meet in the course of my work, or my company’s government and military customers – is the state of smartcard and certificate technology to securely access highly sensitive systems...

Events / Press / Analysts  
  • Lieberman Software’s Enterprise Random Password Manager now supports SQL Server 2012. Vigilance, The Security Magazine. Lieberman Software Corporation last week announced that its flagship privileged identity management solution, Enterprise Random Password Manager (ERPM), now supports SQL Server 2012. ERPM adds SQL Server 2012 support to the industry's most complete privileged identity management solution – covering all major operating systems, databases, business applications, network appliances and more.
  • Lieberman Software announces Account Reset Console 6.0 password reset solution. eChannelLine. Lieberman Software Corporation has announced the release of Account Reset Console 6.0, the latest version of the company's self-service password reset solution. The product permits delegated users to reset their own passwords and unlock their own accounts without involving IT staff, helping organizations maintain high productivity levels while simultaneously strengthening security.
  • Mozilla Firefox 12: No More Update Notifications. Midsize Insider. Mozilla has released the latest version of their open web browser Firefox. The biggest pro (and con) to Firefox 12 is its silent updates. Unlike former versions of the browser, this latest incarnation automatically updates itself without sending you a notification. No longer does a user need to agree to installation, wait for the update to download, and then install. The entire process now occurs in the background.

Tech Tip of the Month

Self-Service and Help Desk Password Resets for the Enterprise

Resetting users’ forgotten or expired passwords is one of the most common problems in business environments. Besides being a productivity loss to users, it's also a drain on Help Desk or Sys Admin time. It’s a problem that calls for an automated solution.

Account Reset Console is a password management tool that grants your users a secure and audited method for resetting or unlocking their own Windows accounts, without involving the IT department. Users can reset their passwords from the Windows Logon screen via a "Forgot Password" link on their systems, or through a secure web interface accessible from any shared kiosk in the network. Here's how.


Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
www.Liebsoft.com | (01) 310-550-8575 | newsletter@liebsoft.com