ITSS home : Network services : Samba : Updating

Samba File and Print Services

Updating to the new Samba services

What is a Lanman hash?

Windows XP and 2000 by default store the password in a vulnerable and outdated format called the LanMan hash.
This insecure method of storing the password has led to password cracking problems on both the Internet and the University network.
Various security settings need to be changed to remove the insecure method of storing the password and other risks.
The new more secure method of storing the password is only effective after all accounts (i.e., users of the computer) have changed their password.

Fall 2004: ITSS recently updated the version of Samba file and print services offered to the campus. The updated Samba services meet new University security standards for passwords. The new Samba services use a different process to accept and store passwords on Windows workstations.

To gain the security benefits of the new Samba services, those with Windows 2000 or XP computers will need take the following steps:

Update your Samba links/drive mappings to the new Samba services; remove the old services.
Check for the Lanman hash (unsecured passwords) on your computer; update your workstation security profile if needed (LanMan and Null sessions).
Change your computer workstation passwords as needed.

Detailed instructions on how to complete each of these steps follows.

1. Update your Samba links/drive mappings

The new Samba services are MyFiles (which replaces windir) and MyWeb (which replaces winweb and www). Additionally, winprint and msprint have been replaced by Samba.

To gain the security benefits of the new Samba services, you will need to update your Samba links or drive mappings to point to the new Samba services, as shown in the following table:

Windows 2000 and XP Computers
Service	New Samba name	Replaces
Web file access	`\\samba\myweb\`	`\\winweb\www\` `\\www\www\`
Unix file access	`\\samba\myfiles\`	`\\windir\windir\`
Printing	`\\samba\<printer-name>`	`\\msprint\<printer-name>` `\\winprint\<printer-name>`

To update to the new services, refer to these instructions:

After you set up access to the new services, remove any links or drive mappings to the old services:

To remove "windir" drive mappings:

Open My Computer.
RIGHT-click on the windir icon, and select "Disconnect" from the drop-down menu.

To remove "winweb" or "www\wwww" drive mappings:

Open My Computer.
RIGHT-click on the winweb or www\www icon, and select "Disconnect" from the drop-down menu.

To remove "msprint" or "winprint" printers:

Open Printers and Faxes
RIGHT-click on each msprint or winprint printer icon, and select "Delete" from the drop-down menu.

2. Check for the LanMan Hash

Run the LanMan Hash self-test tool to determine if your computer is storing passwords in the vulnerable LanMan hash format.

See: Windows XP/2000 LanMan Hash Test Tool.

If the computer fails the "pwtester" test, update your workstation security using one of the following methods:

Download and apply the ITSS Baseline security template
Apply the changes manually, following these instructions:
Disable Support for LanMan and Null sessions.
Contact ITSS for assistance.

3. Change workstation passwords

After applying the security updates, change the password for all workstation accounts on your computer. For details, see:

Run the pwtester.exe program a second time to verify that the Lanman hash has been removed. If you see the message, "If no user accounts have been displayed above, then all is well!", you are done.

Inside Samba

For Windows

For Mac OSX

News and updates