See Us At TechEd 2012
June 11-14 in Orlando
Philip Lieberman,
President & CEO
Lieberman Software
If you are attending Microsoft TechEd in Orlando this year, stop by our booth 813 to see a few surprises. This year we are in a much larger 20x20 booth with a theater area and four demo stations. We will be demonstrating both our IT administrator tools and the latest version of our privileged identity management solution.
From a technology point of view, we will also be showing how we have integrated business intelligence with privileged identity management and configuration management to provide you with unprecedented transparency into identity use and misuse.
As a special surprise, we will also show the new multi-lingual capabilities of our 4.83.4 ERPM web interface. You will see ERPM web working natively in German, French, Spanish, Portuguese, Hungarian, Arabic, Chinese (simplified and traditional) and more. We will also introduce you to our new any-language-in-a-day technology.
Stop by and win great prizes! We will be giving away a Parrot AR Drone 2.0 Quadricopter every day of the show. We will also be giving away $50 Amex gift cards every 30 minutes at the end of each technical presentation.
Continuing From Last Month… The Long Story of: Server-to-Server Password Synchronizer
Have you ever needed to keep a specific account and its password in sync between untrusted Windows forests, domains and servers? What about keeping accounts and their passwords in sync between workstations and servers in a workgroup, as well as between a domain and a workgroup?
We solved the problem of transparent password synchronization between any combination of Windows systems in 1998 as part of our work to develop a password synchronization system between IBM OS/2 and Microsoft NT.
1998 And Going Strong
The funny thing about this technology, developed so long ago, is that it works as well now as it did then: it supports password synchronization between the oldest Windows operating systems and the most recent versions, Windows 2012 and Windows 8, on both 32-bit and 64-bit operating systems!
The story of how we built this password synchronizer, and some of its interesting capabilities, requires a little explanation of the cryptography and tricks used for password authentication in Windows.
The Story
We used to sell a product called the “IBM LAN Server to Windows Migration Wizard” that allowed customers to migrate from the 16/32-bit LAN Manager based network operating system to the new hotness of a 32-bit operating system called Windows NT.
It turns out that IBM LAN Server, Microsoft LAN Manager and Windows NT all had very similar internal designs and cryptography. With that in mind, we were able to create a great migration tool for the times. But customers wanted a way to keep their old IBM LAN Server systems online while they migrated, so we developed a tool to synchronize the password hashes between LAN Server and Windows NT. That is how Server-to-Server Password Synchronizer was built.
What’s A Hash?
To make it hard for the bad guys to figure out your password, operating system vendors (and even application vendors) convert passwords into a non-reversible but unique equivalent called a password hash. The password hash is not the password, but a unique signature of that password (typically a 32-digit hexadecimal number, but it can be longer or shorter) that can be used for comparison purposes.
For example, the calculated hash (MD4 hash) of the password “password” is:
8a9d093f14f8701df17732b2bb182c74
The cool thing about hashes is that if I change the password just a little bit (say, change “password” to “p@ssword”), the hash changes radically to:
50afea718f48da334c084c008327e6bb
Looking at the two hashes, it is very hard to tell that the two passwords differ by only a single character.
The other interesting thing about hashes is that they don’t reflect the length of the password. For example, the password “The quick brown fox jumped over the lazy dogs back.” has a hash of:
3b84a988b176a3b7eb73805e256e966a
So whether I have a single-character password or one with 127 characters, I will always get a hash of the same length.
Comparing Hashes
When you log on to a Windows system, the password you type in is converted to a 32-byte hash. This hash is then compared to the hash stored away in the operating system for your account. If they match, you get logged in. Note that domain-connected systems use a variant of hash comparison called challenge/response, but we won’t go into the details here.
For backward compatibility there can be two password hashes stored for a single account. The first hash is known as an LM (LAN Manager) hash. This hash is for backward compatibility with Windows 3.1, Windows 95, Windows 98 and Windows ME. In most modern versions of Windows this hash generation is normally disabled and not allowed, because these password hashes are not very strong and can be cracked easily with rainbow tables.
The second hash used by Windows is known as an NT or MD4 hash. The MD4 hash is normally the only password hash stored for a user in Windows these days. In addition to the hash of a password, a time and date stamp is also stored. The time stamp is used to determine when it is time to change the password if a maximum age policy is in effect for the operating system.
How The Synchronizer Works… Or Who Has The Best Hash?
It turns out that all Microsoft Windows workstations, servers and domain controllers generate password hashes in the same format (though internal encryption and storage vary between operating systems).
What our product Server-to-Server Password Synchronizer does is contact all of the Windows machines you want synchronized, pull in the password hashes of the accounts you want synchronized, get the time stamps, and copy the best and most recent hash of a user to all the places where the hash is wrong and/or older.
Once the hashes are copied and identical in all places, a user can log on with the same password in all the places you synchronized.
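The pull, compare and copy loop described above, as an added Python example that is not the product's own code. The inventory (system names, an account's stored hash on each system, and the hash time stamp) is constructed, and the hash values are opaque placeholders rather than real NT hashes; the function names are this example's own.

```python
from datetime import datetime, timezone

# Constructed sample: one account's stored hash and that hash's time stamp on
# each system. Hash strings are placeholders, not real NT hashes.
INVENTORY = {
    "DC01":    ("HASH-A1", datetime(2012, 5, 1, 9, 0, tzinfo=timezone.utc)),
    "WEB01":   ("HASH-B7", datetime(2012, 5, 20, 14, 30, tzinfo=timezone.utc)),
    "DMZ-SRV": ("HASH-A1", datetime(2012, 5, 1, 9, 0, tzinfo=timezone.utc)),
    "WS42":    ("HASH-99", datetime(2012, 3, 2, 8, 15, tzinfo=timezone.utc)),
}


def pick_best(inventory):
    """Return (system, hash, stamp) for the most recent time stamp.

    Two systems with the same newest stamp but different hashes would be
    ambiguous; this sample breaks the tie by system name so the answer is
    deterministic.
    """
    system = max(inventory, key=lambda s: (inventory[s][1], s))
    h, stamp = inventory[system]
    return system, h, stamp


def plan_sync(inventory):
    """Systems whose stored hash differs from the best one (sorted by name)."""
    _, best_hash, _ = pick_best(inventory)
    return sorted(s for s, (h, _) in inventory.items() if h != best_hash)


def apply_sync(inventory):
    """Return a new inventory with the best hash and stamp copied to the stale systems."""
    _, best_hash, best_stamp = pick_best(inventory)
    updated = dict(inventory)
    for s in plan_sync(inventory):
        updated[s] = (best_hash, best_stamp)
    return updated


def audit_lines(inventory):
    """Human-readable record of what a sync pass would change, for a change log."""
    src, best_hash, best_stamp = pick_best(inventory)
    header = f"source={src} hash={best_hash} stamp={best_stamp.isoformat()}"
    return [header] + [
        f"update {s}: {inventory[s][0]} -> {best_hash}" for s in plan_sync(inventory)
    ]


if __name__ == "__main__":
    for line in audit_lines(INVENTORY):
        print(line)
    synced = apply_sync(INVENTORY)
    print("second pass changes:", plan_sync(synced))  # empty: a second pass is a no-op
```

The plan/apply split gives you a dry run and a written record before anything changes, and running the pass twice shows it converges: once every system holds the newest hash there is nothing left to copy. The flip side of the convenience is that the same stored secret then works on every synchronized system, so each of those hash stores, including the one on the DMZ host, needs to be protected as carefully as the domain controller's.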
Use Case: All Password Hashes Synched
Consider how cool it would be to change a password on a standalone server running a web site and have this password automatically propagate to other servers, domain controllers, workstations, or what have you, in just a minute or two. The reverse is also true: you can change a password on a domain controller and have the hash synchronize to a standalone server in a DMZ that is not domain-joined or connected to the main domain.
Order Out of Chaos
One of my favorite things about Server-to-Server Password Synchronizer is that it automatically fixes bad passwords and passwords that are out of sync without a user having to change their password to force synchronization. In other words, it autonomously creates order out of a horribly chaotic set of user passwords.
Hashes Into The Future
Believe it or not, the first version of Windows NT and the latest versions of Windows all use the same password hash algorithms, so they are interoperable with each other. Because the hashes are identical between operating systems, our password synchronizer works beautifully even today.
What It Does Not Do
Operating systems such as mainframes, UNIX, Linux and others all use hashes, but they typically use hash algorithms (e.g. MD5) that are incompatible with Microsoft Windows. As a result, hashes generated in Windows are not recognized by these other operating systems, and vice versa. For this reason, Server-to-Server Password Synchronizer is a Windows-only product.
Need To Synchronize Hashes?
You can install and try Server-to-Server Password Synchronizer for yourself for 30 days. You can synchronize up to 10 unique accounts over as many systems as you wish. So, if you want to try synching 2 accounts on 100 systems, you can do that for 30 days on our dime to prove to yourself how awesome having identical password hashes can really be.
What do you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.