Disabling LM Authentication

Written by on Tuesday, March 4, 2008 5:31 - 0 Comments

Using strong passwords is useless if they are not encrypted properly. That’s why disabling LM authentication is important.

Requiring users to create complex passwords is of absolutely no use if those passwords can be easily extracted from a computer. By default, Windows 2000 and XP locally store the passwords hashes used during Lan Manager (LM) authentication. LM is an older technology and uses a very bad form of encryption that is easily cracked. In a network environment these passwords are transmitted to the primary domain controller for authentication purposes. This means that anybody with a network sniffer, LM cracking application, and a little bit of motivation can easily intercept and decode users passwords.

To disable transmission of LM hashes across the network on a single computer, complete these steps:

1. Open the registry editor and browse to HKLMSystemCurrentControlSetcontrolLSA
2. Find the key named “LMCompatibilityLevel”
3. Change this value to “5” to completely disable the use of LM authentication.

After doing this, you will still need to configure the computer to remove its local copy of the LM hash:

1. Create a new policy in the Group Policy Management Console, and browse to Computer Configuration > Windows Settings > Security Settings > Local Policies.
2. Select Security Options.
3. Double-click “Network Security: Do Not Store LAN Manager Hash Value On Next Password Change”.
4. Select Enabled, and click OK.

As a final thought, remember, that if you still have legacy clients connecting to your domain, you will still have to allow for LM authentication as it is the only form of authentication they will support.

Article written by MyComputerAid.com



Leave a Reply

You must be logged in to post a comment.

2003 server - Sep 30, 2008 22:34 - 0 Comments

instant messaging srv records

More In Computers & PC


Microsoft Outlook - Mar 22, 2009 11:22 - 0 Comments

Outlook: Duplicates in Mailbox

More In Computers & PC