Disabling LM Authentication

  • Section(s): Security
  • Published on Mar 22, 2007.
  • Last Modified on Mar 22, 2007.
  • Last Modified by Chris Sanders.
  • Rated 1 out of 5 based on 1 vote.
Using strong passwords is useless if they are not protected properly. That's why disabling LM authentication is important.
Requiring users to create complex passwords is of no use if those passwords can be easily extracted from a computer. By default, Windows 2000 and XP locally store the password hashes used during LAN Manager (LM) authentication. LM is an older technology that uses a very weak form of encryption, which is easily cracked. In a network environment these passwords are transmitted to the primary domain controller for authentication. This means that anybody with a network sniffer, an LM cracking application, and a little motivation can intercept and decode users' passwords.

To disable transmission of LM hashes across the network on a single computer, complete these steps:
  1. Open the registry editor and browse to HKLM\System\CurrentControlSet\control\LSA
  2. Find the value named “LMCompatibilityLevel”
  3. Change this value to “5” to completely disable the use of LM authentication.

After doing this, you will still need to configure the computer to remove its local copy of the LM hash:
  1. Create a new policy in the Group Policy Management Console, and browse to Computer Configuration > Windows Settings > Security Settings > Local Policies.
  2. Select Security Options.
  3. Double-click “Network Security: Do Not Store LAN Manager Hash Value On Next Password Change”.
  4. Select Enabled, and click OK.
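The two lists above change two settings that both live under the same LSA registry key. The script below is an added example, not part of the original article: it audits both settings on the local computer and, when run with -Fix from an elevated PowerShell prompt, applies them. It assumes that the NoLMHash DWORD value under the Lsa key is the registry-side equivalent of the Group Policy setting "Network Security: Do Not Store LAN Manager Hash Value On Next Password Change"; the level descriptions in the table are the documented meanings of the LMCompatibilityLevel values.

```powershell
# Added example (not from the original article). Audits and, with -Fix,
# enforces the two LSA settings described above. Run elevated.
param(
    [switch]$Fix,
    [int]$DesiredLevel = 5   # 5 = send NTLMv2 only; DC refuses LM and NTLM
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meaning of each LMCompatibilityLevel value.
$LevelMeaning = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; DC refuses LM'
    5 = 'Send NTLMv2 only; DC refuses LM and NTLM'
}

function Get-LsaValue {
    # Returns the DWORD value, or $null when the value has not been created.
    param([string]$Name)
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-LmAuthState {
    $level = Get-LsaValue -Name 'LMCompatibilityLevel'
    $noLm  = Get-LsaValue -Name 'NoLMHash'
    $meaning = 'Not set (OS default applies)'
    if ($null -ne $level) { $meaning = $LevelMeaning[$level] }
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LMCompatibilityLevel = $level
        LevelMeaning         = $meaning
        NoLMHash             = $noLm
        LmAuthDisabled       = ($null -ne $level -and $level -ge 3)  # 3+ never sends an LM response
        LmHashStorageOff     = ($noLm -eq 1)
    }
}

function Set-LmAuthHardening {
    param([int]$Level)
    # Both are REG_DWORD values; -Force creates them if they do not exist yet
    # (a default XP install has neither value present).
    Set-ItemProperty -Path $LsaKey -Name 'LMCompatibilityLevel' -Value $Level -Type DWord -Force
    Set-ItemProperty -Path $LsaKey -Name 'NoLMHash' -Value 1 -Type DWord -Force
}

$before = Get-LmAuthState
$before | Format-List

if ($Fix) {
    if (-not $before.LmAuthDisabled -or -not $before.LmHashStorageOff) {
        Set-LmAuthHardening -Level $DesiredLevel
        Write-Host "Settings applied. LM hashes already in the SAM stay there until each account's next password change."
        Get-LmAuthState | Format-List
    } else {
        Write-Host 'Already hardened; nothing changed.'
    }
}
```

Run it without -Fix first to see where a machine stands; the LmHashStorageOff field only tells you that new LM hashes will not be written, so after enabling it you still need to force or wait for a password change on each account before the old hash is gone. The audit half is also the check to run after a Group Policy rollout, since the policy from the second list writes the same NoLMHash value to this key on every targeted computer.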

As a final thought, remember that if you still have legacy clients connecting to your domain, you will still have to allow LM authentication, as it is the only form of authentication they support.

***

Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. Chris's specialties include general network administration, windows server 2003, wireless networking, and security. You can view Chris' personal website at www.chrissanders.org.

About Chris Sanders

Chris Sanders is a network consultant for KeeFORCE, one of the most popular network consulting firms in western Kentucky. Chris is the author of the book Practical Packet Analysis as well as several technical articles. His personal website at www.chrissanders.org contains a great deal of information, articles, and guides related to network administration, network security, packet analysis, and general information technology.
