To disable transmission of LM hashes across the network on a single computer, complete these steps:
- Open the registry editor and browse to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- Find the DWORD value named "LMCompatibilityLevel"
- Change this value to "5" to completely disable the use of LM authentication (level 5 is "Send NTLMv2 response only. Refuse LM & NTLM").
After doing this, you will still need to configure the computer to remove its local copy of the LM hash:
- Create a new policy in the Group Policy Management Console, and browse to Computer Configuration > Windows Settings > Security Settings > Local Policies.
- Select Security Options.
- Double-click “Network Security: Do Not Store LAN Manager Hash Value On Next Password Change”.
- Select Enabled, and click OK.
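As an added example (not part of the original article), the PowerShell script below audits and, when you choose to apply it, sets the two registry values that the steps above change on the local computer. It assumes an elevated PowerShell session, and uses NoLMHash, which is the registry value written by the "Do not store LAN Manager hash value on next password change" policy; the -WhatIf switch lets you preview the change without writing anything.

```powershell
# Added example, not code from the original article.
# Assumes an elevated session; registry paths are case-insensitive.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmHashHardening {
    # Report the current state; a value that has never been set reads as $null
    $props = Get-ItemProperty -Path $LsaPath
    [pscustomobject]@{
        LmCompatibilityLevel = $props.LmCompatibilityLevel
        NoLMHash             = $props.NoLMHash
        # The article's target: level 5 (NTLMv2 only, refuse LM and NTLM)
        LmAuthDisabled       = ($props.LmCompatibilityLevel -eq 5)
        # NoLMHash = 1 is what the "Do not store LAN Manager hash value" policy sets;
        # existing LM hashes are only dropped at each account's next password change
        LmHashStorageOff     = ($props.NoLMHash -eq 1)
    }
}

function Set-LmHashHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Level 5 is the article's recommendation; lower levels are allowed for
        # environments that still need to talk to legacy clients
        [ValidateRange(0, 5)] [int] $Level = 5
    )
    if ($PSCmdlet.ShouldProcess($LsaPath, "Set LmCompatibilityLevel=$Level and NoLMHash=1")) {
        Set-ItemProperty -Path $LsaPath -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
        Set-ItemProperty -Path $LsaPath -Name 'NoLMHash' -Value 1 -Type DWord
    }
}

# Review the current state first, then preview the change; drop -WhatIf to apply it
Get-LmHashHardening
Set-LmHashHardening -Level 5 -WhatIf
```

If the computer is domain-joined, a Group Policy that sets these values will overwrite whatever you set locally at the next policy refresh, so check the effective policy as well as the registry.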
As a final thought, remember that if you still have legacy clients connecting to your domain, you will still have to allow LM authentication, as it is the only form of authentication they support.
***
Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. Chris's specialties include general network administration, Windows Server 2003, wireless networking, and security. You can view Chris's personal website at www.chrissanders.org.