
Tech Tip: Lock down systems by disabling LM authentication

Tags: Guest Contributor


Takeaway: Find out how to lock down systems by disabling LM authentication.

By Mike Mullins

Requiring your users to use complex passwords and enforcing that policy is useless if you authenticate and locally store easily cracked password files.

By default, Windows NT, 2000, and XP locally store legacy LAN Manager (LM) password hashes (LANMAN hashes). LM uses a weak encryption scheme to store passwords, and hackers can usually crack it in a very short period of time.

Windows stores LM hashes in the Security Account Manager (SAM) database. By default, clients have LAN Manager authentication enabled, and servers accept this authentication.

This allows workstations to send weak LM hashes across the network, making Windows authentication vulnerable to packet sniffing and reducing the amount of effort an attacker must expend to crack user passwords.

To disable this ability and better secure your workstations, follow these steps:

  1. Go to Start | Run, and enter Regedit.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
  3. Find the LMCompatibilityLevel value.

LMCompatibilityLevel's default is 0. Your options include:

  • Level 0: Send LM response and NTLM response; never use NTLMv2 session security.
  • Level 1: Use NTLMv2 session security if negotiated.
  • Level 2: Send NTLM authentication only.
  • Level 3: Send NTLMv2 authentication only.
  • Level 4: Refuse LM authentication.
  • Level 5: Refuse LM and NTLM authentication; accept only NTLMv2.

Configure the system to use only NTLMv2 by setting the LMCompatibilityLevel REG_DWORD value to 3. This forces the clients to send NTLMv2 authentication only.

Set your servers to Level 5, and your client-server communication is now secure. (For additional information, check out Microsoft Knowledge Base article 147706.)

Implement NoLMHash Policy

After you make this change, you'll still need to force the systems to remove the LM hash from their SAM database. To disable the storage of LM hashes of a user's passwords using Active Directory (Windows 2000 Server or Windows Server 2003) and Group Policy, follow these steps:

  1. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and expand Local Policies.
  2. Select Security Options.
  3. Double-click Network Security: Do Not Store LAN Manager Hash Value On Next Password Change.
  4. Select Enabled, and click OK.

To disable the storage of LM hashes of a user's passwords in the local computer's SAM database by using Local Group Policy (Windows XP or Windows 2000), follow these steps on each computer:

  1. Go to Start | Control Panel.
  2. Double-click Administrative Tools.
  3. Double-click Local Security Policy.
  4. In the left pane, expand Local Policies, and select Security Options.
  5. Double-click Network Security: Do Not Store LAN Manager Hash Value On Next Password Change.
  6. Select Enabled, and click OK.

Keep in mind that these changes won't take effect until the user changes his or her password and Windows creates a new hash. This is a good time to force a domain-wide password change, specifically for all users with elevated privileges.
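The registry value edited with Regedit above (LMCompatibilityLevel) and the "Do Not Store LAN Manager Hash Value" policy (which sets the NoLMHash value under the same LSA key) can both be audited and applied from a script. The following PowerShell is an added example and not part of Mike Mullins' article or any Microsoft tool; it assumes a Windows host with PowerShell and local administrator rights, and the function names (Get-LsaSetting, Test-LmHardening, Set-LmHardening) and the -Role parameter are this example's own. It treats an absent LMCompatibilityLevel as the default of 0 described in the article and an absent NoLMHash as "LM hashes are stored", then applies the article's targets (level 3 for clients, level 5 for servers, NoLMHash enabled).

```powershell
# Added example (not from the original article): audit and harden the LSA
# registry values behind the article's Regedit and Group Policy steps.
# Assumes a Windows host, PowerShell, and administrator rights.
# Function names and the -Role parameter are this example's own.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Level descriptions as listed in the article.
$LevelMeaning = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; refuse LM'
    5 = 'Send NTLMv2 only; refuse LM and NTLM'
}

function Get-LsaSetting {
    param([string]$Name, [int]$Default)
    # A missing value means the built-in default is in force, not "unset".
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Test-LmHardening {
    [CmdletBinding()]
    param([ValidateSet('Client', 'Server')][string]$Role = 'Client')

    # Targets from the article: clients at level 3, servers at level 5.
    $targetLevel = if ($Role -eq 'Server') { 5 } else { 3 }

    # Absent LmCompatibilityLevel = article's default 0; absent NoLMHash = hashes stored.
    $level    = Get-LsaSetting -Name 'LmCompatibilityLevel' -Default 0
    $noLmHash = Get-LsaSetting -Name 'NoLMHash' -Default 0

    [pscustomobject]@{
        Role                 = $Role
        LmCompatibilityLevel = $level
        Meaning              = $LevelMeaning[$level]
        LevelCompliant       = ($level -ge $targetLevel)
        NoLMHash             = $noLmHash
        NoLMHashCompliant    = ($noLmHash -eq 1)
    }
}

function Set-LmHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet('Client', 'Server')][string]$Role = 'Client')

    $targetLevel = if ($Role -eq 'Server') { 5 } else { 3 }
    if ($PSCmdlet.ShouldProcess($LsaKey, "Set LmCompatibilityLevel=$targetLevel, NoLMHash=1")) {
        # Set-ItemProperty creates the DWORD values if they do not exist yet.
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $targetLevel -Type DWord
        Set-ItemProperty -Path $LsaKey -Name 'NoLMHash' -Value 1 -Type DWord
    }
}

# Usage: audit first, then apply. -WhatIf previews the registry writes without making them.
Test-LmHardening -Role Server | Format-List
Set-LmHardening -Role Server -WhatIf
```

Run Test-LmHardening across a fleet before raising the level: a host reporting LevelCompliant as False is one whose clients or services may still depend on LM or NTLM and should be checked before servers are moved to level 5. As the article notes, setting NoLMHash only stops new LM hashes from being written; existing ones remain in the SAM until the password is changed.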

Final thoughts

While Microsoft propagated this security liability to allow for compatibility with legacy Windows 95/98 clients, it's time you remove this default vulnerability from your network.

Note: Editing the registry can be risky, so be sure you have a verified backup before you begin.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.
