Requiring users to create complex passwords is of absolutely no use if those passwords can be easily extracted from a computer. By default, Windows 2000 and XP locally store the passwords hashes used during Lan Manager (LM) authentication. LM is an older technology and uses a very bad form of encryption that is easily cracked. In a network environment these passwords are transmitted to the primary domain controller for authentication purposes. This means that anybody with a network sniffer, LM cracking application, and a little bit of motivation can easily intercept and decode users passwords.
To disable transmission of LM hashes across the network on a single computer, complete these steps:
- Open the registry editor and browse to HKLM\System\CurrentControlSet\control\LSA
- Find the key named “LMCompatibilityLevel”
- Change this value to “5” to completely disable the use of LM authentication.
After doing this, you will still need to configure the computer to remove its local copy of the LM hash:
- Create a new policy in the Group Policy Management Console, and browse to Computer Configuration > Windows Settings > Security Settings > Local Policies.
- Select Security Options.
- Double-click “Network Security: Do Not Store LAN Manager Hash Value On Next Password Change”.
- Select Enabled, and click OK.
As a final thought, remember, that if you still have legacy clients connecting to your domain, you will still have to allow for LM authentication as it is the only form of authentication they will support.
Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. Chris’s specialties include general network administration, windows server 2003, wireless networking, and security. You can view Chris’ personal website at www.chrissanders.org.