By Mike Mullins
Requiring your users to use complex passwords and enforcing that policy is useless if you authenticate and locally store easily cracked password files.
By default, Windows NT, 2000, and XP locally store legacy LAN Manager (LM) password hashes (LANMAN hashes). LM uses a weak encryption scheme to store passwords, and hackers can usually crack it in a very short period of time.
Windows stores LM hashes in the Security Account Manager (SAM) database. By default, clients have LAN Manager authentication enabled, and servers accept this authentication.
This allows workstations to send weak LM hashes across the network, making Windows authentication vulnerable to packet sniffing and reducing the amount of effort an attacker must expend to crack user passwords.
To disable this ability and better secure your workstations, follow these steps:
LMCompatibilityLevel's default is 0. Your options include:
Configure the system to use only NTLMv2, and set the REG_DWORD to Level 3. This forces the clients to send NTLMv2 authentication only.
Set your servers to Level 5, and your client-server communication is now secure. (For additional information, check out Microsoft Knowledge Base article 147706.)
Implement NoLMHash Policy
After you make this change, you'll still need to force the systems to remove the LM hash from their SAM database. To disable the storage of LM hashes of a user's passwords using Active Directory (Windows 2000 Server or Windows Server 2003) and Group Policy, follow these steps:
To disable the storage of LM hashes of a user's passwords in the local computer's SAM database by using Local Group Policy (Windows XP or Windows 2000), make the following change locally. Follow these steps:
Keep in mind that these changes won't take effect until the user changes his or her password and Windows creates a new hash. This is a good time to force a domain-wide password change, specifically for all users with elevated privileges.
While Microsoft propagated this security liability to allow for compatibility with legacy Windows 95/98 clients, it's time you remove this default vulnerability from your network.
Note: Editing the registry can be risky, so be sure you have a verified backup before you begin.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.