By Mike Mullins
Requiring your users to use complex passwords and enforcing that policy is useless if you authenticate with, and locally store, easily cracked password files.

By default, Windows NT, 2000, and XP locally store legacy LAN Manager (LM) password hashes (LANMAN hashes). LM uses a weak encryption scheme to store passwords, and hackers can usually crack it in a very short period of time.

Windows stores LM hashes in the Security Account Manager (SAM) database. By default, clients have LAN Manager authentication enabled, and servers accept this authentication. This allows workstations to send weak LM hashes across the network, making Windows authentication vulnerable to packet sniffing and reducing the amount of effort an attacker must expend to crack user passwords.
To disable this ability and better secure your workstations, follow these steps:
- Go to Start | Run, and enter Regedit.
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
- Find the LMCompatibilityLevel value.
LMCompatibilityLevel's default is 0. Your options include:
- Level 0: Send LM response and NTLM response; never use NTLMv2 session security.
- Level 1: Use NTLMv2 session security if negotiated.
- Level 2: Send NTLM authentication only.
- Level 3: Send NTLMv2 authentication only.
- Level 4: Refuse LM authentication.
- Level 5: Refuse LM and NTLM authentication; accept only NTLMv2.
To configure a workstation to use only NTLMv2, set the LMCompatibilityLevel REG_DWORD to 3. This forces the client to send NTLMv2 authentication only.

Set your servers to Level 5, so they refuse LM and NTLM and accept only NTLMv2, and your client-server authentication is now secure. (For additional information, check out Microsoft Knowledge Base article 147706.)
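The registry change above can be audited and applied from a script instead of through Regedit. The following PowerShell is an added example, not part of the original article: it reads LmCompatibilityLevel from the Lsa key, compares it with the target the article gives for the machine's role (3 for clients, 5 for servers), and changes it only when asked. The -Role and -Remediate parameters and the $Desired table are this script's own conventions; a missing value is treated as the default of 0.

```powershell
# Added example (not from the original article): audit, and optionally set,
# LMCompatibilityLevel. Run from an elevated PowerShell prompt.
param(
    [ValidateSet('Client', 'Server')] [string] $Role = 'Client',   # assumption: our own parameter
    [switch] $Remediate
)

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Desired = @{ Client = 3; Server = 5 }   # targets as given in the article

# Meaning of each level, as listed in the article.
$Names = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'Use NTLMv2 session security if negotiated'
    2 = 'Send NTLM authentication only'
    3 = 'Send NTLMv2 authentication only'
    4 = 'Refuse LM authentication'
    5 = 'Refuse LM and NTLM authentication; accept only NTLMv2'
}

# A value that is not present behaves as the default, 0.
$current = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $current) { $current = 0 }

$target = $Desired[$Role]
Write-Host ('Current LMCompatibilityLevel: {0} ({1})' -f $current, $Names[$current])
Write-Host ("Target for role '{0}': {1} ({2})" -f $Role, $target, $Names[$target])

if ($current -ge $target) {
    # Higher levels are stricter, so meeting or exceeding the target is fine.
    Write-Host 'OK: level meets or exceeds the target.'
} elseif ($Remediate) {
    # Stored as REG_DWORD, as the article specifies.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $target -Type DWord
    Write-Host ('Set LMCompatibilityLevel to {0}.' -f $target)
} else {
    Write-Warning 'Below target. Re-run with -Remediate to change it.'
}
```

Order matters when rolling this out: a server at Level 5 accepts only NTLMv2, so raise the workstations to Level 3 first and confirm they authenticate before moving servers to Level 5, or clients still at a lower level will be refused.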
Implement NoLMHash Policy
After you make this change, you'll still need to force the systems to remove the LM hash from their SAM database. To disable the storage of LM hashes of a user's passwords using Active Directory (Windows 2000 Server or Windows Server 2003) and Group Policy, follow these steps:
- In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and expand Local Policies.
- Select Security Options.
- Double-click Network Security: Do Not Store LAN Manager Hash Value On Next Password Change.
- Select Enabled, and click OK.
To disable the storage of LM hashes of a user's passwords in the local computer's SAM database by using Local Group Policy (Windows XP or Windows 2000), make the following change locally. Follow these steps:
- Go to Start | Control Panel.
- Double-click Administrative Tools.
- Double-click Local Security Policy.
- In the left pane, expand Local Policies, and select Security Options.
- Double-click Network Security: Do Not Store LAN Manager Hash Value On Next Password Change.
- Select Enabled, and click OK.
Keep in mind that these changes won't take effect until the user changes his or her password and Windows creates a new hash. This is a good time to force a domain-wide password change, specifically for all users with elevated privileges.
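The Group Policy setting above is backed by the NoLMHash REG_DWORD value under the same Lsa key as LMCompatibilityLevel. The PowerShell below is an added example, not part of the original article: it enables NoLMHash on the local machine (the DWORD form used by Windows XP and Windows Server 2003 and later), verifies the write, and, because the article notes that existing LM hashes persist until the next password change, can optionally flag members of a privileged group to change their password at next logon. The -FlagPrivilegedUsers and -PrivilegedGroup parameters are this script's own conventions, and that part assumes the ActiveDirectory module is available on a domain-joined admin workstation.

```powershell
# Added example (not from the original article): enable the NoLMHash policy in
# the registry and optionally force a password change for privileged accounts.
# Run from an elevated PowerShell prompt.
param(
    [switch] $FlagPrivilegedUsers,                 # assumption: our own switch
    [string] $PrivilegedGroup = 'Domain Admins'    # assumption: group to target
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$before = (Get-ItemProperty -Path $LsaKey -Name NoLMHash `
           -ErrorAction SilentlyContinue).NoLMHash
if ($before -eq 1) {
    Write-Host 'NoLMHash is already enabled (1).'
} else {
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
    # Read it back so a failed write is not silently reported as success.
    $after = (Get-ItemProperty -Path $LsaKey -Name NoLMHash).NoLMHash
    if ($after -ne 1) { throw 'Failed to set NoLMHash.' }
    Write-Host 'NoLMHash set to 1. Existing LM hashes remain until each password is changed.'
}

# Optional: require a password change at next logon for members of a privileged
# group, so the LM hashes already stored for those accounts are replaced promptly.
# Requires the ActiveDirectory module (RSAT) and rights to modify the accounts.
if ($FlagPrivilegedUsers) {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Set-ADUser -Identity $_.distinguishedName -ChangePasswordAtLogon $true
            Write-Host ('Flagged {0} for a password change at next logon.' -f $_.SamAccountName)
        }
}
```

On a domain member, the Group Policy setting takes precedence: if the policy is defined, it will rewrite this value at the next policy refresh, so set it through Group Policy for domain machines and use the registry form for standalone systems or as a verification step.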
Final thoughts
While Microsoft propagated this security
liability to allow for compatibility with legacy Windows 95/98
clients, it’s time you remove this default vulnerability from your
network.
Note: Editing the registry
can be risky, so be sure you have a verified backup before you
begin.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.