A security system can't be stronger than its weakest link. For example, it is important to make users choose strong passwords and change them often enough. However, if the passwords are transmitted in plain or easily deciphered. Another example is the so-called LAN Manager (LM) authentication. This outdated method stores passwords in a form that can be cracked easily, effectively nullifying all the security measures related to password strength.
If you still have legacy clients that require LM authentication, there is nothing you can do about that. In all other cases it is a good idea to disable LM authentication entirely.
The LM hash is transmitted across the network; to prevent that on a single computer, follow these steps:
- open the Registry Editor and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- locate the value named "LMCompatibilityLevel"
- set this value to "5"; that completely disables LM authentication
However, disabling this does not remove the LM hashes that are already stored. To eliminate them:
- create a new policy using the Group Policy Management Console; navigate to Computer Configuration, then to Windows Settings > Security Settings > Local Policies
- select Security Options
- double-click "Network Security: Do Not Store LAN Manager Hash Value On Next Password Change"
- select Enabled and click "OK"
The last thing you have to do is change the password of each user account; that is what removes whatever LM hash was stored for it.
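The following PowerShell script is an added example, not part of the original article: it audits the two settings described above on the local machine and, when run with -Fix, applies them. It assumes that the Group Policy setting "Do Not Store LAN Manager Hash Value On Next Password Change" corresponds to the NoLMHash DWORD value under the same Lsa key (an assumption stated in the code).

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# Audits LMCompatibilityLevel and NoLMHash under the Lsa key; -Fix sets them.
# Assumption: NoLMHash=1 is the registry equivalent of the Group Policy setting
# "Network security: Do not store LAN Manager hash value on next password change".
param([switch]$Fix)

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Desired values: 5 = refuse LM (and NTLM) authentication, 1 = do not store LM hashes
$Desired = [ordered]@{
    LMCompatibilityLevel = 5
    NoLMHash             = 1
}

function Get-LsaSetting {
    param([string]$Name)
    $item = Get-ItemProperty -Path $LsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the Windows default applies
    return [int]$item.$Name
}

foreach ($name in $Desired.Keys) {
    $current = Get-LsaSetting -Name $name
    $ok      = ($current -eq $Desired[$name])
    $shown   = if ($null -eq $current) { '<not set>' } else { $current }
    $state   = if ($ok) { 'OK' } else { 'NON-COMPLIANT' }
    Write-Host ("{0,-22} current={1,-10} desired={2}  {3}" -f $name, $shown, $Desired[$name], $state)

    if (-not $ok -and $Fix) {
        # DWORD write; Set-ItemProperty creates the value if it does not exist yet
        Set-ItemProperty -Path $LsaPath -Name $name -Value $Desired[$name] -Type DWord
        Write-Host "  -> set $name to $($Desired[$name])"
    }
}

if ($Fix) {
    Write-Host 'Reminder: LM hashes already stored are only removed when each account next changes its password.'
}
```

On a domain-joined machine a Group Policy Object that sets these values will overwrite a local change at the next policy refresh, so the audit output, not the fix, is what to rely on there.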