Skip navigation

How do I disable LanManager challenge/response in NT?

A. Windows NT Servers with Service Pack 4 and above support three authentication types,

  • LanManager (LM) challenge/response
  • Windows NT challenge/response (also known as NTLM challenge/response)
  • Windows NT challenge/response Version 2.0 (also known as NTLM2)

By default when a client connects to a server both LM and NTLM are used in case the server does not support NTLM however LM is far weaker than NTLM so you may wish to disable LM for security reasons.

Editing the registry key described allows the client to select which authentication is will use but ensure is NTLM2 is select SP4 is applied to all servers. The setting below is required on the clients and servers so you may wish to automate this via a logon script or policy

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. From the edit menu select New - DWORD value
  4. Enter a name of LMCompatibilityLevel and press Enter
  5. Double click the new value and set to one of the following
    0 - Send LM response and NTLM response; never use NTLMv2 session security
    1 - Use NTLMv2 session security if negotiated
    2 - Send NTLM response only
    3 - Send NTLMv2 response only
    4 - DC refuses LM responses
    5 - DC refuses LM and NTLM responses (accepts only NTLMv2)
  6. Close the registry editor
  7. Reboot the machine

For more information on deploying see http://support.microsoft.com/support/kb/articles/q147/7/06.asp


TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish