JSI Tip 4176. How do I remove LM hashes from Active Directory and Security Account Manager?


Windows 2000 SP2 and Windows XP offer LanMan, NTLM, and NTLMV2 authentication for compatibility with previous versions of Windows. The LM hash is easily attacked if the security database falls into malicious hands.

To disable the storage of the LM hashes for Windows 2000:

1. Use Regedt32 to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

2. On the Edit menu, choose Add Key and enter NoLMHash as the key name.

3. Exit Regedt32 and restart your computer.

4. Ensure that all users change their password, as the stored hash is NOT removed until the password is changed.

To disable the storage of the LM hashes for Windows XP:

1. Use Regedt32 to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

2. On the Edit menu, choose Add Value, enter NoLMHash as the value name, select the REG_DWORD data type, and set the data value to 1.

3. Exit Regedt32 and restart your computer.

4. Ensure that all users change their password, as the stored hash is NOT removed until the password is changed.

NOTE: Windows XP also supports the equivalent Network Security Group Policy setting at Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options.
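A PowerShell audit and remediation script covering both registry forms described above (added example, not part of the original tip; it assumes a current Windows system where Get-ItemProperty and New-ItemProperty are available, and an elevated session for the write):

```powershell
# Added example (not from the original tip). Audits the Lsa key for both forms
# of NoLMHash and sets the REG_DWORD form used by Windows XP.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NoLMHashState {
    # Reports which form of the setting is present. Neither form removes
    # hashes already stored; users must still change their password.
    $valueSet   = $false
    $keyPresent = $false

    $props = Get-ItemProperty -Path $LsaPath -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.PSObject.Properties['NoLMHash']) {
        # Windows XP form: REG_DWORD value NoLMHash = 1
        $valueSet = ([int]$props.NoLMHash -eq 1)
    }
    # Windows 2000 form: a subkey named NoLMHash (its existence is what matters)
    $keyPresent = Test-Path -Path (Join-Path -Path $LsaPath -ChildPath 'NoLMHash')

    [pscustomobject]@{
        DwordValueSet  = $valueSet
        SubkeyPresent  = $keyPresent
        LMHashDisabled = ($valueSet -or $keyPresent)
    }
}

function Enable-NoLMHash {
    # Requires an elevated session. Creates or overwrites the DWORD value;
    # a reboot is still needed before the setting takes effect.
    New-ItemProperty -Path $LsaPath -Name 'NoLMHash' -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-NoLMHashState
if (-not $state.LMHashDisabled) {
    Write-Host 'LM hash storage is enabled; setting NoLMHash=1 (reboot required).'
    Enable-NoLMHash
} else {
    Write-Host ('LM hash storage already disabled: DWORD={0} Subkey={1}' -f
        $state.DwordValueSet, $state.SubkeyPresent)
}
```

Run Get-NoLMHashState on its own to audit a machine without changing anything; after enabling, a forced password change for every account is what actually clears the stored LM hashes.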

NOTE: Enabling "Do not store LAN Manager hash value on next password change" can cause the following components, among others, to NOT work:

Microsoft Windows 95 and Microsoft Windows 98 client authentication without the Directory Services (DS) client pack installed.

Windows 95 and Windows 98 change-password operations, regardless of whether the DS client pack is installed.

MAC UAM client authentication and password change.
