How can I prevent the OS from storing LAN Manager (LM) hashes in Active Directory (AD) and the SAM?

A. Both Windows XP and Windows 2000 support several authentication methods, including LAN Manager (LM), NT LAN Manager (NTLM), and NTLM version 2 (NTLMv2). LM stores passwords in a hashed format that's easy to crack. Starting with Win2K Service Pack 2 (SP2), Microsoft addressed this weakness by adding the ability to disable the storage of LM hashes.

To disable LM hashes in Win2K, perform the following steps:

  1. Start the registry editor (regedit.exe) on the domain controller (DC).
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
  3. From the Edit menu, select New, Key.
  4. Enter a name of NoLMHash, set the value to 1, and press Enter.
  5. Close the registry editor.
  6. Restart the computer for the change to take effect.

To disable LM hashes in XP, perform steps 1 and 2 above. At step 3, from the Edit menu, select New, DWORD value. Complete the process by performing steps 4 through 6 above. This change won't take effect until each user changes his or her password.

In XP, you can also use Group Policy (GP) to disable LM hashes under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. To change the settings for this policy, locate the Network Security policy entitled 'Do not store LAN Manager hash value on next password change.' Be aware that if you set this option, some components that rely on LM hashes (e.g., the Windows 9x change password operation, Win9x client authentication if you don't have the Directory Services (DS) client pack installed) might not work as expected.
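As an added example (not code from the original article), the following PowerShell script audits whether either form of the NoLMHash setting described above is in place and applies the one you choose. It assumes administrative rights on the machine being hardened; the function names and the -Win2KStyle switch are conventions of this example only.

```powershell
# Added example: audit and enforce the NoLMHash setting described above.
# Assumes an elevated PowerShell session with the HKLM: provider available.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NoLMHashState {
    # Returns 'Value'  when the XP-style REG_DWORD NoLMHash is set to 1,
    #         'Key'    when the Win2K SP2-style NoLMHash subkey exists,
    #         'NotSet' when neither form of the setting is present.
    $prop = Get-ItemProperty -Path $LsaPath -Name 'NoLMHash' -ErrorAction SilentlyContinue
    if ($prop -and $prop.NoLMHash -eq 1) { return 'Value' }
    if (Test-Path -Path (Join-Path $LsaPath 'NoLMHash')) { return 'Key' }
    return 'NotSet'
}

function Set-NoLMHash {
    # -Win2KStyle creates the subkey (Win2K SP2); otherwise sets the DWORD (XP and later).
    param([switch]$Win2KStyle)
    if ($Win2KStyle) {
        # On Win2K SP2 the presence of the subkey alone disables LM hash storage.
        New-Item -Path $LsaPath -Name 'NoLMHash' -Force | Out-Null
    } else {
        # On XP the setting is a REG_DWORD named NoLMHash with the value 1.
        New-ItemProperty -Path $LsaPath -Name 'NoLMHash' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

$state = Get-NoLMHashState
Write-Host "NoLMHash state before: $state"
if ($state -eq 'NotSet') {
    # Pick the form that matches the OS: Win2K uses the key, XP the DWORD value.
    $isWin2K = [Environment]::OSVersion.Version -lt [Version]'5.1'
    Set-NoLMHash -Win2KStyle:$isWin2K
    Write-Host "NoLMHash state after: $(Get-NoLMHashState)"
}
# Reminder: existing LM hashes remain in the SAM/AD until each account's
# password is changed (and Win2K needs a restart), exactly as the article states.
```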
