Q: Can you explain the LAN Manager (LM) hash weakness in the Windows NT LAN Manager (NTLM) authentication protocol, and can you tell me how I can protect my Windows infrastructure against this weakness?
A: The NTLM authentication protocol consists of two authentication protocols: the NT and the LM authentication protocol. These protocols use different hashing methods to securely store a user's password in the Windows security database (SAM or Active Directory-AD). As a consequence, the Windows security database contains an LM hash and an NT hash (also known as the Unicode hash) for every user account's password.
Compared with the NT hash-which takes much more time to break-the LM hash is weak and easily cracked with brute-force attacks. Because of the way LM hashing works, the effective password length is limited to seven characters (even if the user's password is longer), and all characters are stored in uppercase characters (even if the password contains a combination of uppercase and lowercase characters).
The only protocol that uses the LM hash is the LM authentication protocol in both NTLM and NTLMv2. The NT authentication protocol in both NTLM and NTLMv2 and the Kerberos authentication protocol use the NT hash during their authentication sequence. In Windows 2000 Service Pack 2 (SP2), Microsoft first offered the capability to remove the LM hashes from the credential database. To remove the hashes, you can use the NoLMHash registry hack or the Network security: Do not store LAN Manager hash value on next password change Group Policy Object (GPO) setting. The NoLMHash (of type REG_DWORD) registry hack is located in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. Set the value to 1 to disable LM hash storage. The GPO setting is located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options container of the GPO Microsoft Management Console (MMC) snap-in.
Two other lesser known methods to disable LM hash storage are
When you use the registry hack or the GPO setting to remove the hashes, no more LM hashes will be stored in the credential database at the next user password change. Windows 2000 will not clear the LM hash history entries in the security database when you've enabled one of these options. Windows XP and Windows Server 2003, however, clear the LM hash history entries. If you enable this setting in a domain environment, you must enable it on all domain controllers in the domain.
Because the LM protocol is still used for authenticating Windows 9x (or older) Windows clients, you can't disable LM hash storage when these client platforms exist in your Windows 2000 or Windows Server 2003 environment.
