DOCUMENT:Q147706
TITLE :How to Disable LM Authentication on Windows NT
PRODUCT :Microsoft Windows NT, Windows 95, Windows for Workgroups 3.11
and LAN Manager 2.2c
PROD/VER:2.2 3.11 4.0 95
OPER/SYS:WINDOWS
KEYWORD :kberrmsg kbfile ntsecurity NTSrvWkst ntstop
--------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Windows NT Workstation version 4.0
- Microsoft Windows NT Server version 4.0
- Microsoft LAN Manager version 2.2c
- Microsoft Windows for Workgroups version 3.11
- Microsoft Windows 95
--------------------------------------------------------------------------
SUMMARY
=======
Windows NT supports the following two types of challenge/response
authentication:
- LanManager (LM) challenge/response
- Windows NT challenge/response
To allow access to servers that only support LM authentication, Windows
NT
clients currently send both authentication types. Microsoft developed a
patch that supports a new registry key that allows clients to be
configured
to send only Windows NT authentication.
MORE INFORMATION
================
Microsoft has posted the patch at the following Internet location:
NOTE: Service Pack 3 must be applied to Windows NT 4.0 prior to applying
this fix.
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
hotfixes-postSP3/lm-fix
The new registry parameter was added to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0,1,2
Default: 0
Description: This parameter specifies the type of authentication to
be
used.
Level 0 Send LM and Windows NT authentication (default).
Level 1 Send Windows NT authentication and LM authentication only if
the
server requests it.
Level 2 Never send LM authentication.
If a Windows NT client selects level 2, it cannot connect to servers
that
support only LM authentication, such as Windows 95 and Windows for
Workgroups.
NB: This means that the only secure network is a 100% NT network and if
there are any Win95, Win 3.1, Win 3.11 on the network, M$ cannot
guarantee security. JoeB, any comment?
NOTE: If the last password change came from a Windows for Workgroups or
MS-
DOS LanManager 2.x or earlier client, the data needed for Windows NT
authentication will not be available on the domain controller and a
client
selecting level 2 will not be able to connect to Windows NT-based
servers.
To eliminate LM authentication with protocols other than remote file
sharing (for example, Microsoft RPC, RAS, Internet Information Server
(IIS), or Internet Explorer -- anything that uses the NTLMSSP), both the
client and the server need to have the hotfix installed.
After installing the hotfix, perform the following steps to configure
the
LM compatibility level on a computer running Windows NT Workstation or
Server:
WARNING: Using Registry Editor incorrectly can cause serious,
system-wide
problems that may require you to reinstall Windows NT to correct them.
Microsoft cannot guarantee that any problems resulting from the use of
Registry Editor can be solved. Use this tool at your own risk.
1. Run Registry Editor (Regedt32.exe).
2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
3. Click Add Value on the Edit menu.
4. Add the following two values:
Value Name: LMCompatibilityLevel
Data Type: REG_DWORD
Data: 0 (default), 1, or 2
5. Click OK and then quit Registry Editor.
6. Shut down and restart Windows NT.
STATUS
======
Microsoft has confirmed this to be a problem in Windows NT version 4.0.
A supported fix is now available, but has not been fully
regression-tested
and should be applied only to systems experiencing this specific
problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this
fix.
Contact Microsoft Technical Support for more information.
Additional query words: 4.00 prodnt win95 wfwg
============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.