Prevent storage of the LAN Manager password hashes

Why Consider this

One or more of your servers or client computers is currently configured to store LAN Manager (LM) password hashes. LM hashes are weak by design and can often be cracked in minutes with brute force or precomputed (rainbow) tables, so any attacker who obtains the SAM database or Active Directory database can typically recover the underlying passwords.


Context & Best Practices

LM hashes are used by LAN Manager (LM) authentication, an old authentication mechanism that predates NTLM authentication. An LM hash is built by uppercasing the password, truncating or padding it to 14 characters, and splitting it into two independent 7-character halves, each of which is used as a DES key to encrypt a fixed constant; the two halves can therefore be cracked separately, and the effective character set and length are both tiny. By contrast, NTLM (and Kerberos when the RC4-HMAC encryption type is used) relies on the Windows NT password hash (known as the NT hash or Unicode hash), which is computed over the full, case-sensitive password and is considerably more resistant to attack.

Windows client operating systems prior to Windows Vista, and server operating systems prior to Windows Server 2008, compute and store both NT hashes and LM hashes by default. NT hashes are stored for use with NTLM and Kerberos, and LM hashes are stored only for backwards compatibility with earlier client operating system versions. Windows Vista, Windows Server 2008 and later do not store LM hashes unless the default has been changed.

You are highly unlikely to encounter any issues from disabling LM hash storage unless your environment contains Windows 95 or Windows 98 clients. If you disable LM hash storage, users will be unable to authenticate to servers from Windows 95 or Windows 98 clients unless the Directory Services Client is installed on those computers. In these cases you should strongly consider moving the clients to supported operating systems rather than keeping LM hashes for their benefit.

Suggested Actions

Wherever possible, you should prevent Windows from storing LM password hashes. You can do this by editing the registry on individual computers (the NoLMHash DWORD value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, set to 1) or by using Group Policy to apply the change to multiple computers (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Network security: Do not store LAN Manager hash value on next password change"). Note that the setting only stops the LM hash from being written at the next password change: hashes that are already in the local SAM or in Active Directory remain there until each affected account's password is changed, so plan a password rotation for existing accounts after enabling the policy. Passwords of 15 or more characters also cannot be represented as an LM hash and are never stored in that form.

For guidance on both approaches, refer to the support article: How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases at https://support.microsoft.com/kb/299656.

For domain controllers, apply the setting through a Group Policy Object linked to the Domain Controllers OU so that every domain controller is configured identically; if only some domain controllers are configured, the others will continue to write LM hashes into Active Directory.
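The following PowerShell is an added example for this article, not a script from the support article or from Microsoft: it audits the NoLMHash registry value described in KB 299656 on one or more computers, enforces it, and lists domain accounts whose password was last set before a given date (those accounts may still carry an LM hash until their next password change). It assumes PowerShell 5.1 or later, local administrator rights, WinRM for remote computers, and domain membership for the account query; the computer names in the usage lines are placeholders.

```powershell
# Added example, not part of the original article or KB 299656.
# Audit, enforce and follow up on the NoLMHash setting.
# Assumes: PowerShell 5.1+, local admin rights, WinRM for remote hosts,
# and a domain-joined machine for the ADSI query at the end.

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NoLMHashStatus {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $probe = {
        $prop = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                 -Name NoLMHash -ErrorAction SilentlyContinue
        $value = if ($null -ne $prop) { [int]$prop.NoLMHash } else { $null }
        # A missing value is reported as non-compliant: on pre-Vista / pre-2008
        # systems it means LM hashes are still being written. Vista/2008 and
        # later set NoLMHash=1 out of the box, so they normally pass.
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            NoLMHash     = $value
            Compliant    = ($value -eq 1)
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -ieq $env:COMPUTERNAME -or $computer -ieq 'localhost') {
            & $probe
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $probe
        }
    }
}

function Set-NoLMHash {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $fix = {
        # DWORD NoLMHash = 1 is the documented value from KB 299656.
        # -Force overwrites an existing value (for example NoLMHash = 0).
        New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                         -Name NoLMHash -PropertyType DWord -Value 1 -Force | Out-Null
    }

    foreach ($computer in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($computer, 'Set NoLMHash = 1')) {
            if ($computer -ieq $env:COMPUTERNAME -or $computer -ieq 'localhost') {
                & $fix
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $fix
            }
        }
    }
}

function Get-PasswordsOlderThan {
    # NoLMHash only affects the *next* password change, so enabled accounts
    # whose pwdLastSet predates the policy may still have an LM hash stored.
    # This is a proxy check (it does not read the hashes themselves).
    [CmdletBinding()]
    param([Parameter(Mandatory)][datetime]$Since)

    $fileTime = $Since.ToFileTimeUtc()
    # Enabled user objects (userAccountControl bit 2 not set) with an old pwdLastSet.
    $filter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet<=$fileTime)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'pwdlastset'))

    foreach ($r in $searcher.FindAll()) {
        $raw = [int64]$r.Properties['pwdlastset'][0]
        [pscustomobject]@{
            SamAccountName  = [string]$r.Properties['samaccountname'][0]
            # pwdLastSet = 0 means "must change password at next logon".
            PasswordLastSet = if ($raw -eq 0) { $null } else { [datetime]::FromFileTimeUtc($raw) }
        }
    }
}

# Usage (computer names are placeholders, not hosts from the article):
# Get-NoLMHashStatus -ComputerName 'DC01', 'DC02' | Format-Table
# Set-NoLMHash -ComputerName 'DC01', 'DC02' -WhatIf   # drop -WhatIf to apply
# Get-PasswordsOlderThan -Since (Get-Date '2024-01-01') | Sort-Object PasswordLastSet
```

Run the audit first across all domain controllers; a mixed result means some of them are still writing LM hashes into Active Directory. After enforcing the value (ideally via the Group Policy setting rather than per-host registry edits), use the last function with the date the policy took effect to decide which accounts need a forced password change so that their old LM hashes are actually removed.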

Learn More

LM hash settings can cause compatibility issues in mixed environments. For more information on these issues, review the following support articles:

  • Client computers may not work correctly when you add a Windows Server 2008-based domain controller to an existing pre-Windows Server 2008 domain (https://support.microsoft.com/kb/946405).
  • Cluster service account password must be set to 15 or more characters if the NoLMHash policy is enabled (https://support.microsoft.com/kb/828861).