Disable Microsoft Windows LM / NTLMv1 Authentication

How can I disable Microsoft Windows LM / NTLMv1 Authentication on all the computers in my domain?

I'm hoping this is a group policy.
TRTurner Asked:
 
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
You could disable NTLMv1 by changing the value to 5 for:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel

You could also create a GPO to disable LM as per the link below:

http://blog.mohsinabbas.com/2012/04/19/disable-lanman-using-group-policy/

Even with all of this, password hashes are stored as LM hashes in memory if the password is 14 characters or less. Refer to the link below for more information:

http://digital-forensics.sans.org/blog/2012/02/29/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly
 
John, Business Consultant (Owner), Commented:
Here is the Microsoft Knowledge Base article for NTLM 2 authentication.

http://support.microsoft.com/en-us/kb/239869

I set my LSA registry key value to allow access between my old virtual machines and my Windows 8 machine.

Why do you wish to disable it? I cannot think of any need and I am not sure it is a good idea.
 
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
Also note that you cannot disable LM or NTLMv1 if there are computers older than XP for workstations and NT for servers.
 
TRTurner (Author) Commented:
Thanks for the heads up
Question has a verified solution.
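
An added example, not part of any post in this thread: a PowerShell check of the `lmcompatibilitylevel` value named in the first answer, with an optional switch that sets it to 5. The function name and its parameters are hypothetical, and `NoLMHash` (the registry value behind the "do not store LAN Manager hash value" policy) is an assumption that the thread itself does not name.

```powershell
# Added example: audit (and optionally set) the NTLM settings discussed in this thread.
# Function name and parameters are hypothetical. Run elevated on the machine being checked.
function Test-NtlmHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        [switch]$Enforce   # write LmCompatibilityLevel = 5 and NoLMHash = 1
    )

    # Microsoft's documented meanings for LmCompatibilityLevel 0 through 5.
    $levels = @{
        0 = 'Send LM and NTLM responses'
        1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only; refuse LM'
        5 = 'Send NTLMv2 response only; refuse LM and NTLM'
    }

    $lsa   = Get-ItemProperty -Path $LsaPath
    $level = $lsa.LmCompatibilityLevel   # $null when the value was never set
    $noLm  = $lsa.NoLMHash               # assumption: value not named in the thread

    # -Enforce honours -WhatIf / -Confirm, so the change can be previewed first.
    if ($Enforce -and $PSCmdlet.ShouldProcess($LsaPath, 'Set LmCompatibilityLevel=5, NoLMHash=1')) {
        Set-ItemProperty -Path $LsaPath -Name LmCompatibilityLevel -Value 5 -Type DWord
        Set-ItemProperty -Path $LsaPath -Name NoLMHash -Value 1 -Type DWord
        $level = 5
        $noLm  = 1
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        LmCompatibilityLevel = if ($null -eq $level) { 'not set (OS default applies)' } else { $level }
        Meaning              = if ($null -eq $level) { '' } else { $levels[[int]$level] }
        AtLevel5             = ($level -eq 5)
        NoLMHash             = ($noLm -eq 1)
    }
}

Test-NtlmHardening                      # report only
# Test-NtlmHardening -Enforce -WhatIf   # preview the registry change without writing it
```

To check remote machines, pass the function body to `Invoke-Command -ComputerName <names> -ScriptBlock ${function:Test-NtlmHardening}`. A value set by Group Policy is reapplied at the next policy refresh, so a local change made with `-Enforce` does not persist against a conflicting GPO.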
