DOCUMENT:Q147706 TITLE :How to Disable LM Authentication on Windows NT PRODUCT :Microsoft Windows NT, Windows 95, Windows for Workgroups 3.11 and LAN Manager 2.2c PROD/VER:2.2 3.11 4.0 95 OPER/SYS:WINDOWS KEYWORD :kberrmsg kbfile ntsecurity NTSrvWkst ntstop -------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows NT Server version 4.0 - Microsoft LAN Manager version 2.2c - Microsoft Windows for Workgroups version 3.11 - Microsoft Windows 95 -------------------------------------------------------------------------- SUMMARY ======= Windows NT supports the following two types of challenge/response authentication: - LanManager (LM) challenge/response - Windows NT challenge/response To allow access to servers that only support LM authentication, Windows NT clients currently send both authentication types. Microsoft developed a patch that supports a new registry key that allows clients to be configured to send only Windows NT authentication. MORE INFORMATION ================ Microsoft has posted the patch at the following Internet location: NOTE: Service Pack 3 must be applied to Windows NT 4.0 prior to applying this fix. ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/frn/NT40/ hotfixes-postSP3/lm-fix The new registry parameter was added to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA Value: LMCompatibilityLevel Value Type: REG_DWORD - Number Valid Range: 0,1,2 Default: 0 Description: This parameter specifies the type of authentication to be used. Level 0 Send LM and Windows NT authentication (default). Level 1 Send Windows NT authentication and LM authentication only if the server requests it. Level 2 Never send LM authentication. If a Windows NT client selects level 2, it cannot connect to servers that support only LM authentication, such as Windows 95 and Windows for Workgroups. NOTE: If the last password change came from a Windows for Workgroups or MS- DOS LanManager 2.x or earlier client, the data needed for Windows NT authentication will not be available on the domain controller and a client selecting level 2 will not be able to connect to Windows NT-based servers. To eliminate LM authentication with protocols other than remote file sharing (for example, Microsoft RPC, RAS, Internet Information Server (IIS), or Internet Explorer -- anything that uses the NTLMSSP), both the client and the server need to have the hotfix installed. After installing the hotfix, perform the following steps to configure the LM compatibility level on a computer running Windows NT Workstation or Server: WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk. 1. Run Registry Editor (Regedt32.exe). 2. From the HKEY_LOCAL_MACHINE subtree, go to the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA 3. Click Add Value on the Edit menu. 4. Add the following two values: Value Name: LMCompatibilityLevel Data Type: REG_DWORD Data: 0 (default), 1, or 2 5. Click OK and then quit Registry Editor. 6. Shut down and restart Windows NT. STATUS ====== Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information. Additional query words: 4.00 prodnt win95 wfwg ============================================================================ THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.