How to Disable LM Authentication on Windows NT

Last reviewed: February 16, 1998
Article ID: Q147706
The information in this article applies to:
  • Microsoft Windows NT Workstation versions 3.51 and 4.0
  • Microsoft Windows NT Server versions 3.51 and 4.0
  • Microsoft LAN Manager version 2.2c
  • Microsoft Windows for Workgroups version 3.11
  • Microsoft Windows 95

SUMMARY

Windows NT supports the following two types of challenge/response authentication:

  • LanManager (LM) challenge/response
  • Windows NT challenge/response

To allow access to servers that only support LM authentication, Windows NT clients currently send both authentication types. Microsoft developed a patch that supports a new registry key that allows clients to be configured to send only Windows NT authentication.

MORE INFORMATION

Microsoft has posted the patch at the following Internet location:

NOTE: Service Pack 3 must be applied to Windows NT 4.0 prior to applying this fix.

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
   hotfixes-postSP3/lm-fix

US and Canadian customers can download the 128-bit version of this hotfix by performing the following steps:

   1. Go to the following web page:

         http://Support.Microsoft.com/Support/NTServer/Content
         /ServicePacks/Where.asp

      NOTE: The above link is one line; it has been wrapped for
      readability.

   2. Click "Windows NT 4.0 Service Pack 3 (128-bit)" and then follow the
      instructions on your screen.

The new registry parameter was added to the following registry key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA

   Value: LMCompatibilityLevel
   Value Type: REG_DWORD - Number
   Valid Range: 0,1,2
   Default: 0

   Description: This parameter specifies the type of authentication to be
   used.

   Level 0 Send LM and Windows NT authentication (default).
   Level 1 Send Windows NT authentication and LM authentication only if the
           server requests it.
   Level 2 Never send LM authentication.

If a Windows NT client selects level 2, it cannot connect to servers that support only LM authentication, such as Windows 95 and Windows for Workgroups.

NOTE: If the last password change came from a Windows for Workgroups or MS- DOS LanManager 2.x or earlier client, the data needed for Windows NT authentication will not be available on the domain controller and a client selecting level 2 will not be able to connect to Windows NT-based servers.

To eliminate LM authentication with protocols other than remote file sharing (for example, Microsoft RPC, RAS, Internet Information Server (IIS), or Internet Explorer -- anything that uses the NTLMSSP), both the client and the server need to have the hotfix installed.

After installing the hotfix, perform the following steps to configure the LM compatibility level on a computer running Windows NT Workstation or Server:

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

  1. Run Registry Editor (Regedt32.exe).

  2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:

           HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
    

  3. Click Add Value on the Edit menu.

  4. Add the following two values:

          Value Name: LMCompatibilityLevel
          Data Type: REG_DWORD
          Data:  0 (default), 1, or 2
    

  5. Click OK and then quit Registry Editor.

  6. Shut down and restart Windows NT.

STATUS

Windows NT 4.0

Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

Windows NT 3.51

Microsoft has confirmed this to be a problem in Windows NT version 3.51. A supported fix is now available, but is not fully regression tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Product Support Services for more information.


Additional query words: 4.00 3.51 win95 wfwg Nph-ntfinal.exe
Keywords : ntsecurity NTSrvWkst ntstop kbbug4.00 kbfix4.00 kberrmsg kbfile
Version : WinNT:3.51,4.0,2.2;Windows:3.11,95
Platform : winnt
Issue type : kbbug
Solution Type : kbfix


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: February 16, 1998
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.