DOCUMENT:Q147706

TITLE   :How to Disable LM Authentication on Windows NT

PRODUCT :Microsoft Windows NT, Windows 95, Windows for Workgroups 3.11 and LAN Manager 2.2c

PROD/VER:2.2 3.11 4.0 95

OPER/SYS:WINDOWS

KEYWORD :kberrmsg kbfile ntsecurity NTSrvWkst ntstop



--------------------------------------------------------------------------

The information in this article applies to:



 - Microsoft Windows NT Workstation version 4.0

 - Microsoft Windows NT Server version 4.0

 - Microsoft LAN Manager version 2.2c

 - Microsoft Windows for Workgroups version 3.11

 - Microsoft Windows 95

--------------------------------------------------------------------------



SUMMARY

=======



Windows NT supports the following two types of challenge/response

authentication:



 - LanManager (LM) challenge/response

 - Windows NT challenge/response



To allow access to servers that only support LM authentication, Windows NT

clients currently send both authentication types. Microsoft developed a

patch that supports a new registry key that allows clients to be configured

to send only Windows NT authentication.



MORE INFORMATION

================



Microsoft has posted the patch at the following Internet location:



NOTE: Service Pack 3 must be applied to Windows NT 4.0 prior to applying

this fix.



   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/

   hotfixes-postSP3/lm-fix



The new registry parameter was added to the following registry key:



   HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA



   Value: LMCompatibilityLevel

   Value Type: REG_DWORD - Number

   Valid Range: 0,1,2

   Default: 0



   Description: This parameter specifies the type of authentication to be

   used.



   Level 0 Send LM and Windows NT authentication (default).

   Level 1 Send Windows NT authentication and LM authentication only if the

           server requests it.

   Level 2 Never send LM authentication.



If a Windows NT client selects level 2, it cannot connect to servers that

support only LM authentication, such as Windows 95 and Windows for

Workgroups.



NOTE: If the last password change came from a Windows for Workgroups or MS-

DOS LanManager 2.x or earlier client, the data needed for Windows NT

authentication will not be available on the domain controller and a client

selecting level 2 will not be able to connect to Windows NT-based servers.



To eliminate LM authentication with protocols other than remote file

sharing (for example, Microsoft RPC, RAS, Internet Information Server

(IIS), or Internet Explorer -- anything that uses the NTLMSSP), both the

client and the server need to have the hotfix installed.



After installing the hotfix, perform the following steps to configure the

LM compatibility level on a computer running Windows NT Workstation or

Server:



WARNING: Using Registry Editor incorrectly can cause serious, system-wide

problems that may require you to reinstall Windows NT to correct them.

Microsoft cannot guarantee that any problems resulting from the use of

Registry Editor can be solved. Use this tool at your own risk.



1. Run Registry Editor (Regedt32.exe).



2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:



       HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA



3. Click Add Value on the Edit menu.



4. Add the following two values:



      Value Name: LMCompatibilityLevel

      Data Type: REG_DWORD

      Data:  0 (default), 1, or 2



5. Click OK and then quit Registry Editor.



6. Shut down and restart Windows NT.



STATUS

======



Microsoft has confirmed this to be a problem in Windows NT version 4.0.

A supported fix is now available, but has not been fully regression-tested

and should be applied only to systems experiencing this specific problem.

Unless you are severely impacted by this specific problem, Microsoft

recommends that you wait for the next Service Pack that contains this fix.

Contact Microsoft Technical Support for more information.



Additional query words: 4.00 prodnt win95 wfwg



============================================================================



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS

PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS

ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES

OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO

EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR

ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,

CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF

MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION

OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES

SO THE FOREGOING LIMITATION MAY NOT APPLY.