Network security: Do not store LAN Manager hash value on next password change

Information

Network security: Do not store LAN Manager hash value on next password change

This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.


Default on Windows Vista: Enabled
Default on Windows XP: Disabled.

Important

Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.

Solution

Policy Path: Security Options
Policy Setting Name: Network security: Do not store LAN Manager hash value on next password change

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(6), CSCv6|16.14

Plugin: Windows

Control ID: bb3fbf08950b39d9aa69cfd48e45b629c050a1349e6ce682f793c6171a23a216