Disabling the LAN Manager Hash Value

We finally got around to disabling the LAN Man Hash value on our domain controller.
As Jesper Johansson and Steve Riley say in Protect your Windows Network,

Ideally this setting will never have any direct impact on security because if it does it means your domain controller has been hacked; but just in case, we recommend disabling storage of LM hashes. In most cases, the primary benefit of this setting is that it breaks compatibility with Windows 9x.

We’ve had it disabled in the test domain since I posted in March. I’m still nervous about whether or not this will break anything. Anything that does break won’t be discovered until the next time the user changes their password. That is because the LM hashes aren’t dropped from the table when this setting is enabled; they are only dropped at the next password change.
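Because the setting only takes effect at each account's next password change, the useful check on a domain controller is twofold: confirm the setting is actually in place, and list the enabled accounts whose password was last set before the setting went live, since those are the ones whose LM hash is still stored. The script below is an added example for this post, not the author's own tooling. It reads the `NoLMHash` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (the registry value behind the Group Policy setting "Network security: Do not store LAN Manager hash value on next password change") and then uses the ActiveDirectory module's `Get-ADUser` with the `PasswordLastSet` attribute. The cutover date is not on the page, so it is taken as a mandatory parameter.

```powershell
<#
  Added example (not part of the original post).
  Audits whether LM hash storage is disabled and which enabled accounts
  still carry an LM hash because their password predates the change.
  Assumes: run on (or with RSAT against) a domain controller, with the
  ActiveDirectory module available.
#>
param(
    # Date the NoLMHash setting was enabled in the domain (assumed; supply your own).
    [Parameter(Mandatory = $true)]
    [datetime]$SettingEnabledOn
)

# 1. Verify the registry value that the Group Policy setting writes.
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$noLmHash = (Get-ItemProperty -Path $lsaPath -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash

if ($noLmHash -eq 1) {
    Write-Host "NoLMHash = 1: LM hashes will not be stored at the next password change."
} else {
    Write-Warning "NoLMHash is not set on this machine; LM hashes are still being stored."
}

# 2. Find enabled accounts whose password was last set before the cutover.
#    Their LM hash has not yet been purged, regardless of the setting.
Import-Module ActiveDirectory

$stillHashed = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object {
        # PasswordLastSet is null for "must change at next logon"; skip those explicitly
        $_.PasswordLastSet -and $_.PasswordLastSet -lt $SettingEnabledOn
    } |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet

$stillHashed | Format-Table -AutoSize
'{0} enabled account(s) have not changed their password since {1:d} and still have an LM hash stored.' -f `
    @($stillHashed).Count, $SettingEnabledOn
```

Run it as, for example, `.\Audit-LMHash.ps1 -SettingEnabledOn '2005-03-01'` (a constructed date). The accounts it lists are the ones to watch: nothing about them changes until they rotate their password, which is also the moment any LM-only compatibility problem the post worries about would surface.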

One Comment

  1. Lanman hash shoe drops

    Regular readers might recall last month we finally disabled storage of the lanman hash in our Windows domain. It was about time, too. This week, I ran SAMInside and found that I couldn’t crack any passwords for accounts where only…
