TITLE :How to Disable LM Authentication on Windows NT
PRODUCT :Microsoft Windows NT, Windows 95, Windows for Workgroups 3.11
and LAN Manager 2.2c
PROD/VER:2.2 3.11 4.0 95
KEYWORD :kberrmsg kbfile ntsecurity NTSrvWkst ntstop
The information in this article applies to:
- Microsoft Windows NT Workstation version 4.0
- Microsoft Windows NT Server version 4.0
- Microsoft LAN Manager version 2.2c
- Microsoft Windows for Workgroups version 3.11
- Microsoft Windows 95
Windows NT supports the following two types of challenge/response
- LanManager (LM) challenge/response
- Windows NT challenge/response
To allow access to servers that only support LM authentication, Windows
clients currently send both authentication types. Microsoft developed a
patch that supports a new registry key that allows clients to be
to send only Windows NT authentication.
Microsoft has posted the patch at the following Internet location:
NOTE: Service Pack 3 must be applied to Windows NT 4.0 prior to applying
The new registry parameter was added to the following registry key:
Value Type: REG_DWORD - Number
Valid Range: 0,1,2
Description: This parameter specifies the type of authentication to
Level 0 Send LM and Windows NT authentication (default).
Level 1 Send Windows NT authentication and LM authentication only if
server requests it.
Level 2 Never send LM authentication.
If a Windows NT client selects level 2, it cannot connect to servers
support only LM authentication, such as Windows 95 and Windows for
NB: This means that the only secure network is a 100% NT network and if
there are any Win95, Win 3.1, Win 3.11 on the network, M$ cannot
guarantee security. JoeB, any comment?
NOTE: If the last password change came from a Windows for Workgroups or
DOS LanManager 2.x or earlier client, the data needed for Windows NT
authentication will not be available on the domain controller and a
selecting level 2 will not be able to connect to Windows NT-based
To eliminate LM authentication with protocols other than remote file
sharing (for example, Microsoft RPC, RAS, Internet Information Server
(IIS), or Internet Explorer -- anything that uses the NTLMSSP), both the
client and the server need to have the hotfix installed.
After installing the hotfix, perform the following steps to configure
LM compatibility level on a computer running Windows NT Workstation or
WARNING: Using Registry Editor incorrectly can cause serious,
problems that may require you to reinstall Windows NT to correct them.
Microsoft cannot guarantee that any problems resulting from the use of
Registry Editor can be solved. Use this tool at your own risk.
1. Run Registry Editor (Regedt32.exe).
2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:
3. Click Add Value on the Edit menu.
4. Add the following two values:
Value Name: LMCompatibilityLevel
Data Type: REG_DWORD
Data: 0 (default), 1, or 2
5. Click OK and then quit Registry Editor.
6. Shut down and restart Windows NT.
Microsoft has confirmed this to be a problem in Windows NT version 4.0.
A supported fix is now available, but has not been fully
and should be applied only to systems experiencing this specific
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this
Contact Microsoft Technical Support for more information.
Additional query words: 4.00 prodnt win95 wfwg
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.