Configure password encryption level in Windows 9x
A low password encryption level is used by default to give a higher level of compatibility, but it makes it easy for an intruder with a network sniffer to discover other users' usernames and passwords.
Note: before Win95/Win98/WinMe can be configured to use a higher level of encryption, one has to install the Directory Services Client, which is found on the Win2k install CD (X:\Clients\Win9x\Dsclient.exe); Win95 also requires that the Winsock2 update and at least DUN 1.3 are installed.
If doing domain logon, learn how the DSClient uses DNS lookup, and check that the DNS server is properly configured, or it can cause slow logon, as the DNS lookup has to time out before it falls back to NetBIOS.
Configure the Lan Manager Compatibility level in Challenge/Response:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
LMCompatibility = 3 (Default 0)
Level 0 = Client uses LM and NTLM
Level 3 = Client only uses NTLMv2
More Info MS KB239869
Configure the LanManager Security Support Provider (SSP):
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0]
NtlmMinClientSec = 0x20080030 (Default 0)
0x20080030 = 128 bit, NTLM2 (NTLMv2 session security), message confidentiality, message integrity
Note: to reach 128 bit encryption one has to install Internet Explorer with 128 bit encryption before installing the Directory Services Client.
More Info MS KB239869
The LanManager can be configured not to require Challenge/Response (CHAP) but to also allow the Password Authentication Protocol (PAP), which sends the password in plain text:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
EnablePlainTextPassword = 1 (Default = 0, and the most secure)
More Info MS KB185612
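The three settings above can be checked against a registry export instead of by hand. The following Python script is an added example, not code from the original page or from Microsoft: it parses a REGEDIT4 export (a constructed sample is embedded), decodes the NtlmMinClientSec bits using the flag values documented in MS KB239869, and reports which of this page's hardened settings are missing. The key paths and value names are the ones given above; the individual bit values are an assumption taken from KB239869.

```python
import re

# NtlmMinClientSec bits (MS KB239869); the page's 0x20080030 sets all four.
NTLM_MIN_SEC_FLAGS = {0x00000010: "message integrity", 0x00000020: "message confidentiality",
                      0x00080000: "NTLMv2 session security", 0x20000000: "128-bit encryption"}
HARDENED_LM_COMPAT = 3   # client answers with NTLMv2 only, never LM or NTLM
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
VNETSUP = r"hkey_local_machine\system\currentcontrolset\services\vxd\vnetsup"

# Constructed sample (not a real export): 'regedit /e' output for the three keys
# on a Win9x box still at the defaults, i.e. the weak configuration.
SAMPLE_REG_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"LMCompatibility"=dword:00000000
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0]
"NtlmMinClientSec"=dword:00000000
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
"EnablePlainTextPassword"=dword:00000001
"""

def parse_reg_dwords(text):
    """Map (key, value name), both lower-cased, to int for every dword in a REGEDIT4 export."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        else:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m and key:
                values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def decode_min_sec(value):
    """Names of the protections a NtlmMinClientSec value demands of every NTLM exchange."""
    return [name for bit, name in NTLM_MIN_SEC_FLAGS.items() if value & bit]

def audit(text):
    """Return findings against this page's hardened settings; [] means all three are in place."""
    v, findings = parse_reg_dwords(text), []
    lm = v.get((LSA, "lmcompatibility"), 0)                 # a missing value acts like the default 0
    if lm < HARDENED_LM_COMPAT:
        findings.append(f"LMCompatibility={lm}: client still sends LM/NTLM responses")
    sec = v.get((LSA + r"\msv1_0", "ntlmminclientsec"), 0)
    missing = [n for n in NTLM_MIN_SEC_FLAGS.values() if n not in decode_min_sec(sec)]
    if missing:
        findings.append(f"NtlmMinClientSec=0x{sec:08x}: not enforced: {', '.join(missing)}")
    if v.get((VNETSUP, "enableplaintextpassword"), 0):
        findings.append("EnablePlainTextPassword=1: plaintext passwords allowed on the wire")
    return findings
```

Feed it the output of `regedit /e` for the three keys; an empty result means the client will only send NTLMv2 responses with signing, sealing and 128-bit session security, and will refuse plaintext passwords.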
More Info MS KB187228
More Info MS KB249841
More Info MS KB288358 (Download original DsClient.exe)
More Info MS KB283261 (Flaw in DsClient.exe)
More Info MS KB323455 (Description of Hotfix for DsClient.exe) (Replaces MS KB323466)
More Info MS KB555038 (Using DsClient.exe)
Related: Description of password encryption level over network