Configure password encryption level in Windows NT

19 September 2003 by Snakefoot
A low password encryption level is used by default for better compatibility, but it makes it easy for an intruder with a network sniffer to discover other users' usernames and passwords.

Configure the Lan Manager Compatibility level (WinNT4 SP6+):

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
LMCompatibilityLevel = 3 (Default 0)

List of possible Lan Manager Compatibility levels

Configure the NT LanManager (NTLM) Security Support Provider (SSP) (WinNT4 SP4+):

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0]
NtlmMinClientSec = 0x20080030 (Default 0)
NtlmMinServerSec = 0x20080030 (Default 0)

List of possible Security Support Provider levels

The LanManager redirector can be configured so that it does not require Challenge/Response (CHAP) but also allows the Password Authentication Protocol (PAP) (WinNT4 SP3+):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
EnablePlainTextPassword = 1 (Default 0, which is the most secure)

More info: MS KB Q166730
More info: MS KB Q256322

The LanManager workstation service can be configured so that it does not require Challenge/Response (CHAP) but also allows the Password Authentication Protocol (PAP) (Win2k+):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters]
EnablePlainTextPassword = 1 (Default 0, which is the most secure)

More info: MS KB Q224287

Related: Description of password encryption level over network

More info: MS KB Q236414
More info: MS KB Q318266
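As an added example (not from the original post), the following Python script audits a snapshot of the three settings above against the recommended values, decoding the NtlmMinClientSec/NtlmMinServerSec bitmask into its documented NTLM SSP flags. The registry snapshot is a constructed dict; on a real host you would read the values with winreg or reg.exe.

```python
# Added example: audit the NT password-encryption registry settings described
# in the post. Flag bits are the documented NTLM SSP minimum-security bits.
NTLM_SSP_FLAGS = {
    0x00000010: "message integrity (signing)",
    0x00000020: "message confidentiality (sealing)",
    0x00080000: "NTLMv2 session security",
    0x20000000: "128-bit encryption",
    0x80000000: "56-bit encryption",
}

LM_COMPAT_LEVELS = {
    0: "send LM & NTLM responses",
    1: "send LM & NTLM, use NTLMv2 session security if negotiated",
    2: "send NTLM response only",
    3: "send NTLMv2 response only",
    4: "send NTLMv2 only, server refuses LM",
    5: "send NTLMv2 only, server refuses LM & NTLM",
}

RECOMMENDED_SSP = 0x20080030  # value recommended in the post


def decode_ssp_flags(value):
    """Return the names of the NTLM SSP requirement bits set in value."""
    return [name for bit, name in NTLM_SSP_FLAGS.items() if value & bit]


def audit(settings):
    """settings: registry value name -> data; a missing name means default 0.
    Returns (value name, finding) tuples for anything weaker than the post recommends."""
    findings = []
    level = settings.get("LMCompatibilityLevel", 0)
    if level < 3:
        findings.append(("LMCompatibilityLevel",
                         f"{level} ({LM_COMPAT_LEVELS[level]}); set to 3 or higher"))
    for name in ("NtlmMinClientSec", "NtlmMinServerSec"):
        missing = RECOMMENDED_SSP & ~settings.get(name, 0)  # required bits not set
        if missing:
            findings.append((name, "missing " + ", ".join(decode_ssp_flags(missing))))
    if settings.get("EnablePlainTextPassword", 0) != 0:
        findings.append(("EnablePlainTextPassword", "plain-text passwords allowed; set to 0"))
    return findings


# Constructed sample: a host left at the NT defaults with plain text enabled.
SAMPLE_DEFAULTS = {"LMCompatibilityLevel": 0, "NtlmMinClientSec": 0,
                   "NtlmMinServerSec": 0, "EnablePlainTextPassword": 1}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_DEFAULTS):
        print(f"{name}: {finding}")
```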

Updated: 3 July 2008
