Configure password encryption level in Windows NT

A low password encryption level is used by default to give a higher level of compatibility, but it makes it easy for an intruder with a network sniffer to discover other users' usernames and passwords.

Configure the LAN Manager Compatibility level (WinNT4 SP6+):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
LMCompatibilityLevel = 3 (Default 0)

List of possible Lan Manager Compatibility levels

Configure the NT LAN Manager (NTLM) Security Support Provider (SSP) (WinNT4 SP4+):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
NtlmMinClientSec = 0x20080030 (Default 0)
NtlmMinServerSec = 0x20080030 (Default 0)

List of possible Security Support Provider levels

The LAN Manager client (redirector) can also be configured so that it does not require Challenge/Response (CHAP) and instead allows plaintext passwords (Password Authentication Protocol, PAP) (WinNT4 SP3+):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
EnablePlainTextPassword = 1 (Default = 0, which is the most secure)

More Info MS KB166730
More Info MS KB256322

The LAN Manager client (workstation service) can also be configured so that it does not require Challenge/Response (CHAP) and instead allows plaintext passwords (Password Authentication Protocol, PAP) (Win2k+):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
EnablePlainTextPassword = 1 (Default = 0, which is the most secure)

More Info MS KB224287
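To check the settings above on an exported registry file, here is an added auditing example (not code from the original page): it parses a constructed `reg export` sample of the three keys, decodes the NtlmMinClientSec/NtlmMinServerSec bitmask into the SSP requirements each bit stands for, and reports every value that falls short of the hardened settings given above. The sample data and the helper names (parse_reg, decode_ntlm_sec, audit) are assumptions of this example.

```python
import re
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:20080030
"NtlmMinServerSec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnablePlainTextPassword"=dword:00000001
"""  # constructed sample of a `reg export` of the keys the page discusses, not a real host
LM_LEVELS = {0: "send LM and NTLM responses", 1: "send LM and NTLM, NTLMv2 session security if negotiated",
             2: "send NTLM response only", 3: "send NTLMv2 response only",
             4: "send NTLMv2 only, DC refuses LM", 5: "send NTLMv2 only, DC refuses LM and NTLM"}
# Bits of NtlmMinClientSec / NtlmMinServerSec; 0x20080030 is the value the page recommends.
NTLM_SEC_FLAGS = {0x00000010: "message integrity (signing)", 0x00000020: "message confidentiality (sealing)",
                  0x00080000: "NTLMv2 session security", 0x20000000: "128-bit encryption",
                  0x80000000: "56-bit encryption"}
HARDENED_NTLM_SEC = 0x20080030

def parse_reg(text):
    """Return {(key, value_name): int} for every dword value in a .reg export (keys/names lower-cased)."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def decode_ntlm_sec(value):  # names of the NTLM SSP requirements set in a NtlmMin*Sec bitmask
    return [name for bit, name in NTLM_SEC_FLAGS.items() if value & bit]

def audit(values):
    """Compare parsed values with the page's hardened settings; return a list of findings."""
    def get(key_suffix, name):  # a missing value behaves like the documented default of 0
        return next((v for (k, n), v in values.items() if k.endswith(key_suffix) and n == name.lower()), 0)
    findings = []
    lm = get("control\\lsa", "LMCompatibilityLevel")
    if lm < 3:
        findings.append(f"LMCompatibilityLevel={lm} ({LM_LEVELS.get(lm, 'unknown')}); want 3 or higher")
    for name in ("NtlmMinClientSec", "NtlmMinServerSec"):
        v = get("control\\lsa\\msv1_0", name)
        missing = decode_ntlm_sec(HARDENED_NTLM_SEC & ~v)  # required bits that v does not set
        if missing:
            findings.append(f"{name}=0x{v:08x} lacks: {', '.join(missing)}")
    for svc in ("rdr", "lanmanworkstation"):  # NT4 redirector key and Win2k+ workstation key
        if get(f"services\\{svc}\\parameters", "EnablePlainTextPassword") == 1:
            findings.append(f"{svc}: EnablePlainTextPassword=1 lets the client send plaintext passwords")
    return findings
```

Run `audit(parse_reg(open("export.reg").read()))` on a real export to get the list of findings; an empty list means every setting on this page is met.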

Related Description of password encryption level over network

More Info MS KB236414
More Info MS KB318266

Updated: 3 July 2008
