Configure password encryption level in Windows NT
A low password encryption level is used by default for greater compatibility, but it makes it easy for an intruder with a network sniffer to discover other users' usernames and passwords.
Configure the Lan Manager Compatibility level (WinNT4 SP6+):
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA]
LMCompatibilityLevel = 3 (Default 0)
Configure the NT LanManager (NTLM) Security Support Provider (SSP) (WinNT4 SP4+):
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\MSV1_0]
NtlmMinClientSec = 0x20080030 (Default 0)
NtlmMinServerSec = 0x20080030 (Default 0)
The LanManager can be configured to not require Challenge/Response (CHAP) and to also allow the Password Authentication Protocol (PAP) (WinNT4 SP3+):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
EnablePlainTextPassword = 1 (Default = 0 and the most secure)
More Info MS KB166730
More Info MS KB256322
The LanManager can be configured to not require Challenge/Response (CHAP) and to also allow the Password Authentication Protocol (PAP) (Win2k+):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters]
EnablePlainTextPassword = 1 (Default = 0 and the most secure)
More Info MS KB224287
Related: Description of password encryption level over network
More Info MS KB236414
More Info MS KB318266
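To check a machine against the values above, the following added example (not part of the original tip) audits a registry export and reports which settings fall short, including which bits of 0x20080030 are missing from NtlmMinClientSec and NtlmMinServerSec. It assumes the input is a .reg text export of the keys listed on this page; the bit names are the standard meanings of those flags and do not appear on the page, and the sample export is constructed.

```python
import re

# Bits of NtlmMinClientSec / NtlmMinServerSec that together make 0x20080030.
NTLM_FLAGS = {0x10: "message integrity", 0x20: "message confidentiality",
              0x80000: "NTLMv2 session security", 0x20000000: "128-bit encryption"}
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SVC = r"hkey_local_machine\system\currentcontrolset\services"

def check_level(v):
    return None if v >= 3 else f"level {v}, page sets 3"
def check_mask(v):
    missing = [name for bit, name in NTLM_FLAGS.items() if not v & bit]
    return "missing " + ", ".join(missing) if missing else None
def check_plaintext(v):
    return "plaintext passwords (PAP) allowed" if v else None

CHECKS = {
    (LSA, "lmcompatibilitylevel"): check_level,
    (LSA + r"\msv1_0", "ntlmminclientsec"): check_mask,
    (LSA + r"\msv1_0", "ntlmminserversec"): check_mask,
    (SVC + r"\rdr\parameters", "enableplaintextpassword"): check_plaintext,
    (SVC + r"\lanmanworkstation\parameters", "enableplaintextpassword"): check_plaintext,
}

def parse_reg(text):
    """Return {(key, value_name): int} for every dword in a .reg export."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            key = m.group(1).lower()  # registry paths are case-insensitive
        elif key and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return {(key, value_name): finding}; an absent value counts as the default 0."""
    values = parse_reg(text)
    found = {t: check(values.get(t, 0)) for t, check in CHECKS.items()}
    return {t: msg for t, msg in found.items() if msg}

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00080030
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnablePlainTextPassword"=dword:00000001
'''
```

Calling audit(SAMPLE) returns one finding per weak setting, keyed by lower-cased registry path and value name.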