Network security: Do not store LAN Manager hash value on next password change
|ID: oval:gov.nist.usgcb.windowsseven:def:100||Date: (C)2012-04-13 (M)2018-02-16|
|Class: COMPLIANCE||Family: windows|
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
Default on Windows Vista and above: Enabled
Default on Windows XP: Disabled.
Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa!NoLMHash
|Microsoft Windows 7|