Disable LAN Manager Authentication

Part of the document "hackers beware the ultimate guide to network security" part 5 (pages 55 - 58)

Based on how quickly someone can crack a password, most people's first reaction is to disable LAN Manager authentication and so increase the time it takes to brute force a password. As logical as this sounds, there are some downsides. The first is that if you have clients running an operating system that only knows LAN Manager authentication and you disable it, they will no longer be able to connect to the system. Operating systems that use LAN Manager authentication include Windows 95 and Windows 3.1. If this is not an issue and all your systems run Windows 98 or NT, then the change will not impact you; even so, verify it on a test client first, because Windows 95 and 98 machines need Microsoft's Directory Services Client add-on before they can send NTLMv2. The key factor to remember is:

Think and plan before you act. So many companies, when it comes to security, have knee-jerk reactions that cause a number of unnecessary issues. The old saying “measure twice, cut once” goes a long way, not only for having a secure system, but also for having a robust system.

I had a client call me on a Monday and say that some of his users could not connect to the network. I asked the usual questions: "Did you change anything, and is there a pattern to who can and cannot log on?" What made this hard to diagnose was that I received the typical response: "No, we did not change anything, and there is no logic to who cannot log on to the network." After going on site and performing some investigation, I noticed that none of the NT users were having problems, but all the Windows 95 users could not connect. It turned out that an administrator had read a document stating that turning off LAN Manager authentication would strengthen security, so he reconfigured the registry on all the domain controllers. The administrator was partially correct that it would improve security, but he failed to realize the negative aspect that certain clients would not be able to authenticate to the domain.

My recommendation is to upgrade all your clients to either NT or Windows 98, so that you can disable LAN Manager authentication and increase your security. The main reason to do this is the concept of the path of least resistance. Remember, an attacker is always going to find the easiest way into a network and use that as his attack point. In this case, LAN Manager is the long pole in the tent: the LM hash uppercases the password, pads it to 14 characters and splits it into two 7-character halves, each used independently as a DES key, so an attacker cracks two short, case-insensitive pieces rather than one 14-character password. As you have seen, in a worst-case scenario, LAN Manager hashes can be cracked in a couple of weeks. On the other hand, according to Microsoft Knowledge Base Articles, because NT authentication (NTLM) hashes all 14 characters and preserves upper and lowercase, it would take, on average, 2,200 years to find the keys and 5,500 years to find the password using a 200 MHz Pentium Pro computer. Even with 1,000 computers working together, it would take 5.5 years to find the passwords. I don't know about you, but I like several years or several hundred years over several days or weeks.

For additional details on disabling LAN Manager authentication, see Microsoft Knowledge Base Article Q147706, which can be found at www.microsoft.com by clicking Knowledge Base, which is located under Support. The Microsoft Knowledge Base can also be found by going to http://search.support.microsoft.com/kb/. We cover an overview of the registry keys that need to be modified in Chapter 11, “Fundamentals of Microsoft NT,” but for a detailed description, see the Knowledge Base Article. Microsoft does a great job in its Knowledge Base Articles documenting issues and explaining how to fix problems.

One word of caution: Be extremely careful whenever you modify the registry. If you accidentally modify or delete a key, you could render NT inoperable, and the only way to fix it would be to reload the operating system. My suggestion is if you’ve never modified the registry before, have someone with experience watch you or walk you through the process the first couple of times.

For clarification, the following information is taken from Microsoft Knowledge Base Article Q147706. To disable LAN Manager authentication and control NTLM security, you modify the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

For maximum control, there are various levels of authentication to choose from. The following is the key information and the different levels:

Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0-5
Default: 0
Description: This parameter specifies the type of authentication to be used.

Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
Level 1 - Send LM response and NTLM response; use NTLMv2 session security if negotiated
Level 2 - Send NTLM authentication only
Level 3 - Send NTLMv2 authentication only
Level 4 - DC refuses LM authentication
Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)

Note that Levels 0 through 3 govern what a machine sends when it acts as a client, while Levels 4 and 5 govern what a domain controller will accept, so the two sides have to be planned together: a Level 5 DC rejects anything other than NTLMv2 no matter what level the client is set to.

You can also set the minimum security negotiated for applications. That is done through the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0

The following are the values for this key:

Value: NtlmMinClientSec
Value Type: REG_DWORD - Number
Valid Range: the logical 'or' of any of the following values: 0x00000010, 0x00000020, 0x00080000, 0x20000000
Default: 0

Value: NtlmMinServerSec
Value Type: REG_DWORD - Number
Valid Range: same as NtlmMinClientSec
Default: 0

Description: These parameters specify the minimum security to be used, by the client side (NtlmMinClientSec) and the server side (NtlmMinServerSec) respectively:

0x00000010 Message integrity
0x00000020 Message confidentiality
0x00080000 NTLMv2 session security
0x20000000 128 bit encryption

Because the value is a bitmask, requiring NTLMv2 session security together with 128-bit encryption means writing 0x20080000, and a connection that cannot negotiate every flag you require fails rather than falling back to weaker settings.

To disable LAN Manager authentication, you need to be running Service Pack 4 (SP4) or higher. If you are not sure about the impact disabling LAN Manager authentication can have on your system, you can start at a lower level and work your way up to Level 4 or Level 5. Also, it is always recommended that before you make any change to a production system, you implement it first on a test system.
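The following script is an added example and is not from the book or from Microsoft's Knowledge Base. It puts the procedure above into PowerShell, which did not exist on NT 4 (the author would have used regedit), but the LMCompatibilityLevel and MSV1_0 keys are unchanged on current Windows. By default it only audits and decodes the current values; with -Apply it exports a backup of the Lsa key first, as the registry warning above suggests, and refuses to jump more than one level at a time so each step can be tested against every client type. The script name, the backup path and the -RequireNtlmv2SessionSecurity switch are this example's own choices.

```powershell
# Added example, not the book's code: audit and stage LMCompatibilityLevel and the
# MSV1_0 minimum session-security flags described in KB Q147706.
# Usage (hypothetical file name, run from an elevated prompt):
#   .\Set-LmCompat.ps1                              # audit only
#   .\Set-LmCompat.ps1 -Apply -TargetLevel 2        # raise one level, back up first
#   .\Set-LmCompat.ps1 -Apply -TargetLevel 5 -RequireNtlmv2SessionSecurity
param(
    [ValidateRange(0, 5)]
    [int]$TargetLevel = 2,                    # start low and work up to 4 or 5
    [switch]$Apply,
    [switch]$RequireNtlmv2SessionSecurity,    # also set NtlmMinClientSec/NtlmMinServerSec
    [string]$BackupPath = "$env:TEMP\lsa-before-change.reg"   # assumed location
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Meaning of each LMCompatibilityLevel value, from KB Q147706.
$levelText = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'Send LM and NTLM responses; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'DC refuses LM authentication'
    5 = 'DC refuses LM and NTLM authentication (accepts only NTLMv2)'
}

# Bit flags shared by NtlmMinClientSec and NtlmMinServerSec.
$secFlags = @{
    0x00000010 = 'Message integrity'
    0x00000020 = 'Message confidentiality'
    0x00080000 = 'NTLMv2 session security'
    0x20000000 = '128-bit encryption'
}

function Get-DwordOrDefault($path, $name, $default) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $default }   # value absent: the KB default (0) applies
    return [int]$item.$name
}

function Format-SecFlags([int]$value) {
    # Decode the bitmask into the flag names that are set, lowest bit first.
    $names = foreach ($entry in ($secFlags.GetEnumerator() | Sort-Object Key)) {
        if (($value -band $entry.Key) -ne 0) { $entry.Value }
    }
    if (-not $names) { return 'none (0)' }
    return ('0x{0:X8}: {1}' -f $value, ($names -join ', '))
}

# --- Audit: what is in effect now -------------------------------------------
$current = Get-DwordOrDefault $lsa 'LMCompatibilityLevel' 0
Write-Host ("LMCompatibilityLevel = {0}  ({1})" -f $current, $levelText[$current])
Write-Host ("NtlmMinClientSec     = {0}" -f (Format-SecFlags (Get-DwordOrDefault $msv10 'NtlmMinClientSec' 0)))
Write-Host ("NtlmMinServerSec     = {0}" -f (Format-SecFlags (Get-DwordOrDefault $msv10 'NtlmMinServerSec' 0)))

if (-not $Apply) {
    Write-Host "Audit only. Re-run with -Apply -TargetLevel $TargetLevel to change the setting."
    return
}

# --- Change: back up first, then move one level at a time -------------------
# Export the key so it can be restored with "reg import" if a client type stops logging on.
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupPath /y | Out-Null
Write-Host "Backup written to $BackupPath"

if ($TargetLevel -gt ($current + 1)) {
    throw "Refusing to jump from level $current to $TargetLevel; raise it one level at a time and re-test clients in between."
}

Set-ItemProperty -Path $lsa -Name 'LMCompatibilityLevel' -Value $TargetLevel -Type DWord
Write-Host ("LMCompatibilityLevel set to {0} ({1})." -f $TargetLevel, $levelText[$TargetLevel])

if ($RequireNtlmv2SessionSecurity) {
    # Require NTLMv2 session security plus 128-bit encryption on both sides:
    # 0x00080000 -bor 0x20000000 = 0x20080000.
    $minSec = 0x00080000 -bor 0x20000000
    Set-ItemProperty -Path $msv10 -Name 'NtlmMinClientSec' -Value $minSec -Type DWord
    Set-ItemProperty -Path $msv10 -Name 'NtlmMinServerSec' -Value $minSec -Type DWord
    Write-Host ("NtlmMinClientSec and NtlmMinServerSec set to {0}." -f (Format-SecFlags $minSec))
}

Write-Host "Reboot, then confirm that every client type (including any Windows 9x machines) can still log on before raising the level again."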
