
LmCompatibilityLevel is not working


ba7eth

Flightless Bird
I have set both the Windows 2003 domain controller and the Windows XP SP3 workstation
to LmCompatibilityLevel 5 (NTLMv2 response only/refuse LM and NTLM).

I also set NoLMHash on both machines (DC and workstation), then I rebooted
both.

I also changed the password for the administrator as well as other users to
make sure that no LM hash is being stored/used.

The problem is that, using a sniffer, I can see that an LM hash is being sent. Can
anyone please help figure out why this is the case?

Thanks,
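One thing to check before concluding that an LM hash is on the wire: at LmCompatibilityLevel 3 and above a Windows client puts an LMv2 response in the LmChallengeResponse field of the NTLM AUTHENTICATE_MESSAGE. That field is 24 bytes, exactly like a classic LM response, so a sniffer can label it "LM response", but it is HMAC-MD5 over the NTLMv2 key plus an 8-byte client challenge and involves no LM hash at all. The following is an added example, not code from the original post or from Microsoft: a small parser that pulls the LM and NT response fields out of a Type 3 message and names them by shape (LMv1, LMv2, NTLM2 session nonce, NTLMv1, NTLMv2), together with a builder and an LMv2/NTLMv2 computation per MS-NLMP so the sample message is realistic. The NT hash, challenges, user, domain and target info are constructed for the demo and are not real credentials.

```python
"""Classify the LM and NT response fields of an NTLM AUTHENTICATE_MESSAGE (Type 3).

Added example for the thread above, not code from the original post. Message layout
follows MS-NLMP 2.2.1.3; all sample inputs below are constructed for the demo.
"""
import hashlib
import hmac
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200


def _field(buf, off):
    """Read a Len(2)/MaxLen(2)/Offset(4) field descriptor and return the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, off)
    return bytes(buf[start:start + length])


def parse_authenticate(msg):
    """Extract LM response, NT response, domain and user from a Type 3 message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    return {"lm": _field(msg, 12), "nt": _field(msg, 20),
            "domain": _field(msg, 28).decode(enc), "user": _field(msg, 36).decode(enc),
            "flags": flags}


def classify(lm, nt):
    """Name both responses by their shape; a sniffer's 'LM response' label does not."""
    if len(nt) == 0:
        nt_kind = "none"
    elif len(nt) == 24:
        nt_kind = "NTLMv1"        # DES-based, derived from the NT hash
    elif len(nt) > 24 and nt[16:18] == b"\x01\x01":
        nt_kind = "NTLMv2"        # NTProofStr (HMAC-MD5) + NTLMv2_CLIENT_CHALLENGE blob
    else:
        nt_kind = "unknown"

    if len(lm) == 0 or lm == b"\x00" * len(lm):
        lm_kind = "none"
    elif len(lm) == 24 and nt_kind == "NTLMv2":
        lm_kind = "LMv2"          # HMAC-MD5 + 8-byte client challenge; no LM hash involved
    elif len(lm) == 24 and lm[8:] == b"\x00" * 16:
        lm_kind = "NTLM2-session-nonce"  # 8-byte client nonce padded with zeros (NTLMv1 + session security)
    elif len(lm) == 24:
        lm_kind = "LMv1"          # DES-based response derived from the LM hash
    else:
        lm_kind = "unknown"
    return lm_kind, nt_kind


def classify_message(msg):
    p = parse_authenticate(msg)
    lm_kind, nt_kind = classify(p["lm"], p["nt"])
    return {"user": p["user"], "domain": p["domain"], "lm_len": len(p["lm"]),
            "nt_len": len(p["nt"]), "lm": lm_kind, "nt": nt_kind}


def build_authenticate(lm, nt, domain, user,
                       flags=NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_UNICODE):
    """Build a minimal Type 3 message: 64-byte header (no Version/MIC) followed by the payload."""
    blobs = (lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b"")
    fields, payload = b"", b""
    for blob in blobs:  # order: LM, NT, domain, user, workstation, session key
        fields += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def lmv2_ntlmv2_responses(nt_hash, user, domain, server_challenge, client_challenge,
                          timestamp, target_info):
    """LMv2 and NTLMv2 responses per MS-NLMP 3.3.2, keyed from the NT hash (MD4 of the password)."""
    ntowf_v2 = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    lmv2 = hmac.new(ntowf_v2, server_challenge + client_challenge, hashlib.md5).digest() + client_challenge
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge + b"\x00" * 4
            + target_info + b"\x00" * 4)
    ntlmv2 = hmac.new(ntowf_v2, server_challenge + temp, hashlib.md5).digest() + temp
    return lmv2, ntlmv2


# Constructed sample inputs (not real credentials): NT hash of "password", fixed challenges,
# zero FILETIME, and a TargetInfo holding only MsvAvNbDomainName "CORP" plus MsvAvEOL.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("a1a2a3a4a5a6a7a8")
TIMESTAMP = bytes(8)
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00\x00\x00\x00"

LMV2, NTLMV2 = lmv2_ntlmv2_responses(NT_HASH, "ba7eth", "CORP", SERVER_CHALLENGE,
                                     CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
# What a level-5 client sends: a 24-byte LMv2 field next to a longer NTLMv2 field.
LEVEL5_MESSAGE = build_authenticate(LMV2, NTLMV2, "CORP", "ba7eth")

if __name__ == "__main__":
    print(classify_message(LEVEL5_MESSAGE))
```

To apply this to a real capture, export the NTLMSSP blob of the Type 3 message (from the SMB Session Setup, HTTP Authorization header, or whatever carried it) and pass the raw bytes to classify_message. A 24-byte LM field next to an NT field longer than 24 bytes whose 17th and 18th bytes are 0x01 0x01 is LMv2 beside NTLMv2; only a 24-byte LM field next to a 24-byte NT field (and not of the nonce-plus-zeros form) is a genuine LM response.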
 

John John - MVP

Flightless Bird
ba7eth wrote:
> I have set both the Windows 2003 domain controller and the Windows XP SP3 workstation
> to LmCompatibilityLevel 5 (NTLMv2 response only/refuse LM and NTLM).
>
> I also set NoLMHash on both machines (DC and workstation), then I rebooted
> both.
>
> I also changed the password for the administrator as well as other users to
> make sure that no LM hash is being stored/used.
>
> The problem is that, using a sniffer, I can see that an LM hash is being sent. Can
> anyone please help figure out why this is the case?


I think that the LM hash is still being stored, although I'm not sure
why it would still be sent. Take a look at the following GPO:

Network security: Do not store LAN Manager hash value on next password
change

and

Network security: LAN Manager authentication level

John
 

ba7eth

Flightless Bird
Thank you, John, for responding. As I mentioned in my post, the
LmCompatibilityLevel is set to 5, which is
"Send NTLMv2 response only\refuse LM & NTLM".

This makes the value of "Network security: LAN Manager authentication
level" 5, which is supposed to be the most secure mode of all
applicable levels.

Why I still see LM with the above settings as well as NoLMHash is puzzling
me.
 

ba7eth

Flightless Bird
Thank you, John, for your reply.

As I mentioned earlier, I have "LmCompatibilityLevel" set to level 5, so
"Network security: LAN Manager authentication level" is set to level 5,
which is "Send NTLMv2 response only\refuse LM & NTLM".

What puzzles me is that, in addition to the above settings, NoLMHash
is also set, and yet I can see that the LM hash is stored?
 

John John - MVP

Flightless Bird
ba7eth wrote:
> Thank you, John, for responding. As I mentioned in my post, the
> LmCompatibilityLevel is set to 5, which is
> "Send NTLMv2 response only\refuse LM & NTLM".
>
> This makes the value of "Network security: LAN Manager authentication
> level" 5, which is supposed to be the most secure mode of all
> applicable levels.
>
> Why I still see LM with the above settings as well as NoLMHash is puzzling
> me.


Is NoLMHash set to 1?

Maybe you should ask the folks in the Server group.

John
 