LmCompatibilityLevel is not working

ba7eth

I have set both the Windows 2003 domain controller and the Windows XP SP3 workstation
to LmCompatibilityLevel 5 (NTLMv2 response only/refuse LM and NTLM).

I also set NoLMHash on both machines (DC and workstation), then I rebooted
both.

I also changed the password for the administrator as well as other users to
make sure that no LM hash is being stored/used.

The problem is that, using a sniffer, I can see that the LM hash is being sent. Can
anyone please help figure out why this is the case?

Thanks,
 
ba7eth said:
I have set both the Windows 2003 domain controller and the Windows XP SP3 workstation
to LmCompatibilityLevel 5 (NTLMv2 response only/refuse LM and NTLM).

I also set NoLMHash on both machines (DC and workstation), then I rebooted
both.

I also changed the password for the administrator as well as other users to
make sure that no LM hash is being stored/used.

The problem is that, using a sniffer, I can see that the LM hash is being sent. Can
anyone please help figure out why this is the case?

I think that the LM hash is still being stored, although I'm not sure
why it would still be sent. Take a look at the following GPO:

Network security: Do not store LAN Manager hash value on next password
change

and

Network security: LAN Manager authentication level

John
 
Thank you John for responding back. As I mentioned in my post, the
LmCompatibilityLevel is set to 5, which is
"Send NTLMv2 response only\refuse LM & NTLM"

Which makes the value of the "Network security: LAN Manager authentication
level" to be set to 5, which is supposed to be the most secure mode of all
applicable levels.

Why I still see LM with the above settings as well as NoLMHash is puzzling
me.
 
Thank you John for your reply.

As I mentioned earlier, I have the "LmCompatibilityLevel" set to level 5, so
the "Network security: LAN Manager authentication level" is set to level 5,
which is "Send NTLMv2 response only\refuse LM & NTLM"

What puzzles me is that in addition to the above settings applied, NoLMHash
is also set and yet I can see that LM hash is stored?
 
ba7eth said:
Thank you John for responding back. As I mentioned in my post, the
LmCompatibilityLevel is set to 5, which is
"Send NTLMv2 response only\refuse LM & NTLM"

Which makes the value of the "Network security: LAN Manager authentication
level" to be set to 5, which is supposed to be the most secure mode of all
applicable levels.

Why I still see LM with the above settings as well as NoLMHash is puzzling
me.

The NoLMHash is set to 1?

Maybe you should ask the folks in the Server group.

John
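
For checking what a sniffer capture really contains, here is an added example (not part of the thread or any poster's code) that parses an NTLMSSP AUTHENTICATE message and reports what its LM and NT response fields hold. Per MS-NLMP, an NTLMv2 client still fills the LM field with a 24-byte LMv2 response that is not computed from the LM hash; the function names and sample bytes are constructed for illustration.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
ESS_FLAG = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
DES_STYLE = "DES-based (LM or copied NTLMv1)"

def _field(msg, pos):
    """Return the bytes a (Len, MaxLen, BufferOffset) descriptor points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Return (lm_field_kind, nt_field_kind) for an AUTHENTICATE (type 3) message."""
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm = _field(msg, 12)                       # LmChallengeResponseFields
    nt = _field(msg, 20)                       # NtChallengeResponseFields
    flags = struct.unpack_from("<I", msg, 60)[0]
    if len(nt) > 24 and nt[16:18] == b"\x01\x01":
        # NTLMv2: 16-byte proof, then a blob starting RespType=1, HiRespType=1.
        # The LM field then holds an LMv2 response (HMAC-MD5 + client challenge)
        # or 24 zero bytes; neither is derived from the LM hash.
        lm_kind = "LMv2" if len(lm) == 24 and lm != bytes(24) else "empty/zero"
        return lm_kind, "NTLMv2"
    if len(nt) == 24:
        if flags & ESS_FLAG:
            # LM field carries an 8-byte client challenge padded with zeros.
            return "client challenge", "NTLMv1 with extended session security"
        return (DES_STYLE if len(lm) == 24 else "empty/zero"), "NTLMv1"
    if len(nt) == 0 and len(lm) == 24:
        return DES_STYLE, "none"
    return "unknown", "unknown"

def build_sample(lm, nt, flags=0):
    """Constructed test message: 64-byte header, then the LM and NT responses."""
    end = 64 + len(lm) + len(nt)
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm), len(lm), 64)
    hdr += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    hdr += struct.pack("<HHI", 0, 0, end) * 4  # domain, user, workstation, session key
    return hdr + struct.pack("<I", flags) + lm + nt

if __name__ == "__main__":
    ntlmv2 = build_sample(b"\xaa" * 24, b"\xbb" * 16 + b"\x01\x01" + bytes(30))
    print(classify_authenticate(ntlmv2))
```

A capture that classifies as `("LMv2", "NTLMv2")` shows a non-empty LM field even though the client is sending NTLMv2 only.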
 