Prevent Windows From Storing LAN Manager Hashes With GPO

Dante Falls
5 min read · Nov 16, 2023


If you work in IT Support, you should be practicing good password security. You, of course, want to ensure users create secure passwords, but you will also have to make some security configurations on domain computers. For instance, attackers are constantly trying to obtain user passwords, so you want to make sure that password storage is also secure. In this article, we will cover exactly that.

On a Windows system, Active Directory maintains the domain security principals, while the Security Account Manager (SAM) database maintains local security principals. When you set or change a user’s password, if that password contains fewer than 15 characters, Windows will generate both a LAN Manager (LM) hash and an NTLM hash. These hashes are stored in either the local SAM database or Active Directory.

When compared to the NTLM hash, the LM hash is relatively weak and prone to brute-force attacks. If you are in an Active Directory domain environment, you can use a Group Policy Object to disable the storage of LM hashes throughout your domain. We will now set up a Group Policy Object that prevents Windows from storing LM hashes of user passwords.

Creating Our Group Policy Object

Open up the “Group Policy Management” tool. I want to link this Group Policy Object (GPO) to my entire domain, so I will right-click my domain and choose “Create a GPO in this domain, and Link it here…”. I will name my Group Policy Object “NoLM_Hashing” so it is clearly marked for other administrators. Click “OK” to save your GPO. Reference the images below for help.

Creating Our GPO To Disable LAN Manager Hashing

Now that you have created your GPO, you need to edit it. Right-click the GPO and choose “Edit”, which will bring up the “Group Policy Management Editor”. Reference the images below.

Editing Our “NoLM_Hashing” GPO

You are now editing the “NoLM_Hashing” GPO and you need to locate the proper setting to enable it. The setting that disables LM hashing of passwords is located in the following path:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

From here, double-click the “Network security: Do not store LAN Manager hash value on next password change” option and then tick “Define this policy setting”. Then simply select the option to “Enable” this security policy. Now click “Apply”, then “OK”, and your policy is configured. Reference the image below.

Enabling The No LAN Manager Hash Setting

You are now done editing your GPO and you can exit the “Group Policy Management Editor” tool. To be safe, you should verify your new GPO’s settings in the “Group Policy Management” tool. Simply click on the “NoLM_Hashing” GPO and then navigate to the “Settings” tab. From here, you can see that the GPO’s setting has been enabled. Reference the image below.

The “NoLM_Hashing” GPO Has One Computer Configuration Policy Enabled

Active Directory can take between 90 and 120 minutes to update Group Policy settings. To immediately update and enforce the settings, you can run PowerShell as an Administrator and execute the following command:

gpupdate /force

Reference the image below if you get stuck.

Using PowerShell To Immediately Update GPO Settings
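The same GPO can be built and verified from PowerShell instead of clicking through the Group Policy Management console. This is an added example and not part of the original article; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the session runs as a domain administrator on a domain-joined machine. The “Do not store LAN Manager hash value” security option is backed by the NoLMHash registry value, so the script writes that value into the GPO and then reads it back, first from the GPO and then from the local machine after a refresh.

```powershell
# Added example (not from the original article): create, link and verify the
# "NoLM_Hashing" GPO from PowerShell. Assumes RSAT GroupPolicy/ActiveDirectory
# modules and a domain-admin session on a domain-joined computer.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'NoLM_Hashing'      # same name the article uses
$lsaKey  = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
$domain  = Get-ADDomain

# 1. Create the GPO, or reuse one another administrator already created.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Stop storing LM hashes on next password change'
}

# 2. Link it at the domain root, as the article does, unless already linked.
$alreadyLinked = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $domain.DistinguishedName -LinkEnabled Yes | Out-Null
}

# 3. The GUI option "Network security: Do not store LAN Manager hash value on
#    next password change" sets the NoLMHash DWORD under the Lsa key.
#    Set-GPRegistryValue stores it as a registry-based policy (registry.pol),
#    so the GPO report lists it under registry settings rather than under
#    Security Options, but clients end up with the same value applied.
Set-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName 'NoLMHash' `
    -Type DWord -Value 1 | Out-Null

# 4. Read the value back out of the GPO to confirm it was written.
$stored = Get-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName 'NoLMHash'
"GPO '$gpoName' sets NoLMHash = $($stored.Value) (expect 1)"

# 5. After 'gpupdate /force' on a client, confirm the policy actually landed
#    by reading the live registry value on this computer.
$local = Get-ItemProperty -Path "Registry::$lsaKey" -Name 'NoLMHash' -ErrorAction SilentlyContinue
if ($local -and $local.NoLMHash -eq 1) {
    'This computer will no longer store LM hashes on the next password change.'
} else {
    'NoLMHash is not applied here yet; run gpupdate /force and check again.'
}
```

Existing LM hashes are not removed by the policy; they disappear only when each user’s password is next changed, so a forced password change (or a check that all passwords have been rotated since the GPO applied) completes the job.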

Congratulations! Our GPO has been enabled and Windows no longer saves LM hashes for user passwords. Note the wording of the setting, “on next password change”: LM hashes that are already stored remain until each user’s password is changed. Your Active Directory domain is more secure than it was before. This is a step in the right direction, but there are many more GPOs we can enforce to secure our Active Directory environment. That’s why you should follow me for more ways to secure Active Directory.

If you are new to Information Technology, or are trying to break into the technology industry, this is great practice. Active Directory is a directory service used by System Administrators all over the world. So becoming proficient in Active Directory is crucial if you want to get a job in IT Support.

Thank you for learning and please press the “Clap” button, it is similar to a “Like” button and will help other people see and learn from this article. You can also share this article with anyone you know who is trying to get a job in IT. I have multiple articles teaching Active Directory Administration and I will link some of them below. You can also find me on LinkedIn HERE.
