How do I disable LanManager challenge/response in NT?

Windows NT Servers with Service Pack 4 and above support three authentication types,

By default when a client connects to a server both LM and NTLM are used in case the server does not support NTLM however LM is far weaker than NTLM so you may wish to disable LM for security reasons.

Editing the registry key described allows the client to select which authentication is will use but ensure is NTLM2 is select SP4 is applied to all servers. The setting below is required on the clients and servers so you may wish to automate this via a logon script or policy

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. From the edit menu select New - DWORD value
  4. Enter a name of LMCompatibilityLevel and press Enter
  5. Double click the new value and set to one of the following
    0 - Send LM response and NTLM response; never use NTLMv2 session security
    1 - Use NTLMv2 session security if negotiated
    2 - Send NTLM response only
    3 - Send NTLMv2 response only
    4 - DC refuses LM responses
    5 - DC refuses LM and NTLM responses (accepts only NTLMv2)
  6. Close the registry editor
  7. Reboot the machine

1st Security Agent

Mail Bomber

Security Administrator

PC Lockup

Access Lock

Access Administrator Pro

ABC Security Protector

1st Security Agent

Mail Bomber

Security Administrator for Windows

PC Lockup

Access Lock

Access Administrator

ABC Security Protector

http//www.softheap.com