Wow, I've been digging into the LAN Manager settings and how things are used in recent versions of Windows (2000, 2003, XP & 2008). There's a lot of bad information out there!
I'll pick today on the NoLMHash settings since I've been looking at Windows 2000 today.
First, if I just google "nolmhash" I get the following links in the top 3:
How to prevent Windows from storing a LAN manager hash of your ...
- 4 visits - 9:56am
Method 2: Implement the NoLMHash Policy by Editing the Registry ... Important The NoLMHash registry key and its functionality were not tested or documented ...
support.microsoft.com/kb/299656 - Similar pages - Note this
NoLMHash
NoLMHash. HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Data type, Range, Default value. REG_DWORD. 0 | 1. 0. Description. Determines whether Security Accounts ...
www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/96415.mspx - 7k - Cached - Similar pages - Note this
NoLMHash
NoLMHash. Updated: March 28, 2003. NoLMHash. HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Data type, Range, Default value. REG_DWORD. 0 | 1. 0. Description ...
technet2.microsoft.com/windowsserver/en/library/008f982b-a1b0-4a73-a781-d46a49f8498a1033.mspx - 8k - Cached - Similar pages - Note this
Pasted from <http://www.google.com/search?q=nolmhash&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a>
The last two are resource kit references for Windows Server 2000 and 2003 respectively. Both show the same information, specifically that NoLMHash is a dword value.
NoLMHash
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Data type | Range | Default value |
REG_DWORD | 0 | 1 | 0 |
Description
Determines whether Security Accounts Manager (SAM) stores the LAN Manager (LM) hash of the user's password. The LM hash of the user's password is necessary to authenticate downlevel clients that cannot use NTLM or NTLMv2 authentication.
Value | Meaning |
0 | SAM stores the message digest of the user's password. |
1 | SAM does not store the message digest of the user's password. |
Pasted from <http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/96415.mspx>
Great you say…. But, if you look at the first referenced returned by google, you get the following information for configuring the NoLMHash Policy on Windows 2000.
Step 3. On the Edit menu, click Add Key, type NoLMHash, and then press ENTER.
Pasted from <http://support.microsoft.com/kb/299656>
Hey it’s a Key!!!! There is an note that says its ok for the Key and Value to exist in the same policy template.
So for Windows 2003 & XP it’s a dword value…. On Windows 2000 it might be a key!
This week I'll be testing the following to see MS actually does with these values.
1. Windows 2000 - NoLMHash Key verses value
2. Windows 2000 - Does an upgrade convert the Key to a value.
3. Windows 2003/XP - Does implementing using group policy take immediate effect without requiring a reboot (KB299656 seems to indicate that).
4. Impact on LM Hash History - KB299656 says that Windows 2000 the history will be removed as you change passwords. For Windows 2003 & XP the history is cleared when you complete the steps for editing the registry. No indication is giving of the impact on the LM Hash history when using Group Policy.