
All of the computers in our domain are running Windows XP/Server 2003 and above (with one exception, a Win2Ksp4 server, which is not a domain controller). I intend to disable the LM hashes via group policy as indicated in KB299656, and want to ensure that there won't be any unforeseen problems or side-effects. Does anyone have experience with performing this change? Are there any caveats that I should keep in mind?

Bigbio2002

2 Answers


One caveat kept us from doing just this for a really long time: Old Samba versions.

We had some older Solaris servers about that weren't new enough to have the version of Samba that had NTLM support. I no longer work there, but I believe all of those have finally been retired.

Samba added NTLM support a long, long time ago, and even NTLMv2 support is pretty long in the tooth by now. If you're still running some Samba servers older than v3.0, take a close look at the exact version to be sure that it can handle NTLM.

On our "turn off LM" checklist, "Upgrade Old Samba versions" was the last thing to be cleared.

If you don't have any, then removing LM is strongly indicated. Encouraged even! Everything modern speaks NTLM.

sysadmin1138
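
The Samba version check from the answer above, as an added example that is not part of the original post: it flags every host whose reported Samba version is older than 3.0 (the answer's threshold), or whose version cannot be read, for a manual look before LM is turned off. The host names and version strings are constructed sample data, and the input format (one host followed by its `smbd -V` output per line) is an assumption.

```python
import re

# Constructed sample inventory: host name, then whatever `smbd -V` printed there.
SAMPLE_INVENTORY = """\
sol-files01   Version 2.2.8a
sol-files02   Version 3.0.24
lnx-print01   Version 4.15.13-Ubuntu
sol-legacy03  Version 2.0.7
lnx-tmp02     smbd: command not found
"""

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)(?:\.(\d+))?")
REVIEW_BELOW = (3, 0)  # threshold from the answer: "older than v3.0"


def parse_version(text):
    """Return (major, minor, patch) from smbd -V output, or None if unreadable."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) if part else 0 for part in match.groups())


def classify(inventory):
    """Map each host to 'review', 'pass' (not flagged by this rule) or 'unknown'."""
    results = {}
    for line in inventory.splitlines():
        fields = line.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        version = parse_version(fields[1] if len(fields) > 1 else "")
        if version is None:
            results[host] = "unknown"   # no readable version: check by hand
        elif version[:2] < REVIEW_BELOW:
            results[host] = "review"    # pre-3.0: confirm NTLM support first
        else:
            results[host] = "pass"
    return results


def blockers(inventory):
    """Hosts that keep the 'upgrade old Samba' checklist item open."""
    return sorted(h for h, status in classify(inventory).items() if status != "pass")


if __name__ == "__main__":
    for host in blockers(SAMPLE_INVENTORY):
        print("check before disabling LM:", host)
```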

You will be fine; it's a good change to perform.