Hubbry Logo
LAN ManagerLAN ManagerMain
Open search
LAN Manager
Community hub
LAN Manager
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
LAN Manager
LAN Manager
LAN Manager
View on Wikipedia
from Wikipedia

LAN Manager
DeveloperMicrosoft, 3Com
OS familyOS/2
Working stateDiscontinued
Source modelClosed source
Initial release1987; 38 years ago (1987)
Final release2.2a / 1994; 31 years ago (1994)
Marketing targetLocal area networking
Update methodRe-installation
Package managerNone
Supported platformsx86
LicenseProprietary
Preceded byMS-Net, Xenix-NET, 3+Share
Succeeded byMicrosoft Windows NT 3.1

LAN Manager is a discontinued network operating system (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heavily modified version of MS-DOS.

History

[edit]

The LAN Manager OS/2 operating system was co-developed by IBM and Microsoft, using the Server Message Block (SMB) protocol. It originally used SMB atop either the NetBIOS Frames (NBF) protocol or a specialized version of the Xerox Network Systems (XNS) protocol. These legacy protocols had been inherited from previous products such as MS-Net for MS-DOS, Xenix-NET for MS-Xenix, and the afore-mentioned 3+Share. A version of LAN Manager for Unix-based systems called LAN Manager/X was also available. LAN Manager/X was the basis for Digital Equipment Corporation's Pathworks product for OpenVMS, Ultrix and Tru64.[1]

Despite support from 3Com, IBM, Digital, and Digital Communications Associates, PC wrote in 1989, LAN Manager "has made a very small impression on the market and continues to receive the cold shoulder from buyers" compared to Novell NetWare. The combined companies "pose a strong potential threat", however, the magazine added.[2] In 1990, Microsoft announced LAN Manager 2.0 with a host of improvements, including support for TCP/IP as a transport protocol for SMB, using NetBIOS over TCP/IP (NBT). The last version of LAN Manager, 2.2, which included an MS-OS/2 1.31 base operating system, remained Microsoft's strategic server system until the release of Windows NT Advanced Server in 1993.[3]

Versions

[edit]
  • 1987 – MS LAN Manager 1.0 (Basic/Enhanced)
  • 1989 – MS LAN Manager 1.1
  • 1991 – MS LAN Manager 2.0
  • 1992 – MS LAN Manager 2.1
  • 1992 – MS LAN Manager 2.1a
  • 1993 – MS LAN Manager 2.2
  • 1994 – MS LAN Manager 2.2a

Many vendors shipped licensed versions, including:

Password hashing algorithm

[edit]

The LM hash is computed as follows:[4][5]

  1. The user's password is restricted to a maximum of fourteen characters.[Notes 1]
  2. The user's password is converted to uppercase.
  3. The user's password is encoded in the System OEM code page.[6]
  4. This password is NULL-padded to 14 bytes.[7]
  5. The “fixed-length” password is split into two 7-byte halves.
  6. These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream with the most significant bit first, and inserting a parity bit after every seven bits (so 1010100 becomes 10101000). This generates the 64 bits needed for a DES key. (A DES key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The parity bits added in this step are later discarded.)
  7. Each of the two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”,[Notes 2] resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and PaddingMode should be set to NONE.
  8. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

Security weaknesses

[edit]

LAN Manager authentication uses a particularly weak method of hashing a user's password known as the LM hash algorithm, stemming from the mid-1980s when viruses transmitted by floppy disks were the major concern.[8] Although it is based on DES, a well-studied block cipher, the LM hash has several weaknesses in its design.[9] This makes such hashes crackable in a matter of seconds using rainbow tables, or in a few minutes using brute force. Starting with Windows NT, it was replaced by NTLM, which is still vulnerable to rainbow tables, and brute force attacks unless long, unpredictable passwords are used, see password cracking. NTLM is used for logon with local accounts except on domain controllers since Windows Vista and later versions no longer maintain the LM hash by default.[8] Kerberos is used in Active Directory Environments.

The major weaknesses of LAN Manager authentication protocol are:[10]

  1. Password length is limited to a maximum of 14 characters chosen from the 95 ASCII printable characters.
  2. Passwords are not case sensitive. All passwords are converted into uppercase before generating the hash value. Hence LM hash treats PassWord, password, PaSsWoRd, PASSword and other similar combinations same as PASSWORD. This practice effectively reduces the LM hash key space to 69 characters.
  3. A 14-character password is broken into 7+7 characters and the hash is calculated for each half separately. This way of calculating the hash makes it dramatically easier to crack, as the attacker only needs to brute-force 7 characters twice instead of the full 14 characters. This makes the effective strength of a 14-character password equal to only , or twice that of a 7-character password, which is 3.7 trillion times less complex than the theoretical strength of a 14-character single-case password. As of 2020, a computer equipped with a high-end graphics processor (GPUs) can compute 40 billion LM-hashes per second.[11] At that rate, all 7-character passwords from the 95-character set can be tested and broken in half an hour; all 7-character alphanumeric passwords can be tested and broken in 2 seconds.
  4. If the password is 7 characters or less, then the second half of hash will always produce same constant value (0xAAD3B435B51404EE). Therefore, a password is less than or equal to 7 characters long can be identified visibly without using tools (though with high speed GPU attacks, this matters less).
  5. The hash value is sent to network servers without salting, making it susceptible to man-in-the-middle attacks such as replay the hash. Without salt, time–memory tradeoff pre-computed dictionary attacks, such as a rainbow table, are feasible. In 2003, Ophcrack, an implementation of the rainbow table technique, was published. It specifically targets the weaknesses of LM encryption, and includes pre-computed data sufficient to crack virtually all alphanumeric LM hashes in a few seconds. Many cracking tools, such as RainbowCrack, Hashcat, L0phtCrack and Cain, now incorporate similar attacks and make cracking of LM hashes fast and trivial.

Workarounds

[edit]

To address the security weaknesses inherent in LM encryption and authentication schemes, Microsoft introduced the NTLMv1 protocol in 1993 with Windows NT 3.1. For hashing, NTLM uses Unicode support, replacing LMhash=DESeach(DOSCHARSET(UPPERCASE(password)), "KGS!@#$%") by NThash=MD4(UTF-16-LE(password)), which does not require any padding or truncating that would simplify the key. On the negative side, the same DES algorithm was used with only 56-bit encryption for the subsequent authentication steps, and there is still no salting. Furthermore, Windows machines were for many years configured by default to send and accept responses derived from both the LM hash and the NTLM hash, so the use of the NTLM hash provided no additional security while the weaker hash was still present. It also took time for artificial restrictions on password length in management tools such as User Manager to be lifted.

While LAN Manager is considered obsolete and current Windows operating systems use the stronger NTLMv2 or Kerberos authentication methods, Windows systems before Windows Vista/Windows Server 2008 enabled the LAN Manager hash by default for backward compatibility with legacy LAN Manager and Windows ME or earlier clients, or legacy NetBIOS-enabled applications. It has for many years been considered good security practice to disable the compromised LM and NTLMv1 authentication protocols where they aren't needed.[12] Starting with Windows Vista and Windows Server 2008, Microsoft disabled the LM hash by default; the feature can be enabled for local accounts via a security policy setting, and for Active Directory accounts by applying the same setting via domain Group Policy. The same method can be used to turn the feature off in Windows 2000, Windows XP and NT.[12] Users can also prevent a LM hash from being generated for their own password by using a password at least fifteen characters in length.[7]—NTLM hashes have in turn become vulnerable in recent years to various attacks that effectively make them as weak today as LanMan hashes were back in 1998.[citation needed]

Reasons for continued use of LM hash

[edit]

Many legacy third party SMB implementations have taken considerable time to add support for the stronger protocols that Microsoft has created to replace LM hashing because the open source communities supporting these libraries first had to reverse engineer the newer protocols—Samba took 5 years to add NTLMv2 support, while JCIFS took 10 years.

Availability of NTLM protocols to replace LM authentication
Product NTLMv1 support NTLMv2 support
Windows NT 3.1 RTM (1993) Not supported
Windows NT 3.5 RTM (1994) Not supported
Windows NT 3.51 RTM (1995) Not supported
Windows NT 4 RTM (1996) Service Pack 4[13] (October 25, 1998)
Windows 95 Not supported Directory services client (released with Windows 2000 Server, February 17, 2000)
Windows 98 RTM Directory services client (released with Windows 2000 Server, February 17, 2000)
Windows 2000 RTM (February 17, 2000) RTM (February 17, 2000)
Windows Me RTM (September 14, 2000) Directory services client (released with Windows 2000 Server, February 17, 2000)
Samba ? Version 3.0[14] (September 24, 2003)
JCIFS Not supported Version 1.3.0 (October 25, 2008)[15]
IBM AIX (SMBFS) 5.3 (2004)[16] Not supported as of v7.1[17]

Poor patching regimes subsequent to software releases supporting the feature becoming available have contributed to some organisations continuing to use LM Hashing in their environments, even though the protocol is easily disabled in Active Directory itself.

Lastly, prior to the release of Windows Vista, many unattended build processes still used a DOS boot disk (instead of Windows PE) to start the installation of Windows using WINNT.EXE, something that requires LM hashing to be enabled for the legacy LAN Manager networking stack to work.

See also

[edit]

Notes

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

LAN Manager

View on Grokipedia
from Grokipedia
LAN Manager is a developed by for the operating system, first released in 1987, that enabled file and printer sharing, user authentication, and domain management across local area networks using the () protocol. Developed in collaboration with , LAN Manager originated as an OEM product licensed to third-party vendors such as , Nokia Data Systems, and Ungermann-Bass, building on earlier Microsoft networking technologies like MS-NET and XENIX-NET. It was introduced as a competitor to , supporting both DOS and clients with configurable protocol stacks including NetBEUI and TCP/IP, and compatibility with various network interface cards from vendors like and . Key versions include LAN Manager 1.0 (Basic and Enhanced editions) in 1987, 1.1 in 1989, 2.0 in 1991, 2.1 in 1992, 2.2 in 1993, and 2.2c (client version) in late 1994, with OEM variants like HP LAN Manager/X for UNIX systems such as . The system utilized a protocol manager for handling MAC and protocol drivers, including , and integrated with features like the High-Performance File System (HPFS386) for 32-bit storage management. LAN Manager played a pivotal role in Microsoft's early enterprise networking strategy, co-developed with IBM as part of OS/2 Extended Edition, and its authentication mechanisms evolved into the NT LAN Manager (NTLM) protocol introduced with Windows NT 3.1 in 1993. It supported remote booting, SQL Server integration, and domain-based user and resource management, influencing subsequent Windows Server technologies.

Introduction

Overview

LAN Manager is a (NOS) developed by in cooperation with Corporation and announced in 1987, first released in 1988 for the operating system, designed to enable file, printer, and resource sharing over local area networks (LANs). It provided a client-server that allowed multiple users to access shared resources transparently, supporting both OS/2 servers and clients while facilitating centralized management of network services. Primarily targeted at small to medium-sized business networks, LAN Manager integrated seamlessly with and clients, enabling cost-effective deployment in workgroup environments without requiring dedicated hardware for every user. This made it suitable for environments needing straightforward resource sharing, such as office file servers and print queues, while offering user-level and share-level security to control access. At its core, LAN Manager was built on the (SMB) protocol, ensuring backward compatibility with earlier Microsoft networking products like MS-NET and allowing interoperability across diverse systems via and other transports. Initially positioned as a direct competitor to , it emphasized support for multi-vendor hardware, including adapters from , , and , to broaden adoption in heterogeneous LAN setups. It later transitioned into the networking foundation for as 's successor platform.

Historical Significance

In the late 1980s, the rapid emergence of PC-based local area networks (LANs) revolutionized business computing by facilitating resource sharing, such as files and printers, across affordable personal computers connected via Ethernet or Token-Ring technologies. This shift was driven by falling hardware costs and the need for distributed processing in enterprises, with global LAN product sales surpassing $5 billion in 1989 and projected to double by the mid-1990s. Amid this growth, competition intensified among network operating systems, where Novell's established dominance with over 70% market share by the early 1990s, far outpacing rivals like and Microsoft's . Microsoft's LAN Manager, announced in 1987 in partnership with for and first released in 1988, marked the company's ambitious push into enterprise networking but encountered limited commercial adoption. Bundled with later iterations like version 2.1 alongside MS OS/2 1.3, it captured only about 8% of the market by 1991, hindered by NetWare's superior performance, broader vendor ecosystem, and established reliability in PC environments. Despite these challenges, LAN Manager's integration with positioned it as a foundational tool for early multiserver setups, though it remained a niche player overshadowed by NetWare's commanding presence. LAN Manager's enduring influence within the Microsoft ecosystem stemmed from its implementation of the (SMB) protocol atop , which standardized file and print sharing for OS/2-based networks and set the stage for broader adoption. This architecture directly informed Windows NT's networking stack, where SMB was ported alongside components like named pipes originally developed for LAN Manager, enabling seamless evolution toward integrated enterprise solutions. These advancements contributed to the foundations of by embedding SMB as a core mechanism for domain-based resource access in subsequent Windows releases. The product's long-term legacy lies in pioneering client-server models that made networked computing accessible to mainstream businesses, fostering the shift from standalone PCs to interconnected environments. Although deprecated, remnants of LAN Manager's SMB framework persist in modern Windows implementations, supporting and file-sharing protocols essential to contemporary enterprise networking. For instance, LAN Manager 2.0's addition of TCP/IP support in 1990 briefly enhanced its cross-protocol viability before Microsoft's pivot to NT.

Development and History

Origins and Partnerships

LAN Manager originated as a collaborative effort between and Corporation, initiated in 1987 to create an advanced . This built upon 3Com's existing networking expertise, particularly leveraging their 3Server hardware—a dedicated server platform introduced earlier in the mid-1980s for running network services like the 3+Share software. The joint development aimed to produce a robust solution for enterprise networking, with 3Com serving as a key original equipment manufacturer (OEM) for early distributions. It was licensed to additional third-party vendors including , Nokia Data Systems, and Ungermann-Bass. The system was specifically designed for IBM's operating system, with 1.0 released in December 1987, as an extension of Microsoft's earlier MS-NET product from 1984. MS-NET had provided basic networking for environments but was limited to single-user workstations without centralized management. LAN Manager advanced this by introducing multi-user server capabilities on , enabling scalable file and print sharing in larger workgroups. This integration with stemmed from the close collaboration between and , who co-developed the OS/2 platform, ensuring seamless compatibility for business applications. Partnerships expanded beyond the initial Microsoft-3Com alliance to include for deeper integration and (DEC) for DECnet compatibility, facilitating across diverse hardware and protocols. Additional collaborations with hardware vendors ensured broad support for Ethernet and other LAN technologies, allowing LAN Manager to run on various server platforms without proprietary lock-in. These alliances were crucial for achieving hardware in heterogeneous environments. The primary motivations for LAN Manager's development were to overcome the constraints of single-user networking, such as limited and lack of centralized control in MS-NET. By introducing domain-based administration and dedicated server roles, it enabled efficient of multiple users and resources, positioning it as a direct competitor to Novell in enterprise settings. This shift toward server-centric architecture addressed the growing demand for reliable, multi-user LANs in professional environments.

Versions and Evolution

Microsoft LAN Manager 1.0 was initially released in October 1987 as an OEM product, providing basic support for SMB over protocols and targeting environments for file and print sharing. Developed in partnership with , this version focused on local area networking for workstations and servers, with early implementations like 3Com's 3+Open appearing in 1988. In 1989, LAN Manager 1.1 enhanced integration with 1.1, introducing improved client support for both DOS and systems while retaining as the primary transport. This update emphasized better multi-protocol handling, including (XNS) compatibility, to broaden in heterogeneous networks. The major evolution came with in 1990, which added TCP/IP stack support via Microsoft TCP/IP-32, shifting from reliance on XNS and toward broader internetworking compatibility. This release also introduced domain controllers for centralized user and resource management, marking a step toward scalable enterprise networking on 1.21. Subsequent updates, including 2.1 in November 1991 and 2.1a in August 1992, focused on performance optimizations and bug fixes to enhance reliability in server environments. By 1993, LAN Manager 2.2 extended support to Windows clients, incorporating MS-OS/2 1.31 as the base OS and further refining TCP/IP integration for mixed-platform deployments. The final update, 2.2a in 1994, delivered additional bug fixes and stability improvements, primarily for MS-DOS workstations via LAN Manager for MS-DOS. Platform expansions during this period included ports to MS-DOS for client use and a UNIX variant, LAN Manager/X, developed with 3Com for System V environments to enable cross-OS file sharing. Development of LAN Manager ceased after the 2.2a release in 1994, with mainstream support ending by 1996 as —released in 1993—assumed the role of Microsoft's primary , incorporating evolved authentication like .

Technical Architecture

Networking Protocols

LAN Manager primarily utilized the (SMB) protocol layered over Frames (NBF) to handle session management and data transfer across the network. This combination enabled reliable communication for file and printer sharing in early client-server environments, with SMB providing the application-layer semantics and NBF encapsulating NetBIOS datagrams over Ethernet or other LAN media. In its initial version 1.0, LAN Manager supported alternative protocol stacks, including a specialized implementation of the (XNS) protocol suite for transport, which allowed compatibility with Xerox-based networks alongside the standard option. Starting with , enhancements introduced TCP/IP integration, supporting NetBEUI (NetBIOS Extended User Interface) as an intermediary for over TCP/IP or direct IP transport for SMB sessions, broadening interoperability with IP-based infrastructures. Key protocol features included opportunistic locking (oplocks) within SMB, which permitted clients to cache file data locally for improved performance in single-user scenarios while coordinating with the server to break locks if conflicts arose. The redirector architecture facilitated client-server interactions by intercepting calls and routing them transparently over , abstracting remote resources as local drives. Name resolution relied on broadcast-based mechanisms, where clients sent broadcasts to discover servers by name on the local segment. For physical layer interoperability, LAN Manager was designed to operate over both Ethernet and networks, leveraging the Network Driver Interface Specification (NDIS) for modular driver support that enabled third-party network interface cards without kernel modifications. This API-driven approach ensured adaptability to diverse hardware while maintaining consistent upper-layer protocol behavior.

Core Services

LAN Manager provided essential services for resource sharing and management in enterprise environments, enabling centralized control over files, printers, and user access across interconnected workstations. These core services were built on the platform and facilitated seamless integration for multi-user operations, supporting up to 255 concurrent users per server through configurable limits. The file services in LAN Manager offered a hierarchical file system based on the High-Performance File System (HPFS386), a 32-bit structure with enhanced caching for efficient data handling and support for long filenames. Access to shared resources was managed through access control lists (ACLs), which allowed administrators to define granular permissions such as read (R), write (W), create (C), execute (X), delete (D), alter permissions (A), and take ownership (P) for directories and files, with inherited permissions propagating down the hierarchy. For redundancy, the system included volume shadowing capabilities via and duplexing, ensuring data availability in case of hardware failures. These services were delivered primarily over the (SMB) protocol for transparent file operations. Print services featured a centralized spooler with robust queue management, allowing multiple queues per printer to handle jobs with varying priorities, including options to hold, release, delete, and monitor status for efficient workflow control. Administrators could configure form types and enable automatic font downloads for compatibility with PostScript and LaserJet printers, while raw data redirection supported non-standard devices through network ports like LPT1-LPT3. This setup enabled shared printing across domains, reducing the need for local attachments and streamlining output in networked offices. Administrative tools in LAN Manager centered on domain-based user account management, where primary and backup domain controllers maintained centralized and group policies to enforce settings like password expiration rules and access restrictions. User and group accounts were created and overseen via command-line utilities, such as the NET commands (e.g., NET USER for account creation, NET GROUP for membership), which also supported server monitoring through real-time status displays and performance metrics. Additional monitoring included integration with uninterruptible power supplies (UPS) for alert notifications and tools like NET WHO to track active users, providing administrators with comprehensive oversight without graphical interfaces in early versions. Client integration was achieved through redirectors in the Workstation service, which enabled and workstations to access shared resources transparently as if they were local drives or ports, using commands like NET USE to map network paths (e.g., \\server\share to a drive letter). This supported both enhanced and basic redirector modes for compatibility with diskless workstations, allowing boot-up and operation without local storage while maintaining full access to file and print services.

Authentication System

Password Hashing Algorithm

The LAN Manager (LM) password hashing algorithm processes user passwords to generate a 16-byte hash value used for authentication in network environments. The input password is first converted to uppercase letters to ensure case-insensitivity, then truncated to a maximum of 14 characters if longer or padded with null bytes (0x00) if shorter, resulting in exactly 14 bytes. This 14-byte value is subsequently split into two 7-byte halves, with each half serving as the basis for a DES key derivation. Hash generation employs the (DES) algorithm in Electronic Codebook (ECB) mode without salting, iteration, or additional enhancements. Each 7-byte half is expanded into a 64-bit DES key by selecting 56 data bits (skipping every eighth bit for parity adjustment) and appending 8 parity bits. These two DES keys are then used to encrypt the fixed 8-byte string "KGS!@#$%" (ASCII values: 0x4B 0x47 0x53 0x21 0x40 0x23 0x24 0x25), producing two 8-byte blocks. The LM hash is the of these blocks, yielding a 16-byte output. This process can be formally expressed as: \text{LM}(P) = \text{DES}(K_1, \, \text{"KGS!@\$%"} ) \, \| \, \text{DES}(K_2, \, \text{"KGS!@\$%"} ) where PP is the processed 14-byte password, K1K_1 and K2K_2 are the 64-bit DES keys derived from the first and second 7-byte halves, respectively, \| denotes concatenation, and DES operates as a single encryption without padding modifications. The resulting 16-byte LM hash is stored in the local Security Accounts Manager (SAM) database alongside the stronger NT hash for backward compatibility in Windows systems. In the Server Message Block (SMB) protocol, this hash facilitates challenge-response authentication: the server generates and sends an 8-byte random challenge to the client, which derives three DES keys from the LM hash (appended with five null bytes) to encrypt the challenge, producing a 24-byte response sent back for server verification. This design, while simple, introduces vulnerabilities due to its weak cryptographic properties, such as the lack of salting.

Security Vulnerabilities

One of the primary flaws in LAN Manager's authentication system stems from its handling of passwords, which are converted to uppercase, rendering the mechanism case-insensitive and significantly reducing the complexity of potential passwords. Additionally, passwords are limited to a maximum of 14 characters, padded with null bytes if shorter, and then split into two independent 7-character halves for processing. This design choice drastically shrinks the effective keyspace for brute-force attacks to approximately 2^43 possibilities per half (total effective keyspace of about 2^44 for the full hash), as each half can be attacked separately using the limited character set of about 69 possibilities per position (uppercase letters A–Z, digits 0–9, and 33 common symbols). The encryption employed in LAN Manager hashing further exacerbates these vulnerabilities by relying on a single pass of the Data Encryption Standard (DES) algorithm for each password half, producing an 8-byte ciphertext per segment that is concatenated into a 16-byte hash. This weak cryptographic primitive, combined with the absence of salting, makes the hashes susceptible to efficient brute-force attacks; modern graphics processing units (GPUs) can exhaust the reduced keyspace and crack a full LM hash in mere minutes or even seconds for simpler passwords. Moreover, the lack of salt enables the use of precomputed rainbow tables, such as those distributed by Ophcrack, which store mappings of hashes to plaintexts and can recover most LM hashes almost instantaneously due to the deterministic nature of unsalted DES. Transmission of authentication data in LAN Manager introduces additional risks, as the challenge-response exchanges (including the 24-byte LM response derived from the LM hash) are sent over the network without additional encryption, allowing interception via packet sniffing. This exposure facilitates pass-the-hash attacks, where captured LM hashes (typically extracted from memory or storage) can be used to compute responses and authenticate to other systems without deriving the original password, bypassing standard credential checks in compatible environments. Furthermore, the protocol's reliance on broadcast-based discovery mechanisms, such as over TCP/IP, broadcasts session announcements across local networks, potentially revealing active LM-authenticated sessions to eavesdroppers and aiding in targeted exploitation. Historical exploits underscore the long-standing exploitability of these flaws, with tools like —released in 1997 by the Heavy Industries group—demonstrating the ability to rapidly crack LM hashes extracted from network captures or system dumps using dictionary and brute-force methods, often recovering passwords in minutes on contemporary hardware. These weaknesses persisted in implementations beyond systems, notably in the open-source project, where support for LM hashing continued in legacy configurations until the adoption of NTLMv2 as the default around 2007, when efforts to disable weak lanman hash generation by default were formalized.

Mitigation and Legacy

Workarounds and Improvements

To address the security weaknesses inherent in LAN Manager's authentication mechanisms, administrators could enforce password policies requiring at least 15 characters, which prevents the generation of an LM hash altogether by producing a null value instead. This approach leverages the limitation of LM hashing, which truncates passwords to 14 uppercase characters, ensuring that longer passphrases bypass the vulnerable DES-based computation entirely. Evolutionary upgrades to the protocol provided more robust alternatives, starting with the transition to NTLMv1 in 1993, which replaced LM's weak DES encryption with hashing and supported for broader character compatibility. Further improvements came with NTLMv2 in 1997, incorporating HMAC-MD5 for enhanced integrity and to mitigate risks like replay attacks. By , introduced full Kerberos support as the preferred protocol, offering ticket-based authentication with stronger cryptographic protections. These changes were prompted by legacy vulnerabilities in LM that exposed passwords to offline cracking. Configuration options allowed fine-grained control over LM usage, such as setting the registry key NoLMHash=1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa starting with to prevent storage of LM hashes on password changes. Additionally, settings for Network security: LAN Manager authentication level provided escalation from level 0 (allowing LM, NTLM, and NTLMv2) to level 5 (NTLMv2 only, rejecting LM and NTLMv1), with levels 3 and above explicitly denying LM responses. In modern environments, LM hashing was disabled by default in and released in 2007, eliminating its storage without manual intervention. Further deprecation progressed with stricter enforcement in from 2021 onward, culminating in its effective removal from active support, and Security Technical Implementation Guides (STIGs) mandating its disablement as of 2025 to align with compliance standards.

Reasons for Continued Relevance

Despite its well-documented security weaknesses, the LAN Manager (LM) hash persists in limited environments primarily due to legacy compatibility requirements with pre-2000 operating systems. Systems such as and early versions of relied on LM authentication for network access, as these platforms did not natively support stronger protocols like NTLMv2 without 4, released in 1997. Similarly, implementations, which enable cross-platform file sharing, initially lacked robust NTLMv2 support; full integration for NTLMv2 was not achieved until Samba 3.0 in 2003, with broader adoption and default configurations lagging into the mid-2000s. This compatibility necessity forces some organizations to retain LM hash support to interoperate with archived hardware or software from that era. Implementation inertia further contributes to the ongoing presence of LM elements, particularly in unpatched embedded devices, outdated build processes, and air-gapped networks. Many industrial control systems and legacy embedded hardware, often running unmodified derivatives, remain unpatched due to the risks of disrupting critical operations, preserving LM hashing as the default method. Build environments that still depend on DOS-based floppies for legacy —common in sectors like and defense—avoid upgrades to prevent compatibility breaks, inadvertently maintaining LM vulnerabilities. In air-gapped networks, isolated from threats, administrators may forgo modernizations under the assumption of inherent security, though this overlooks internal risks like insider threats or physical access attacks that could exploit weak LM hashes. Economic factors exacerbate this persistence, especially for small and medium-sized enterprises (SMEs), where the cost of migrating from LM-dependent systems can be prohibitive. Upgrading legacy infrastructure involves significant expenses for hardware replacement, software reconfiguration, and staff training, compounded by potential downtime in revenue-critical operations. Isolated networks without exposure foster a false sense of security, delaying investments in alternatives like Kerberos, as the perceived low risk does not justify immediate expenditure. As of 2025, LM hash usage is rare but endures in niche contexts such as archival storage systems and investigations, where historical requires preserving original authentication artifacts for analysis. ’s guidance under its Zero Trust framework strongly advocates phasing out protocols, including LM, entirely, emphasizing continuous verification and least-privilege access to mitigate risks in modern hybrid environments. With NTLMv1 removal in version 24H2 and 2025, organizations are urged to audit and eliminate LM remnants to align with these security imperatives.

References

  1. https://www.edm2.com/index.php/LAN_Manager
  2. http://www.os2museum.com/wp/early-microsoft-networks/
  3. https://www.landley.net/history/mirror/os2/history/os2ee/index.html
  4. https://siliconangle.com/2023/10/13/time-put-end-ntlm-network-authentication-protocol/
  5. https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848
  6. https://www.computerhistory.org/collections/catalog/102769967
  7. https://www.os2museum.com/wp/1989-networking-3open-lan-manager-1-1/
  8. http://bitsavers.informatik.uni-stuttgart.de/communications/3Com/3%2BOpen/4701-01_3%2BOpen_MS_OS2_LAN_Manager_Administrator_Guide_Jan89.pdf
  9. https://www.fundinguniverse.com/company-histories/3com-corporation-history/
  10. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4
  11. http://www.bitsavers.org/pdf/datapro/Datapro_Reports_on_PC_and_LAN_Communications_1992/Vol1_520.pdf
  12. https://www.networkworld.com/article/716525/data-center-novell-through-the-years.html
  13. https://www.os2museum.com/wp/1990-networking-lan-manager-2-0/
  14. https://blog.fosketts.net/2012/03/22/lan-manager-smb-cifs-history/
  15. https://www.itprotoday.com/it-infrastructure/inside-nt-networking
  16. https://dosdays.co.uk/topics/networking_in_dos.php
  17. https://blog.fosketts.net/2007/06/25/storage-history-the-3server/
  18. https://help.fdos.org/en/hhstndrd/network/history.htm
  19. https://www.os2museum.com/wp/os2-history/os2-timeline/
  20. https://ftp.zx.net.nz/pub/archive/ftp.digital.com/pub/digital/DECinfo/.3/whitepaper/PATHWORKS_for_OpenVMS_V5_Integ_19may1997LI01Q1PF.pdf
  21. https://www.computerworld.com/article/1458899/3com-one-of-the-longest-running-shows-in-networking.html
  22. https://bitsavers.org/pdf/dec/decnet/pathworks_DOS/AA-PHH1A-TK_Pathworks_for_DOS_Microsoft_LAN_Manager_Users_Guide_for_MS-DOS_1990.pdf
  23. http://www.os2museum.com/wp/microsoft-os2-1-3-but-which-one/
  24. https://winworldpc.com/product/lan-manager/2x
  25. https://libdowndefworl1971.mystrikingly.com/blog/microsoft-lan-manager
  26. https://ldapwiki.com/wiki/Wiki.jsp?page=LAN%20Manager
  27. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/760f8b7f-9a8a-4f0c-a044-1501a83a933b
  28. http://bitsavers.informatik.uni-stuttgart.de/communications/3Com/3%2BOpen/4695-02_3%2BOpen_LAN_Manager_Installation_and_Setup_Guide_Aug89.pdf
  29. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/80850595-e301-4464-9745-58e4945eb99b
  30. https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/network-redirector-design-in-windows-2000
  31. https://bitsavers.org/communications/3Com/6406-00_Lan_Manager_NDIS_1.0.2_Preliminary_Jan89.pdf
  32. http://bitsavers.trailing-edge.com/pdf/datapro/Datapro_Reports_on_PC_and_LAN_Communications_1992/Vol3_810.pdf
  33. http://web.mit.edu/darwin/src/modules/samba/docs/htmldocs/ENCRYPTION.html
  34. https://passlib.readthedocs.io/en/stable/lib/passlib.hash.lmhash.html
  35. https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
  36. https://learn.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-authentication
  37. https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly
  38. https://www.dionach.com/active-directory-password-auditing-part-2-cracking-the-hashes/
  39. https://ophcrack.sourceforge.net/tables.php
  40. https://www.vaadata.com/blog/understanding-ntlm-authentication-and-ntlm-relay-attacks/
  41. https://insecure.org/sploits/l0phtcrack.lanman.problems.html
  42. https://bugs.launchpad.net/bugs/163194
  43. https://learn.microsoft.com/en-us/windows-server/security/kerberos/passwords-technical-overview
  44. https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
  45. https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
  46. https://learn.microsoft.com/en-us/services-hub/unified/health/remediation-steps-ad/prevent-storage-of-lan-manager-password-hashes
  47. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
  48. https://stigviewer.com/stigs/microsoft_windows_11/2025-05-15/finding/V-253461
  49. https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73
  50. https://www.samba.org/samba/history/samba-3.0.0.html
  51. https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
  52. https://hackaday.com/2019/09/30/the-legacy-of-the-floppy-still-looms-over-windows/
  53. https://www.ericsson.com/en/blog/2024/10/why-air-gap-strategies-are-essential-for-your-network-security
  54. https://www.silverfort.com/blog/understanding-the-security-risks-of-ntlm/
  55. https://blog.elcomsoft.com/2022/08/breaking-windows-passwords-lm-ntlm-dcc-and-windows-hello-pin-compared/
  56. https://www.microsoft.com/en-us/security/blog/2025/05/15/how-the-microsoft-secure-future-initiative-brings-zero-trust-to-life/
  57. https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.