Hi, my company is looking to improve security in our mixed Server 2003 & Server 2008 R2 environment by protecting against pass-the-hash attacks. We are in the process of implementing 15-character passwords for privileged IDs, which will result in much kick back from our users. I understand that using a PW of 15+ characters breaks the LM hash algorithm. But, is there a Microsoft-provided mechanism for preventing the LM hash from being stored in memory when a shorter (14 characters or less) password is used in conjunction with the 'NoLMHash' registry setting and the following settings applied via Domain GPO?
- Network security: Do not store LAN Manager hash value on next password change - Enabled
- Network security: LAN Manager authentication level - Send NTLMv2 response only. Refuse LM & NTLM
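
A check that the two settings named in the question have actually landed on a given server, added here as an example and not part of the original post. It reads only the stored registry values under the Lsa key and says nothing about what is held in memory; the function names are hypothetical and the code is written to run on PowerShell 2.0.

```powershell
# Added example: audit the two LSA registry values behind the GPO settings above.
# Function names and output shape are illustrative, not from any Microsoft tool.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Names  = 'NoLMHash', 'LmCompatibilityLevel'

function Test-LmHardening {
    param([hashtable]$Lsa)   # value name -> data, as read from the Lsa key

    # NoLMHash = 1             : "Do not store LAN Manager hash value on next password change"
    # LmCompatibilityLevel = 5 : "Send NTLMv2 response only. Refuse LM & NTLM"
    $expected = @{ NoLMHash = 1; LmCompatibilityLevel = 5 }

    foreach ($name in $Names) {
        if (-not $Lsa.ContainsKey($name)) {
            # No explicit value: the OS default applies, which differs by Windows version.
            $actual = $null
            $status = 'NOT SET (OS default applies)'
        } elseif ([int]$Lsa[$name] -eq $expected[$name]) {
            $actual = $Lsa[$name]
            $status = 'OK'
        } else {
            $actual = $Lsa[$name]
            $status = 'WEAK'
        }
        New-Object PSObject -Property @{
            Setting = $name; Expected = $expected[$name]; Actual = $actual; Status = $status
        }
    }
}

function Get-LsaValues {
    # Collect only the values that are explicitly present on this machine.
    $found = @{}
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    foreach ($name in $Names) {
        $p = $props.PSObject.Properties[$name]
        if ($p) { $found[$name] = $p.Value }
    }
    $found
}

# Constructed sample: the hash-storage policy applied, the authentication level
# left at a lower value, as on a host the second GPO setting never reached.
Test-LmHardening -Lsa @{ NoLMHash = 1; LmCompatibilityLevel = 2 } |
    Format-Table Setting, Expected, Actual, Status -AutoSize

# Live check of the local server.
Test-LmHardening -Lsa (Get-LsaValues) |
    Format-Table Setting, Expected, Actual, Status -AutoSize
```

As the policy name states, NoLMHash only takes effect at the next password change, so an `OK` result here does not mean existing accounts have had their stored LM hash removed.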