Enable file sharing for devices that use 40- or 56-bit encryption via registry

0

Is there a chance to enable file sharing for devices that use 40- or 56-bit encryption via a registry tweak? I have to enable this on a lot of PCs and don't want to do this manually on every computer. Sadly, I cannot use a GPO. I just found this setting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create a new DWORD value with the following properties:
NAME: LmCompatibilityLevel
VALUE: 1

But this just changes the "LAN Manager authentication level". I additionally have to change the encryption from 128-bit to 40- or 56-bit, but how can I achieve that without the GUI?

AndyB

Posted 2014-04-16T08:10:33.480

Reputation: 11

Answers

0

The registry key you are searching for is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec

Set it to 00000000 to disable 128-bit encryption. If you have a list of the hostnames of the PCs you could run a script to change the keys remotely, but this is another Exchange area...

daraos

Posted 2014-04-16T08:10:33.480

Reputation: 469

Thanks for the quick reply, I'll try that in the next few hours. I already have a good way to deploy the registry changes to a huge amount of computers, so that will not be a problem, hopefully. Is there in general a "best practice" to find these specific registry entries? I already tried it with RegShot but the results were very confusing. – AndyB – 2014-04-16T08:55:35.967

Usually I first try to find out if someone else had the same or a similar issue and google (of course!). In this case I found this page: http://www.facetcorp.com/tnotes/facetwin/tn_fw_encrypted_win7.html. It contains the key you need. If this doesn't work, I guess the area I need to look for and log registry changes after doing it manually.

– daraos – 2014-04-16T09:17:04.670

0

File sharing encryption

By default, Windows 7 uses 128-bit encryption for file sharing connections. The GUI allows you to choose 40- or 56-bit encryption as well:

File sharing connections

By using a program like RegShot or Process Monitor you can compare the registry changes. The affected registry key is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

In particular, two values are set:

NtlmMinClientSec
NtlmMinServerSec

The valid range was 0x0 | 0x10 | 0x20 | 0x80000 | 0x20000000, at least until Windows Server 2003. As of Windows 7, when you enable the 128-bit encryption option through the GUI, both are set to 0x20000000. Otherwise they're set to 0x0.

Batch automation

Here's a sample batch script which can apply the required changes automatically. Just make sure to run it with administrator rights.

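@echo off
rem Set NtlmMinClientSec and NtlmMinServerSec to 0 (no minimum NTLM session
rem security requirements, so 128-bit encryption is no longer required).
for %%G in (Client,Server) do (
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v "NtlmMin%%GSec" /t REG_DWORD /d 0 /f >nul
)
exit /b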


and31415

Posted 2014-04-16T08:10:33.480

Reputation: 13 382
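
A read-only check of the two values discussed in the answers above, useful for confirming what a host currently requires before or after a deployment. This is an added example, not code from the original posts; the flag names are taken from Microsoft's description of the "Minimum session security for NTLM SSP" policy and do not appear on this page, and the function names are made up for the illustration.

```powershell
# Added example (not from the original posts): decode NtlmMinClientSec and
# NtlmMinServerSec on the local host. Read-only: it changes nothing.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Bit meanings per Microsoft's "Minimum session security for NTLM SSP" policy
# (assumption: the names are not given on this page, only the values).
$KnownFlags = @(
    @{ Bit = 0x00000010; Name = 'Require message integrity' }
    @{ Bit = 0x00000020; Name = 'Require message confidentiality' }
    @{ Bit = 0x00080000; Name = 'Require NTLMv2 session security' }
    @{ Bit = 0x20000000; Name = 'Require 128-bit encryption' }
)

function ConvertTo-NtlmMinSecFlag {
    param([long]$Value)
    # Emit the name of every known flag whose bit is set in $Value.
    foreach ($flag in $KnownFlags) {
        if ($Value -band $flag.Bit) { $flag.Name }
    }
}

function Get-NtlmMinSecReport {
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $raw = $props.$name
        if ($null -eq $raw) {
            # Value absent: report that instead of guessing an effective default.
            [pscustomobject]@{ Name = $name; Hex = '(not set)'; Requires128Bit = $null; Flags = '' }
            continue
        }
        $flags = @(ConvertTo-NtlmMinSecFlag -Value $raw)
        [pscustomobject]@{
            Name           = $name
            Hex            = '0x{0:X8}' -f $raw
            Requires128Bit = [bool]($raw -band 0x20000000)
            Flags          = $flags -join '; '
        }
    }
}

Get-NtlmMinSecReport | Format-Table -AutoSize
```

A host where the batch script above has run reports `0x00000000` with `Requires128Bit` false for both values, which makes it easy to list the machines that accept weaker session encryption and to confirm when they have been set back to `0x20000000`.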