ISM-1055 ASD Information Security Manual (ISM)

Disable Insecure LAN Manager Authentication

Systems must disable outdated LAN Manager and NT LAN Manager authentication to enhance security.

Plain language

This control is about turning off old, insecure ways of logging into computers and systems, known as LAN Manager and NT LAN Manager. These methods are outdated and can be easily hacked, putting your sensitive information at risk if they remain active.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Sept 2020

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

LAN Manager and NT LAN Manager authentication methods are disabled.
Why it matters

If LAN Manager/NTLM authentication remains enabled, attackers can force downgrades and capture weak hashes, enabling credential cracking and unauthorised access.

Operational notes

Verify Group Policy/security options disable LM and NTLMv1, and monitor for policy drift so legacy authentication methods are not re-enabled by updates.
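
One way to run the check described above on a single Windows host, as an added example that is not part of the ISM or of this page's source. It covers LM and NTLMv1 only. The baseline values (LmCompatibilityLevel = 5, NoLMHash = 1) and the function name Test-LegacyAuthBaseline are this example's assumptions.

```powershell
# Added example: read-only audit of the local registry values behind the
# LM/NTLMv1 security options. Run as a script so the exit code is usable.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Baseline assumed by this example:
#   LmCompatibilityLevel = 5 -> send NTLMv2 responses only; refuse LM and NTLM (v1)
#   NoLMHash             = 1 -> do not store an LM hash at the next password change
$Baseline = @(
    [pscustomobject]@{ Name = 'LmCompatibilityLevel'; Required = 5 }
    [pscustomobject]@{ Name = 'NoLMHash';             Required = 1 }
)

function Test-LegacyAuthBaseline {
    param([string]$Key = $LsaKey)

    foreach ($setting in $Baseline) {
        # A missing value means the OS default applies. That is reported as
        # drift because the setting is not being enforced explicitly.
        $prop = Get-ItemProperty -Path $Key -Name $setting.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $prop) { $prop.($setting.Name) } else { $null }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Setting   = $setting.Name
            Required  = $setting.Required
            Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
            Compliant = ($null -ne $actual) -and ($actual -eq $setting.Required)
        }
    }
}

$results = @(Test-LegacyAuthBaseline)
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

Running it on a schedule and alerting on a non-zero exit code gives a simple drift signal per host.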

Implementation tips

  • The IT team should disable LAN Manager and NT LAN Manager on all systems. This can be done by accessing the system settings on each computer and choosing the option to turn off these authentication methods. Follow the guidelines provided by the software manufacturer or refer to the Australian Cyber Security Centre (ACSC) for detailed instructions.
  • System owners should ensure that all team members are aware of the change and understand how to log in securely using updated methods. Host a workshop or send out a guide via email that explains the new login process and why these changes are necessary for security.
  • Managers should maintain regular communication with the IT team to verify that outdated authentication is disabled on newly acquired systems. Implement a standard procedure for checking settings during the setup of any new device, ensuring these old methods are turned off from the start.
  • The IT team should keep system software and anti-virus applications up to date to complement the disabling of insecure authentication. This can be achieved by scheduling regular updates and monitoring alerts from the system's software providers.
  • Business leaders should involve a cybersecurity consultant to conduct an annual security review that includes checking for deactivated LAN Manager authentication, ensuring compliance with the latest industry standards and best practices.

Audit / evidence tips

  • Ask: A system configuration report: Request documentation that shows authentication settings for all networked systems. Good: Is a report indicating that both LAN Manager and NT LAN Manager are disabled.
  • Ask: Records of IT team training sessions: Request evidence of training or communication about the changes to authentication methods. Good: Is documentation showing clear communication about disabling these outdated methods.
  • Ask: A list of recently purchased devices: Request records of new systems and the setup procedures followed. Good: Includes detailed setup checklists with completed tasks.
  • Ask: The results of a security audit: Request the latest cybersecurity audit report. Good: Is a report confirming that LAN Manager is not used within the organisation.
  • Ask: A policy document on system authentication: Request to see internal policies about secure login methods. Good: Includes documented policy directions to disable insecure authentication methods across the organisation.

Cross-framework mappings

How ISM-1055 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

  • Annex A 8.5: ISM-1055 requires organisations to disable insecure legacy authentication protocols (LAN Manager and NTLM variants) to reduce credential ...
  • Annex A 8.9: ISM-1055 requires a specific security configuration: disabling LAN Manager and NT LAN Manager authentication methods

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
