pclans.com Help and Support  
HOW TO: Copy Information to a CD in Windows XP

LAN Manager authentication level

The information in this article applies to:
  • Windows XP Professional
  • Windows XP Home Edition
This article was previously published under KB 10425


How to: Network security: LAN Manager authentication level

back to the top

LAN Manager authentication level

Normally Windows 2000 and later authenticates users over the network using Kerberos but Windows will automatically fall back to the older, legacy NTLM authentication protocol whenever Kerberos fails including when:

•User is logging on with a local SAM account instead of a domain account •The client and server are not in the same forest or not in forests connected by a cross-forest trust •One of the computers is pre-Windows 2000

NTLM is a challenge/response protocol where in the authenticating server or domain controller issues a challenge which the client authenticates using the password hash as a key. NTLM has been repeatedly patched over the years to address security vulnerabilities. The oldest Windows systems can only send back the LM response originally developed in the 80s for LanManager. With NT Microsoft developed a stronger hash and response mechanism called NTLM but continued supporting LM. Vulnerabilities were found in NTLM prompting NTLMv2. For more information on NTLM see Network security: Do not store LAN Manager hash value on next password change.

These patches affect connectivity to/from older versions of Windows and this setting allows you to tweak NTLM on this computer to be strict and less compatible with older systems or more compatible but less secure. Note that the values for this setting impact how the computer handles NTLM authentication both as a client and as the authenticating server. Microsoft documentation describes how this setting affects domain controllers but the correction terminology would be authenticating server since this setting impacts both domain controllers (when authenticating a domain account) and workstations and member servers (when authenticating a local SAM account). To control how Active Directory will handle NTLM configure this setting on your domain controllers using the Default Domain Controllers Policy GPO. To control how a workstation or member server will handle NTLM when authenticating local SAM accounts or – more often – when functioning as an NTLM client, configure this setting in an applicable group policy object that is applied to the desired computers.

NTLMv2 Session Security

Another issue impacted by this policy is NTLMv2 Session Security. Session security is a feature of the NTLN SSPI that allows applications to encrypt and/or sign communication between client and server after initial authentication is complete. Session keys are not used during the actual authentication sequence, but when an application requests security by calling the EncryptMessage or SignMessage APIs. NTLMv2 Session Security protects against certain man-in-the-middle attacks by improving how the session key is generated.

This setting has impact on 2 other settings “Network security: Minimum session security for NTLM SSP based (including secure RPC) clients and Network security: Minimum session security for NTLM SSP based (including secure RPC) servers. If you require NTLMv2 Session Security in either of those settings but this setting is configured as level 0 or 1 and NTLMv2 Session Security negotiation fails, all communication via the NTLM SSPI will fail as well.

Level   Setting          Impact on computer when the NTLM client Impact on computer when the NTLM authenticating server 
0 Send LM & NTLM responses LM and NTLM response sent 
1 Send LM & NTLM - use NTLMv2 session security if negotiated LM and NTLM response sent Accepts LM, NTLM and NTLMv2 responses 
2 Send NTLM response only NTLM response only sent 
3 Send NTLMv2 response only Send NTLMv2 response only Accepts LM, NTLM and NTLMv2 responses 
4 Send NTLMv2 response only\refuse LM Send NTLMv2 response only Accepts NTLM and NTLMv2 responses only 
5 Send NTLMv2 response only\refuse LM & NTLM Send NTLMv2 response only Accepts NTLMv2 response only 

  • NOTE: How to: Network security: LAN Manager authentication level
  • back to the top
    back to the top

    Last Reviewed:12/19/2008
    Keywords: kbBackup kbhowto kbHOWTOmaster KB 10425 kbAudITPro


       ©2008 Support at pcplans.com