Pros and Cons of Disabling NTLMv1

by Mitch Tulloch [Published on 19 Aug. 2008 / Last Updated on 3 July 2008]

Is it a good idea to disable LM and NTLMv1 authentication on Windows networks and allow only NTLMv2 authentication?

You can disable NTLM v1 completely in a Windows environment by setting the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel to 5. This can also be done using Group Policy by configuring the following policy setting: Computer Configuration\Windows Settings\Security Settings\Local Polices\Security Options\Network Security: LAN Manager Authentication Level by selecting the “Send NTLMv2 response only\refuse LM & NTLM” option in the policy setting.

Now this obviously increases security for your network, but is it a good idea? Well remember: more security often means less functionality. For instance, two side effects I’ve heard of by administrators who have implemented this setting are (a) some older network appliances stop working since they rely on NTLMv1 and can’t do NTLMv2, and (b) integrated Windows authentication can fail for external users trying to access SharePoint sites. There may be other side effects as well for your environment, so be sure to test everything carefully if you plan on making this change on your network.

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .

Latest Contributions

Featured Links