Pros and Cons of Disabling NTLMv1

by Mitch Tulloch [Published on 19 Aug. 2008 / Last Updated on 3 July 2008]

Is it a good idea to disable LM and NTLMv1 authentication on Windows networks and allow only NTLMv2 authentication?

You can disable NTLM v1 completely in a Windows environment by setting the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel to 5. This can also be done using Group Policy by configuring the following policy setting: Computer Configuration\Windows Settings\Security Settings\Local Polices\Security Options\Network Security: LAN Manager Authentication Level by selecting the “Send NTLMv2 response only\refuse LM & NTLM” option in the policy setting.

Now this obviously increases security for your network, but is it a good idea? Well remember: more security often means less functionality. For instance, two side effects I’ve heard of by administrators who have implemented this setting are (a) some older network appliances stop working since they rely on NTLMv1 and can’t do NTLMv2, and (b) integrated Windows authentication can fail for external users trying to access SharePoint sites. There may be other side effects as well for your environment, so be sure to test everything carefully if you plan on making this change on your network.

See Also

Featured Links