NTLMv2 NT Authenication

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT SP4 introduced NTLMv2 Authentication which implements 128bit encrypted keys and provides for a method to eliminate LANMAN hashes for NT clients. LANMAN Password authenication is easy to attack since it uses upper-case letters (reducing the set from 52 to 26 letters) and limiting password length to 7 characters (effectively from a dictionary attack viewpoint). To modify LANMAN values:

Key: SYSTEM\CurrentControlSet\Control\LSA
Name: LMCompatibilityLevel
Value: 5 : DC refuses LM and NTLM responses (accepts only NTLMv2)
Value: 4 : DC refuses LM responses
Value: 3 : Send NTLMv2 response only
Value: 2 : Send NTLM response only
Value: 1 : Use NTLMv2 session security if negotiated
Value: 0 : default - Send LM response and NTLM response; never use NTLMv2 session security

You MUST read KB Q147706 - How to Disable LM Authentication on Windows NT to understand compatibility issues. Its lists gotchas and implementation suggestions. SP4 added levels 3-5 and added considerable complexity. Also see Q175641 - LMCompatibilityLevel and Its Effects

For commercial networks, I suggest setting LMCompatibilityLevel to 1 on all NT workstations and servers. NTLMv2 will be used when possible and allow LANMAN compatibility for Win9x and Mac clients. In high-risk networks, set LMCompatibilityLevel to 5 - eliminiates Win9x and its weak authenication requirements.

Featured Links