NTLMv2 NT Authenication in NT and Win9x clients

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT SP4 introduced NTLMv2 Authentication which implements 128bit encrypted keys and provides for a method to eliminate LANMAN hashes for NT clients. LANMAN Password authenication is easy to attack since it uses upper-case letters (reducing the set from 52 to 26 letters) and limiting password length to 7 characters (effectively from a dictionary attack viewpoint). To modify Windows NT LANMAN values:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\LSA
Name: LMCompatibilityLevel
Type: REG_DWORD
Value: 5 : DC refuses LM and NTLM responses (accepts only NTLMv2)
Value: 4 : DC refuses LM responses
Value: 3 : Send NTLMv2 response only
Value: 2 : Send NTLM response only
Value: 1 : Use NTLMv2 session security if negotiated
Value: 0 : default - Send LM response and NTLM response; never use NTLMv2 session security

You MUST read KB Q147706 - How to Disable LM Authentication on Windows NT to understand compatibility issues. Its lists gotchas and implementation suggestions. SP4 added levels 3-5 and added considerable complexity. Also see Q175641 - LMCompatibilityLevel and Its Effects

For commercial networks, I suggest setting LMCompatibilityLevel to 1 on all NT workstations and servers. NTLMv2 will be used when possible and allow LANMAN compatibility for Win95, Win98, and Mac clients. In high-risk networks, set LMCompatibilityLevel to 5 - eliminiates Win9x and its weak authenication requirements. With the introduction of Windows 2000, Microsoft has provided a method to add NTLMv2 support into Win9x clients. You do this by installing and uninstalling the Directory Services Client included on the Windows 2000 CD-ROM. The installation updates the authenication components in Win9x to NTLMv2 compatibility and when the client is uninstalled, these enhanced system components remain! The steps needed to add this functionality is documented in Microsoft's kb article Q239869 (article offline 4/26/2002). With this enhancement, it is no longer necessary to have an all NT workstation environment to gain NTLMv2 authenication.

See Also

Featured Links