
Network security: LAN Manager authentication level

Windows 2000 and later normally authenticates users over the network with Kerberos, but Windows automatically falls back to the older, legacy NTLM authentication protocol whenever Kerberos fails, including when:

  • The user is logging on with a local SAM account instead of a domain account
  • The client and server are not in the same forest or not in forests connected by a cross-forest trust
  • One of the computers is pre-Windows 2000

NTLM is a challenge/response protocol wherein the authenticating server or domain controller issues a challenge, which the client answers using the password hash as a key. NTLM has been repeatedly patched over the years to address security vulnerabilities. The oldest Windows systems can only send back the LM response, originally developed in the 1980s for LAN Manager. With NT, Microsoft developed a stronger hash and response mechanism called NTLM but continued supporting LM. Vulnerabilities were then found in NTLM, prompting NTLMv2. For more information on NTLM see “Network security: Do not store LAN Manager hash value on next password change”.

These changes affect connectivity to and from older versions of Windows, and this setting lets you tune NTLM on this computer to be strict (less compatible with older systems) or more compatible (but less secure). Note that the values for this setting govern how the computer handles NTLM authentication both as a client and as the authenticating server. Microsoft documentation describes how this setting affects domain controllers, but the correct terminology would be authenticating server, since this setting impacts both domain controllers (when authenticating a domain account) and workstations and member servers (when authenticating a local SAM account). To control how Active Directory will handle NTLM, configure this setting on your domain controllers using the Default Domain Controllers Policy GPO. To control how a workstation or member server will handle NTLM when authenticating local SAM accounts or – more often – when functioning as an NTLM client, configure this setting in a group policy object that is applied to the desired computers.

NTLMv2 Session Security 

Another issue impacted by this policy is NTLMv2 Session Security. Session security is a feature of the NTLM SSPI that allows applications to encrypt and/or sign communication between client and server after initial authentication is complete. Session keys are not used during the actual authentication sequence, but when an application requests security by calling the EncryptMessage or SignMessage APIs. NTLMv2 Session Security protects against certain man-in-the-middle attacks by improving how the session key is generated.

This setting also affects two other settings, “Network security: Minimum session security for NTLM SSP based (including secure RPC) clients” and “Network security: Minimum session security for NTLM SSP based (including secure RPC) servers”. If you require NTLMv2 Session Security in either of those settings but this setting is configured as level 0 or 1 and NTLMv2 Session Security negotiation fails, all communication via the NTLM SSPI will fail as well.

When using the original NTLM protocol, the session key is based on the user’s NT “hash”. When NTLMv2 Session Security is used, the session key is based on the NT “hash” AND the client and server challenges. 

Impact of each level on the computer when it is the NTLM client and when it is the NTLM authenticating server (the server column for levels 0 and 2 is filled in from the surrounding levels, since only levels 4 and 5 refuse any response type):

  • Level 0 (Send LM & NTLM responses): as NTLM client, sends LM and NTLM responses; as NTLM authenticating server, accepts LM, NTLM and NTLMv2 responses.
  • Level 1 (Send LM & NTLM - use NTLMv2 session security if negotiated): as NTLM client, sends LM and NTLM responses; as NTLM authenticating server, accepts LM, NTLM and NTLMv2 responses.
  • Level 2 (Send NTLM response only): as NTLM client, sends the NTLM response only; as NTLM authenticating server, accepts LM, NTLM and NTLMv2 responses.
  • Level 3 (Send NTLMv2 response only): as NTLM client, sends the NTLMv2 response only; as NTLM authenticating server, accepts LM, NTLM and NTLMv2 responses.
  • Level 4 (Send NTLMv2 response only\refuse LM): as NTLM client, sends the NTLMv2 response only; as NTLM authenticating server, accepts NTLM and NTLMv2 responses only.
  • Level 5 (Send NTLMv2 response only\refuse LM & NTLM): as NTLM client, sends the NTLMv2 response only; as NTLM authenticating server, accepts the NTLMv2 response only.

Important notes on levels 1 and 2: 

  • As you can see, there is no longer any difference between levels 1 and 2 on supported versions of Windows.
  • Since both levels only attempt to negotiate NTLMv2 session security, a man-in-the-middle attacker can force the systems to fall back to older versions of the protocol. Therefore only level 3 and above ensures the benefits of session security.
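The following is an added example, not part of the WinSecWiki page: it models the level table above as "what the client sends" versus "what the authenticating server accepts" so that you can predict, before changing the policy on a domain controller, which clients will still authenticate and what the strongest surviving response type is. It assumes (as the table implies, since only levels 4 and 5 refuse anything) that servers at levels 0 through 3 accept all three response types.

```python
# Added example (not from the page): predict NTLM interoperability between a
# client level and an authenticating-server level from the policy table.
# Assumption: servers at levels 0-3 accept LM, NTLM and NTLMv2 responses.

# Response types ordered weakest to strongest.
STRENGTH = {"LM": 0, "NTLM": 1, "NTLMv2": 2}

# What the computer sends when it is the NTLM client, per level.
CLIENT_SENDS = {
    0: {"LM", "NTLM"},
    1: {"LM", "NTLM"},
    2: {"NTLM"},
    3: {"NTLMv2"},
    4: {"NTLMv2"},
    5: {"NTLMv2"},
}

# What the computer accepts when it is the authenticating server, per level.
SERVER_ACCEPTS = {
    0: {"LM", "NTLM", "NTLMv2"},
    1: {"LM", "NTLM", "NTLMv2"},
    2: {"LM", "NTLM", "NTLMv2"},
    3: {"LM", "NTLM", "NTLMv2"},
    4: {"NTLM", "NTLMv2"},
    5: {"NTLMv2"},
}


def negotiated_response(client_level, server_level):
    """Return the strongest response type the server will accept from this
    client, or None when NTLM authentication fails outright."""
    usable = CLIENT_SENDS[client_level] & SERVER_ACCEPTS[server_level]
    return max(usable, key=STRENGTH.get) if usable else None


def max_server_level(client_levels):
    """Highest level the authenticating server (e.g. a DC) can be set to while
    every listed client level still authenticates; None if no level works."""
    ok = [s for s in range(6)
          if all(negotiated_response(c, s) for c in client_levels)]
    return max(ok) if ok else None


if __name__ == "__main__":
    # A level-0 client still works against a level-4 server: LM is refused,
    # but the NTLM response it also sends is accepted.
    print(negotiated_response(0, 4))    # NTLM
    # A level-2 client cannot talk to a level-5 server at all.
    print(negotiated_response(2, 5))    # None
    # One level-2 client in the fleet caps the DC at level 4.
    print(max_server_level([3, 5, 2]))  # 4
```

Running the fleet check against the levels actually configured on your clients shows which machines must be raised before the authenticating servers can be set to level 5.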

Excellent sources for more information on NTLM: http://davenport.sourceforge.net/ntlm.html by Eric Glass and http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/ by Jesper Johansson. 

Bottom line

Set this value to level 3 or higher unless you must support pre-Windows 2000 or non-Windows computers.
