How-to: Windows LAN Manager authentication level

This setting affects how a Windows computer handles NTLM authentication both as a client and as an authenticating server.

The default level (3) for current OSs allows Domain Controllers to remain compatible with old clients going back to Windows 2000.


Level  Setting
0      Send LM & NTLM responses
1      Send LM & NTLM - use NTLMv2 session security if negotiated.
2      Send NTLM response only
3      Send NTLMv2 response only
4      Send NTLMv2 response only/refuse LM
5      Send NTLMv2 response only/refuse LM & NTLM

Level:            0    1           2           3                       4                       5
Clients Receive:
  LM              Yes  Yes         No          No                      No                      No
  NTLM            Yes  Yes         Yes         No                      No                      No
  NTLMv2          No   Negotiated  Negotiated  Yes + Session Security  Yes + Session Security  Yes + Session Security
DCs accept:
  LM              Yes  Yes         Yes         Yes                     No                      No
  NTLM            Yes  Yes         Yes         Yes                     Yes                     No
  NTLMv2          Yes  Yes         Yes         Yes                     Yes                     Yes

This level is the default for these OS’s:

Windows 2000/XP

Windows 2003

Windows 7 / 2008 and above.

Best practices are dependent on your specific security and authentication requirements.

If LMCompatibilityLevel on a server is increased to 4 or 5 for better security, any Windows XP/2000 user who tries to authenticate will experience a logon failure that is treated as a bad password and increments the bad password count. If account lockout is configured, the user will eventually be locked out.
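One way to find the accounts exposed to that lockout before raising the level, as an added example that is not part of the original page: the Python below counts past successful logons (Security log event ID 4624, exported as XML) whose NTLM sub-package would be refused at the target level. It assumes the event's `LmPackageName` field carries `LM`, `NTLM V1` or `NTLM V2`; the function name and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
# LmPackageName values refused at each level, per the "DCs accept" rows above.
REFUSED = {0: set(), 1: set(), 2: set(), 3: set(), 4: {"LM"}, 5: {"LM", "NTLM V1"}}


def at_risk_logons(events_xml, target_level):
    """Count (user, workstation) pairs whose past logons would be refused at target_level."""
    hits = Counter()
    for ev in ET.fromstring(events_xml).iter(f"{{{NS}}}Event"):
        if ev.findtext(f"{{{NS}}}System/{{{NS}}}EventID") != "4624":
            continue  # only successful logon events are of interest
        data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{{{NS}}}Data")}
        if data.get("LmPackageName") in REFUSED[target_level]:
            hits[(data.get("TargetUserName"), data.get("WorkstationName"))] += 1
    return hits


# Constructed sample events (not real log data), trimmed to the fields used here.
_EV = ('<Event xmlns="' + NS + '"><System><EventID>4624</EventID></System><EventData>'
       '<Data Name="TargetUserName">{0}</Data><Data Name="WorkstationName">{1}</Data>'
       '<Data Name="LmPackageName">{2}</Data></EventData></Event>')
SAMPLE = "<Events>" + "".join(_EV.format(*row) for row in [
    ("alice", "XP-KIOSK01", "NTLM V1"),
    ("alice", "XP-KIOSK01", "NTLM V1"),
    ("bob", "WIN10-042", "NTLM V2"),
    ("svc_scan", "COPIER-3", "LM"),
    ("carol", "-", "-"),  # Kerberos logon: no NTLM sub-package recorded
]) + "</Events>"

if __name__ == "__main__":
    for level in (4, 5):
        print(f"level {level}:", dict(at_risk_logons(SAMPLE, level)))
```

Any pair the function reports for the target level needs its client reconfigured or replaced before the change, otherwise its logons start counting as bad passwords.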

Increasing the LMCompatibilityLevel above 3 on a client will make no difference, but it can be lowered if there is a need to communicate with very old servers.

The NTLM version (0-5) is stored in the registry (as a DWORD):

or it can be set in the local Security policy (secpol.msc)
under: Local policies\Security Options\Network Security: LAN Manager Authentication level

“When a deep injury is done us, we never recover until we forgive” ~ Alan Paton

Related commands

LAN Manager authentication level -
NTLM authentication - The most misunderstood Windows security setting of all time by Jesper Johansson.
NTLM protocol - In depth detail of the protocol and related Security Support Provider (SSP) - Eric Glass.
