How-to: Windows LAN Manager authentication level

This setting affects how a Windows computer handles NTLM authentication both as a client and as an authenticating server.

The default level (3) on current OSs allows domain controllers to remain compatible with old clients going back to Windows 2000.

LMCompatibilityLevel:

| Level | Setting | Clients Receive: LM | NTLM | NTLMv2 | DCs accept: LM | NTLM | NTLMv2 | Default for |
|-------|---------|---------------------|------|--------|----------------|------|--------|-------------|
| 0 | Send LM & NTLM responses | Yes | Yes | No | Yes | Yes | Yes | Windows 2000/XP |
| 1 | Send LM & NTLM - use NTLMv2 session security if negotiated | Yes | Yes | Negotiated | Yes | Yes | Yes | |
| 2 | Send NTLM response only | No | Yes | Negotiated | Yes | Yes | Yes | Windows 2003 |
| 3 | Send NTLMv2 response only | No | No | Yes + Session Security | Yes | Yes | Yes | Windows 7 / 2008 and above |
| 4 | Send NTLMv2 response only/refuse LM | No | No | Yes + Session Security | No | Yes | Yes | |
| 5 | Send NTLMv2 response only/refuse LM & NTLM | No | No | Yes + Session Security | No | No | Yes | |

Best practices are dependent on your specific security and authentication requirements.

If LMCompatibilityLevel on a server is increased to 4 or 5 for better security, any Windows XP/2000 user who tries to authenticate will experience a logon failure that is recorded as a bad password and increments the bad password count. If account lock-out is configured, the user will eventually be locked out.

Increasing the LMCompatibilityLevel above 3 on a client will make no difference, but it can be lowered if there is a need to communicate with very old servers.

The NTLM version (0-5) is stored in the registry (as a DWORD):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LMCompatibilityLevel

or it can be set in Local Security Policy (secpol.msc)
under: Local Policies\Security Options\Network security: LAN Manager authentication level
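To audit the setting described above, here is an added PowerShell example (not from the SS64 page): it reads the registry value, assumes the current OS default of 3 when the value is absent (i.e. a Windows 7 / 2008 or later machine), and reports the matching row of the table plus the compatibility consequences the text describes. The function name and the -IsDomainController switch are my own.

```powershell
# Added example, not from the SS64 page: report the effective LMCompatibilityLevel
# on the local machine and what it implies, using the levels from the table above.
# Assumption: when the registry value is absent the OS default of 3 (Windows 7/2008+) applies.
$LmLevels = @{
    0 = @{ Name = 'Send LM & NTLM responses'
           Client = 'LM + NTLM, no NTLMv2';                             DC = 'LM, NTLM, NTLMv2' }
    1 = @{ Name = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
           Client = 'LM + NTLM, NTLMv2 session security if negotiated';  DC = 'LM, NTLM, NTLMv2' }
    2 = @{ Name = 'Send NTLM response only'
           Client = 'NTLM only, NTLMv2 session security if negotiated';  DC = 'LM, NTLM, NTLMv2' }
    3 = @{ Name = 'Send NTLMv2 response only'
           Client = 'NTLMv2 + session security';                         DC = 'LM, NTLM, NTLMv2' }
    4 = @{ Name = 'Send NTLMv2 response only/refuse LM'
           Client = 'NTLMv2 + session security';                         DC = 'NTLM, NTLMv2 (LM refused)' }
    5 = @{ Name = 'Send NTLMv2 response only/refuse LM & NTLM'
           Client = 'NTLMv2 + session security';                         DC = 'NTLMv2 only (LM and NTLM refused)' }
}

function Get-LmCompatibilityLevel {
    param(
        # Registry path from the page (HKLM\...\Control\LSA); registry names are case-insensitive
        [string]$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        # Set this when auditing a domain controller so the XP/2000 client warning applies
        [switch]$IsDomainController
    )
    $prop = Get-ItemProperty -Path $RegPath -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    $configured = if ($null -ne $prop) { [int]$prop.LmCompatibilityLevel } else { $null }
    $effective  = if ($null -ne $configured) { $configured } else { 3 }   # absent value: OS default
    $row = $LmLevels[$effective]

    $findings = @()
    if ($effective -lt 3) {
        $findings += 'Client still sends LM and/or NTLM (v1) responses; the current OS default is 3.'
    }
    if ($IsDomainController -and $effective -ge 4) {
        $findings += 'Windows 2000/XP clients will fail logon; each attempt counts as a bad password and can trigger lockout.'
    }
    if (-not $IsDomainController -and $effective -gt 3) {
        $findings += 'Above 3 makes no difference on a client; only lower it if very old servers must be reached.'
    }
    [pscustomobject]@{
        ConfiguredValue = $configured        # $null means the value is not set in the registry
        EffectiveLevel  = $effective
        Setting         = $row.Name
        ClientsReceive  = $row.Client
        DcsAccept       = $row.DC
        Findings        = $findings
    }
}

Get-LmCompatibilityLevel | Format-List
```

Run it elevated on the server you are about to harden; add -IsDomainController on a DC to surface the XP/2000 lockout warning before raising the level to 4 or 5.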

“When a deep injury is done us, we never recover until we forgive” ~ Alan Paton

Related:

LAN Manager authentication level - Docs.Microsoft.com
NTLM authentication - The most misunderstood Windows security setting of all time by Jesper Johansson.
NTLM protocol - In-depth detail of the protocol and the related Security Support Provider (SSP) - Eric Glass.


 
Copyright © 1999-2020 SS64.com
Some rights reserved