The LAN Manager authentication level is a Windows security setting that controls how systems use legacy authentication protocols such as LM and NTLM. While often left unchanged, improper configuration can weaken authentication security and expose environments to credential-based attacks. In modern Windows networks, this setting should be reviewed and aligned with current best practices.
What are LAN Manager Authentication Levels
LAN Manager authentication is a legacy authentication protocol that Microsoft developed for network operations in older versions of Windows. The LAN Manager (LM) authentication level setting determines which of these protocols Windows systems use when authenticating network connections. These operations include:
- Joining a domain
- Authenticating between Active Directory forests
- Authenticating to older Windows domains (pre-2000)
- Authenticating to non-Windows machines (since Windows 2000)
- Authenticating to non-domain machines
Supported Protocols
The LAN Manager Authentication supports these protocols:
- LAN Manager (LM): This is the oldest and least secure protocol. It transmits passwords in a weakly hashed format, making them vulnerable to brute-force attacks.
- NT LAN Manager (NTLM): An improvement over LM, NTLM uses a stronger hashing algorithm for passwords. However, it still has security weaknesses and is susceptible to man-in-the-middle attacks.
- NTLM v2: The most secure protocol of the three, NTLMv2 offers better protection against various attacks compared to LM and NTLM.
Network Security: LAN Manager Authentication Level Settings
The possible values for the Network security: LAN Manager authentication-level setting are:
| Levels | Clients | Servers/Domain Controllers |
|---|---|---|
| Send LM & NTLM responses | Sends LM and NTLM authentication and never uses NTLMv2 session security. | Accepts LM, NTLM, and NTLMv2 authentication requests. |
| Send LM & NTLM – use NTLMv2 session security if negotiated | Sends LM and NTLM authentication, and uses NTLMv2 session security if the server supports it. | Accepts LM, NTLM, and NTLMv2 authentication requests. |
| Send NTLM responses only | Sends NTLM authentication only, and uses NTLMv2 session security if the server supports it. | Accepts LM, NTLM, and NTLMv2 authentication requests. |
| Send NTLMv2 responses only | Sends NTLMv2 authentication only, and uses NTLMv2 session security if the server supports it. | Accepts LM, NTLM, and NTLMv2 authentication requests. |
| Send NTLMv2 responses only, refuse LM | Sends NTLMv2 authentication only, and uses NTLMv2 session security if the server supports it. | Accepts NTLM and NTLMv2 authentication requests, but refuses LM. |
| Send NTLMv2 responses only, refuse LM & NTLM | Sends NTLMv2 authentication only, and uses NTLMv2 session security if the server supports it. | Accepts NTLMv2 authentication requests only; refuses LM and NTLM. |
| Not Defined | | |
Default Authentication Configuration
The default configurations below allow any client to connect and access server resources using LM responses. An attacker who intercepts this traffic can quickly recover the user’s password from the weak LM hash.
| Windows Version | Default Configuration | Notes |
|---|---|---|
| Vista | Not Defined | |
| 95, 98, NT | Send LM only | Don’t support Kerberos 5 protocol authentication |
| 2000, 2003, XP | Send LM and NTLM authentication responses | |
| Server 2003 Domain Controllers | LM and NTLM protocols | Use these defaults to enable authentication with Windows 95, 98, and NT clients. |
In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated, it will use LM, NTLM, or NTLMv2.
Enforcing Secure Authentication
You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for earlier clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos Active Directory authentication protocol to authenticate with Windows Server 2003 domain controllers.
Configure the Network Security
We recommend this level of authentication when all clients support NTLMv2.
- Policy: Set the LAN Manager Authentication Level setting to Send NTLMv2 responses only.
- Potential Impact: Clients that do not support NTLMv2 authentication will not be able to authenticate in the domain and access domain resources by using LM and NTLM.
- Severity: Critical
To configure NTLM compatibility for Windows Vista and Windows 7:
- Click Start > All Programs > Accessories > Run and type secpol.msc in the Open box, and then click OK.
- Click Local Policies > Security Options > Network Security: LAN Manager authentication level.
- Click Send LM & NTLM – use NTLMv2 session security if negotiated.
- Click Apply.
Enforcing NTLMv2 is also a NIST requirement. If your organization follows NIST 800-53 or 800-171, this setting directly affects your compliance posture.
Configuring GPO to Force NTLMv2
- Open the Group Policy Manager.
- Navigate to the GPO section Computer Configurations -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
- Find the policy Network Security: LAN Manager authentication level.

Disabling NTLM v1 Authentication
You can also disable NTLMv1 authentication through the registry.
- Open the Registry Editor.
- Create a DWORD value named LmCompatibilityLevel under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
- Set the value to 5. This corresponds to the “Send NTLMv2 response only. Refuse LM & NTLM” policy option.
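The PowerShell script below is an added example, not part of the original article: it reads LmCompatibilityLevel from the Lsa registry key named above, maps the value to the policy names in the table, and lists recent NTLMv1/LM logons from the Security log, so you can find the clients that the Potential Impact note warns about before enforcing level 5. The field names (AuthenticationPackageName, LmPackageName, and so on) come from the event 4624 schema; the compliance threshold of 5 is the article's target level.

```powershell
# Added example (not from the original article). Run in an elevated session:
# reading the Security log requires administrator rights.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy names for each LmCompatibilityLevel value, as listed in the article's table.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM responses only'
    3 = 'Send NTLMv2 responses only'
    4 = 'Send NTLMv2 responses only, refuse LM'
    5 = 'Send NTLMv2 responses only, refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $value = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        # No explicit value: the OS default applies, which is not an enforced setting.
        return [pscustomobject]@{ Level = $null; Name = 'Not Defined'; Compliant = $false }
    }
    [pscustomobject]@{
        Level     = [int]$value
        Name      = $LevelNames[[int]$value]
        Compliant = ([int]$value -ge 5)   # article's recommended target: refuse LM & NTLM
    }
}

# Logon events (4624) carry "Package Name (NTLM only)" = LM, NTLM V1 or NTLM V2.
# Any value other than NTLM V2 marks a source that will fail once level 5 is enforced.
function Get-LegacyNtlmLogons {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['AuthenticationPackageName'] -eq 'NTLM' -and $data['LmPackageName'] -in @('LM', 'NTLM V1')) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Package  = $data['LmPackageName']
                User     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Source   = $data['WorkstationName']
                SourceIP = $data['IpAddress']
            }
        }
    }
}

Get-LmCompatibilityLevel | Format-List
Get-LegacyNtlmLogons -Days 7 | Group-Object Package, Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Run the logon report on domain controllers as well, since that is where NTLM authentication for domain accounts is ultimately validated and logged.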
Key Takeaways
- LAN Manager (LM) and NTLMv1 are insecure and should be fully disabled.
- NTLMv2 and Kerberos are the secure authentication standards for modern Windows environments.
- Configuring the Authentication Level policy is critical to enforcing secure authentication.
- Leaving LM/NTLMv1 enabled creates significant security risks.
- Follow the best practices above for configuring and enforcing authentication levels.
How CalCom Can Help
Relying on outdated protocols like LM or NTLMv1 leaves your organization exposed to credential theft, compliance failures, and advanced attacks. CalCom Hardening Solution (CHS) automates the enforcement of secure LAN Manager Authentication Level policies across your servers. By eliminating manual misconfigurations, CHS not only strengthens your security posture but also simplifies compliance audits and reduces operational overhead.