LAN Manager Authentication Level Best Practices

LAN Manager Authentication Level Best Practices

4 Minutes Read Published on March 1, 2024

LAN Manager Authentication Level Explained

LAN Manager (LM) authentication level is a security setting that determines how Windows systems authenticate network connections. It is a legacy authentication protocol developed by Microsoft for use in older versions of Windows network operations. These operations include:

  • Joining a domain
  • Authenticating between Active Directory forests
  • Authenticating to older Windows domains (pre-2000)
  • Authenticating to non-Windows machines (since Windows 2000)
  • Authenticating to non-domain machines

LAN Manager Authentication Protocols

There are three main protocols involved in LAN Manager Authentication:

  • LM (Lan Manager): This is the oldest and least secure protocol. It transmits passwords in a weakly hashed format, making them vulnerable to brute-force attacks.
  • NTLM (NT LAN Manager): An improvement over LM, NTLM uses a stronger hashing algorithm for passwords. However, it still has security weaknesses and is susceptible to man-in-the-middle attacks.
  • NTLMv2 (NT LAN Manager v2): The most secure protocol of the three, NTLMv2 offers better protection against various attacks compared to LM and NTLM.

The LAN Manager Authentication Level setting allows you to choose which protocols your system will use or accept for authentication.

LAN Manager Policy Description 

LAN Manager (LM) is a family of early Microsoft client/server software products that allows users to link personal computers together on a single network. Network capabilities include transparent file and printer sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2.

Network Security: LAN Manager Authentication Level Settings

The possible values for the Network security: LAN Manager authentication-level setting are:

  1. Send LM & NTLM responses –Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
  2. Send LM & NTLM – use NTLMv2 session security if negotiated – Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
  3. Send NTLM responses only –Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
  4. Send NTLMv2 responses only –Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
  5. Send NTLMv2 responses onlyrefuse LM –Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
  6. Send NTLMv2 responses onlyrefuse LM & NTLM –Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
  7. Not Defined

Potential Vulnerability

Default configurations per operating system:

*Windows Vista – Not Defined

*Windows 95-based and Windows 98-based clients only send LM.

*Windows 2000, Windows Server 2003, and Windows XP- send LM and NTLM authentication responses.

*Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, computers authenticate by default using both the LM and NTLM protocols.

By default, these servers let any client connect and access their resources. But this setup comes with a risk: it sends LM responses, which are the least secure way to authenticate. Attackers could intercept this traffic and quickly figure out the user’s password.

You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for earlier clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos active directory authentication protocol to authenticate with Windows Server 2003 domain controllers.

NTLM v1 and NTLM v2 vs Kerberos

Countermeasures

Configure the Network security: LAN Manager Authentication Level setting to Send NTLMv2 responses only. We recommend this level of authentication when all clients support NTLMv2.

Potential Impact

Clients that do not support NTLMv2 authentication will not be able to authenticate in the domain and access domain resources by using LM and NTLM.

Severity of Setting

Critical

How to Configure

To configure NTLM compatibility for Windows Vista and Windows 7:

  1. Click Start > All Programs > Accessories > Run and type secpol.msc in the Open box, and then click OK.
  2. Click Local Policies > Security Options > Network Security: LAN Manager authentication level.
  3. Click Send LM & NTLM – use NTLMv2 session security if negotiated.
  4. Click Apply.

Configuring GPO to Force NTLMv2

Go to the GPO section Computer Configurations -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level.

computer configuration

You can also disable NTLMv1 through the registry. To do it, create a DWORD parameter with the name LmCompatibilityLevel and the value 0-5 in the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLsa. Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM NTLM”.

CIS certified

Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.

Related Articles

Domain Controller: LDAP Server Signing Requirements

Domain Controller: LDAP Server Signing Requirements

April 28, 2020

LDAP signing increases security in communication between LDAP clients and Active Directory domain controllers. LDAP…

RPC Endpoint Mapper Authentication and Hardening

RPC Endpoint Mapper Authentication and Hardening

May 30, 2024

RPC Endpoint Mapper This policy setting determines if RPC clients authenticate with the Endpoint Mapper…

How to Prevent Brute Force Attacks

How to Prevent Brute Force Attacks

March 5, 2024

What is a Brute Force Attack? A brute-force attack is a trial-and-error method hackers use…

Ready to simplify compliance?

See automated compliance in action—book your demo today!

Share this article