Networking / Beginners

LAN Manager Authentication Level

LAN Manager authentication is an authentication system that allows Windows 2000 servers to work with Windows 95 and Windows 98 clients (as well as Windows for Workgroups). LAN Manager authentication schemes are significantly weaker than the NTor Windows 2000 authentication systems (calledNTLMv2) and thus may allow an intruder to perform a brute-force attack on the encrypted passwords using much less computing power. To force the use of NTLM v2 authentication, use the following settings:

  1. Select the LAN Manager Authentication Level policy setting.
  2. Select the appropriate level from the pull-down menu.

The value you set depends upon your environment. There are six levels defined as:

  • Send LM and NTLM Responses-This is the default level. Send both LAN Manager and NTLM responses. The system will never use NTLM v2 session security.
  • Send LM and NTLM, Use NTLM v2 If Negotiated.
  • Send NTLM Response Only.
  • Send NTLM v2 Response Only.
  • Send NTLM v2 Response Only, Refuse LM.
  • Send NTLM v2 Response Only, Refuse LM and NTLM.

NOTE: Before making the change to this policy setting, determine the operating requirements for your network. If you have Windows 95 or Windows 98 clients on your network, you must allow LAN Manager responses.

Additional Restrictions for Anonymous Connections

This policy setting allows the administrator to define what is allowed via an anonymous connection. The three choices are

  • None, Rely On Default Permissions
  • Do Not Allow Enumeration of SAM Accounts and Shares
  • No Access Without Explicit Anonymous Permissions

These settings can prevent null user sessions from gaining information about users on a system.

[Previous] [Contents] [Next]