
LAN Manager Authentication Level

LMCompatibilityLevel, or "Network security: LAN Manager authentication level" as it is called in Group Policy on Windows XP and higher (it is simply "LAN Manager authentication level" on Windows 2000), governs which authentication protocols a system will send as a client and which it will accept as a server. We recommend setting it to at least 4, "Send NTLMv2 response only\refuse LM", on all systems. At that level the system sends only NTLMv2 responses and refuses LM responses from others, so you will break access to and from Windows 9x systems as well as some versions of Samba.

It is important to recognize that even with LAN Manager authentication level configured to 4, the system will still emit LM and NTLM responses in certain cases; for instance, with programs that use the NTLM Security Support Provider (SSP) directly, such as RPC. To prevent this, you need to configure the two "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" and "... servers" settings. These settings govern the protection the SSP will insist on for a session. Each is a set of four options that can be combined:

  1. Require message integrity
  2. Require message confidentiality
  3. Require NTLMv2 session security
  4. Require 128-bit encryption

To force NTLMv2, you need to select at least option 3. In addition, if you turn off storage of LM hashes, you must select options 1, 2 and 3 for RPC authentication over UDP to keep working. Services that use such authentication include the Windows Clustering Service, so if you simply disable LM hash storage you may break your clusters unless you also configure the NTLM SSP client-side setting. We recommend setting the NTLM SSP client to require message integrity, message confidentiality and NTLMv2 session security. Require 128-bit encryption at your discretion; most applications negotiate it anyway. Configuring this setting will only break applications that are specifically coded not to allow use of NTLMv2.
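The following PowerShell script, added here as an example and not part of the original text, audits a machine against the recommendations above (both the LAN Manager authentication level and the NTLM SSP minimum session security settings) and can apply them with -Apply. It reads the registry values behind the Group Policy settings: LmCompatibilityLevel and NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and NtlmMinClientSec / NtlmMinServerSec under the MSV1_0 subkey, where the four options correspond to the flag bits 0x10, 0x20, 0x80000 and 0x20000000. The recommended values encoded in the script are the ones from the text; the assumption that a missing registry value should be reported as "not set" and counted as a finding is the script's own.

```powershell
# Added example (not from the original page): audit and optionally set the
# LAN Manager authentication level and NTLM SSP minimum session security.
# Assumptions: run elevated on Windows XP/2003 or later; a value that is absent
# from the registry is reported as "not set" and treated as a finding.
param([switch]$Apply)

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = Join-Path $LsaKey 'MSV1_0'

# The four "Minimum session security" options and the flag bit each one sets
# in NtlmMinClientSec / NtlmMinServerSec.
$SessionFlags = [ordered]@{
    'Require message integrity'       = 0x00000010
    'Require message confidentiality' = 0x00000020
    'Require NTLMv2 session security' = 0x00080000
    'Require 128-bit encryption'      = 0x20000000
}

# Display names of LmCompatibilityLevel 0 through 5.
$LmLevelNames = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only\refuse LM',
    'Send NTLMv2 response only\refuse LM & NTLM'
)

# Recommendations from the text: level 4 or higher, and options 1, 2 and 3
# (integrity, confidentiality, NTLMv2 session security) for the SSP client.
$RecommendedLevel = 4
$RecommendedSec   = 0x00000010 -bor 0x00000020 -bor 0x00080000   # 0x00080030

function Get-RegDword([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }      # value not set; OS default applies
    return [int]$item.$Name
}

function Show-SessionSecurity([string]$Label, $Flags) {
    if ($null -eq $Flags) { Write-Host "${Label}: (not set)"; return }
    Write-Host ("{0}: 0x{1:X8}" -f $Label, $Flags)
    foreach ($entry in $SessionFlags.GetEnumerator()) {
        $mark = if (($Flags -band $entry.Value) -ne 0) { 'x' } else { ' ' }
        Write-Host ("    [{0}] {1}" -f $mark, $entry.Key)
    }
}

$level     = Get-RegDword $LsaKey   'LmCompatibilityLevel'
$noLmHash  = Get-RegDword $LsaKey   'NoLMHash'
$clientSec = Get-RegDword $Msv10Key 'NtlmMinClientSec'
$serverSec = Get-RegDword $Msv10Key 'NtlmMinServerSec'

if ($null -eq $level) { Write-Host 'LmCompatibilityLevel: (not set)' }
else { Write-Host ("LmCompatibilityLevel: {0} ({1})" -f $level, $LmLevelNames[$level]) }
Write-Host ("NoLMHash: {0}" -f $(if ($null -eq $noLmHash) { '(not set)' } else { $noLmHash }))
Show-SessionSecurity 'NtlmMinClientSec' $clientSec
Show-SessionSecurity 'NtlmMinServerSec' $serverSec

# Compare against the recommendations and explain each gap.
$findings = @()
if ($null -eq $level -or $level -lt $RecommendedLevel) {
    $findings += "LmCompatibilityLevel should be at least $RecommendedLevel (NTLMv2 only, refuse LM)."
}
$clientOk = ($null -ne $clientSec) -and (($clientSec -band $RecommendedSec) -eq $RecommendedSec)
if (-not $clientOk) {
    $findings += 'NtlmMinClientSec should require integrity, confidentiality and NTLMv2 session security.'
    if ($noLmHash -eq 1) {
        # The failure mode called out in the text: LM hash storage is off but
        # the SSP client is not configured, so RPC over UDP (e.g. clustering) can break.
        $findings += 'NoLMHash is set without SSP client options 1-3: RPC over UDP (clustering) may fail.'
    }
}

if ($findings.Count -eq 0) { Write-Host 'OK: settings meet the recommendation.' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }

if ($Apply -and $findings.Count -gt 0) {
    Set-ItemProperty -Path $LsaKey   -Name 'LmCompatibilityLevel' -Value $RecommendedLevel -Type DWord
    Set-ItemProperty -Path $Msv10Key -Name 'NtlmMinClientSec'     -Value $RecommendedSec   -Type DWord
    Set-ItemProperty -Path $Msv10Key -Name 'NtlmMinServerSec'     -Value $RecommendedSec   -Type DWord
    Write-Host 'Applied recommended values; the NTLM SSP settings take effect for new sessions.'
}
```

Run it without switches first to see what is currently in force; the decoded flag list makes it obvious when a machine has "Require 128-bit encryption" set but not "Require NTLMv2 session security", which is a common state on newer Windows defaults. The script deliberately does not touch NoLMHash: the text's point is that disabling LM hash storage is safe only once the SSP client options are in place, so that change belongs to a separate, ordered step.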
