Overview#

The LAN Manager authentication level is controlled by a Group Policy setting that determines which challenge/response authentication protocol is used for network logons.

NT LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools.

In Microsoft Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Microsoft Active Directory uses:

NT LAN Manager authentication is the protocol that is used to authenticate all client computers running the Windows Client when they perform the following operations:

Possible values#

| Setting | Description | Registry security level |
| --- | --- | --- |
| Send LM & NTLMv1 responses | Client computers use LM and NTLMv1 authentication, and they never use NTLMv2 session security. Domain Controllers accept LM, NTLMv1, and NTLMv2 authentication. | 0 |
| Send LM & NTLMv1 – use NTLMv2 session security if negotiated | Client computers use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain Controllers accept LM, NTLMv1, and NTLMv2 authentication. | 1 |
| Send NTLMv1 response only | Client computers use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain Controllers accept LM, NTLMv1, and NTLMv2 authentication. | 2 |
| Send NTLMv2 response only | Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain Controllers accept LM, NTLMv1, and NTLMv2 authentication. | 3 |
| Send NTLMv2 response only. Refuse LM | Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain Controllers refuse to accept LM authentication, and they will accept only NTLMv1 and NTLMv2 authentication. | 4 |
| Send NTLMv2 response only. Refuse LM & NTLMv1 | Windows Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain Controllers refuse to accept LM and NTLMv1 authentication, and they will accept only NTLMv2 authentication. | 5 |

Probably not all clients and servers in your environment run Microsoft operating systems. There are probably some network-attached devices that use CIFS or Samba.

Best Practices#

Best Practices are dependent on your specific security and authentication requirements.

We recommend that you set the LAN Manager authentication level setting to Send NTLMv2 responses only. Microsoft and a number of independent organizations strongly recommend this level of authentication when all client computers support NTLMv2.
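
An added example (not from the original page): a Python audit that reads each host's level from collected `reg query` output and, using the Possible values table, reports which hosts are unset, still send LM or NTLMv1, or would be refused outright once Domain Controllers move to a planned level. The registry value `LmCompatibilityLevel` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` is not named on this page, and the host names and sample output are constructed.

```python
import re

# Per-level behaviour transcribed from the "Possible values" table.
CLIENT_SENDS = {0: {"LM", "NTLMv1"}, 1: {"LM", "NTLMv1"}, 2: {"NTLMv1"},
                3: {"NTLMv2"}, 4: {"NTLMv2"}, 5: {"NTLMv2"}}
DC_ACCEPTS = {n: {"LM", "NTLMv1", "NTLMv2"} for n in range(4)}
DC_ACCEPTS.update({4: {"NTLMv1", "NTLMv2"}, 5: {"NTLMv2"}})
RECOMMENDED_MIN = 3  # "Send NTLMv2 response only"

def parse_level(reg_output):
    """Return the level from `reg query` text, or None if the value is not set."""
    match = re.search(r"LmCompatibilityLevel\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_output)
    if match is None:
        return None
    level = int(match.group(1), 16)
    if level not in CLIENT_SENDS:
        raise ValueError(f"level {level} is outside the documented range 0-5")
    return level

def can_authenticate(client_level, dc_level):
    """True if the DC accepts at least one response type the client sends."""
    return bool(CLIENT_SENDS[client_level] & DC_ACCEPTS[dc_level])

def audit(inventory, target_dc_level):
    """Classify each host against a planned Domain Controller level."""
    findings = {}
    for host, reg_output in inventory.items():
        level = parse_level(reg_output)
        if level is None:
            findings[host] = "unset"    # OS default applies; check on the host
        elif not can_authenticate(level, target_dc_level):
            findings[host] = "breaks"   # DC would refuse everything it sends
        elif level < RECOMMENDED_MIN:
            findings[host] = "weak"     # still sends LM and/or NTLMv1
        else:
            findings[host] = "ok"
    return findings

# Constructed sample (hypothetical hosts): per-host output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel
KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
INVENTORY = {
    "ws-01": KEY + "    LmCompatibilityLevel    REG_DWORD    0x5\n",
    "kiosk-02": KEY + "    LmCompatibilityLevel    REG_DWORD    0x1\n",
    "app-03": KEY + "    LmCompatibilityLevel    REG_DWORD    0x2\n",
    "srv-04": "ERROR: The system was unable to find the specified registry key or value.\n",
}

if __name__ == "__main__":
    print(audit(INVENTORY, target_dc_level=5))
```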

More Information#

There might be more information for this subject on one of the following:

« This page (revision-8) was last changed on 21-Jun-2017 11:27 by jim