This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is a [Group Policy Object] setting that determines which challenge/response [authentication] [protocol] is used for network logons.
[NT LAN Manager] (NTLM) includes client computer and server software from [Microsoft] that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools.
In [Microsoft Active Directory] [domains|AD DOMAIN], the [Kerberos] [protocol] is the default [authentication] [protocol]. However, if the [Kerberos] [protocol] is not negotiated for some reason, [Microsoft Active Directory] falls back to one of:
* [LM|LM hash]
* [NTLMv1]
* [NTLMv2]
[NT LAN Manager] [authentication] is the [protocol] that is used to [authenticate] all [client] computers running the [Windows Client] when they perform the following operations:
* [Join AD Domain]
* [authentication] between [AD Forests]
* [authentication] to [domains|AD DOMAIN] based on earlier versions of the [Microsoft] [Operating System]
* [authentication] to computers that do not run a [Microsoft] [Operating System] (beginning with [Windows Server 2000])
* [authentication] to computers that are not in the [domain|AD DOMAIN]
! Possible values
||Setting||Description||Registry security level
|Send [LM|LM hash] & [NTLMv1] responses|Client computers use [LM|LM hash] and [NTLMv1] [authentication], and they __never use [NTLMv2]__ session security. [Domain Controllers] accept [LM|LM hash], [NTLMv1], and [NTLMv2] [authentication].|0
|Send [LM|LM hash] & [NTLMv1] – use [NTLMv2] session security if negotiated|Client computers use [LM|LM hash] and [NTLMv1] [authentication], and they use [NTLMv2] session security if the [server] supports it. [Domain Controllers] accept [LM|LM hash], [NTLMv1], and [NTLMv2] [authentication].|1
|Send [NTLMv1] response only|Client computers use [NTLMv1] [authentication], and they use [NTLMv2] session security if the [server] supports it. [Domain Controllers] accept [LM|LM hash], [NTLMv1], and [NTLMv2] [authentication].|2
|Send [NTLMv2] response only|Client computers use [NTLMv2] [authentication], and they use [NTLMv2] session security if the [server] supports it. [Domain Controllers] accept [LM|LM hash], [NTLMv1], and [NTLMv2] [authentication].|3
|Send [NTLMv2] response only. __Refuse__ [LM|LM hash]|Client computers use [NTLMv2] [authentication], and they use [NTLMv2] session security if the [server] supports it. [Domain Controllers] __refuse to accept__ [LM|LM hash] [authentication], and they __accept only__ [NTLMv1] and [NTLMv2] [authentication].|4
|Send [NTLMv2] response only. __Refuse__ [LM|LM hash] & [NTLMv1]|[Windows Client] computers use [NTLMv2] [authentication], and they use [NTLMv2] session security if the [server] supports it. [Domain Controllers] __refuse to accept__ [LM|LM hash] and [NTLMv1] [authentication], and they __accept only__ [NTLMv2] [authentication].|5
%%information
Not all [Clients] and [Servers] in your environment are likely to be running [Microsoft] [Operating Systems]; there are probably some Network Attached Devices that use [CIFS] or [Samba].
%%
!! [Best Practices]
[Best Practices] are dependent on your specific [security] and [authentication] requirements.
We recommend setting [{$pagename}] to Send [NTLMv2] response only. [Microsoft] and a number of independent organizations strongly recommend this level of [authentication] when all client computers support [NTLMv2].
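The table above is easier to act on when the registry level is translated back into what a client sends and what a [Domain Controller] still accepts. The following PowerShell is an added example (not code from the original page): it reads the ''LmCompatibilityLevel'' value under ''HKLM\SYSTEM\CurrentControlSet\Control\Lsa'' (the registry form of this policy setting) or evaluates a level passed in, and reports it against the table and the recommendation above. The function and parameter names are this example's own choices.

```powershell
# Added example: map LmCompatibilityLevel (0-5) onto the table above.
# Registry path is the real location of this setting; function/parameter
# names are this example's own choices.
function Test-LmCompatibilityLevel {
    [CmdletBinding()]
    param(
        # Evaluate a given level instead of reading the local registry.
        [ValidateRange(0, 5)]
        [int] $Level
    )
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not $PSBoundParameters.ContainsKey('Level')) {
        $item = Get-ItemProperty -Path $regPath -Name 'LmCompatibilityLevel' `
                                 -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: the OS default applies; do not guess which one.
            Write-Warning 'LmCompatibilityLevel is not set; the OS default applies.'
            return $null
        }
        $Level = [int] $item.LmCompatibilityLevel
    }
    # Client side: which response this machine sends (table, column 2).
    $clientSends = switch ($Level) {
        0       { 'LM & NTLMv1' }
        1       { 'LM & NTLMv1' }
        2       { 'NTLMv1' }
        default { 'NTLMv2' }
    }
    # Server/DC side: which responses are still accepted (table, column 2).
    $dcAccepts = switch ($Level) {
        4       { 'NTLMv1, NTLMv2' }
        5       { 'NTLMv2' }
        default { 'LM, NTLMv1, NTLMv2' }
    }
    [pscustomobject]@{
        Level                   = $Level
        ClientSends             = $clientSends
        DcAccepts               = $dcAccepts
        # Recommendation on this page: client sends NTLMv2 only (levels 3-5).
        MeetsClientBestPractice = ($Level -ge 3)
        # Levels 0-3 still let domain controllers accept LM responses.
        DcStillAcceptsLM        = ($Level -le 3)
        DcStillAcceptsNTLMv1    = ($Level -le 4)
    }
}
# Usage: Test-LmCompatibilityLevel            # read the local machine
#        Test-LmCompatibilityLevel -Level 3   # evaluate a proposed level
```

Note that a level of 3 satisfies the client-side recommendation while a domain controller at that level still accepts LM and NTLMv1 responses from other clients; the `DcStillAccepts*` fields make that distinction visible.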
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]