Overview#
The LAN Manager authentication level setting (Group Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level) determines which challenge/response authentication protocol a computer sends for network logons and, on the server side, which responses it accepts. The setting is stored in the registry as the LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. LAN Manager (LM) was Microsoft's early client and server networking software for linking personal computers on a single network, providing transparent file and print sharing, user security features, and network administration tools. Its challenge/response scheme survives in Windows as LM authentication, which was superseded first by NTLM (NTLMv1) and then by NTLMv2.
In Microsoft Active Directory domains, Kerberos has been the default authentication protocol since Windows 2000. When Kerberos cannot be negotiated, Windows falls back to NTLM. NTLM is also the protocol used to authenticate Windows client computers when they perform the following operations:
- joining an AD domain
- authentication between AD forests over trusts that do not support Kerberos (external trusts)
- authentication to domains running earlier versions of Windows (Windows NT 4.0 and before)
- authentication to computers that do not run a Microsoft operating system
- authentication to computers that are not domain members, and to domain members reached by IP address rather than by name, since Kerberos needs a service principal name to request a ticket
Possible values#
Setting | Description | Registry value (LmCompatibilityLevel) |
---|---|---|
Send LM & NTLMv1 responses | Client computers use LM and NTLMv1 authentication, and they never use NTLMv2 session security. Domain Controllers accept LM, NTLMv1, and NTLMv2 authentication. | 0 |
Send LM & NTLMv1 – use NTLMv2 session security if negotiated | Client computers use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain Controllers accept LM, NTLMv1, and NTLMv2 authentication. | 1 |
Send NTLMv1 response only | Client computers use NTLMv1 authentication, and they use NTLMv2 session security if the Server supports it. Domain Controllers accept LM, NTLMv1, and NTLMv2 authentication. | 2 |
Send NTLMv2 response only | Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain Controllers accept LM, NTLMv1, and NTLMv2 authentication. | 3 |
Send NTLMv2 response only. Refuse LM | Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the Server supports it. Domain Controllers refuse to accept LM authentication, and they will accept only NTLMv1 and NTLMv2 authentication. | 4 |
Send NTLMv2 response only. Refuse LM & NTLMv1 | Windows Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the Server supports it. Domain Controllers refuse to accept LM and NTLMv1 authentication, and they will accept only NTLMv2 authentication. | 5 |
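The following PowerShell is an added example, not code from the original page: it reads the LmCompatibilityLevel value that backs this policy, maps it to the setting names in the table, and reports what the host still sends and accepts. The function names are this example's own; the only facts it relies on are the registry location and the OS default of 3 when the value is not set.

```powershell
# Added example (not part of the original page): inspect and change the
# LmCompatibilityLevel value that backs "Network security: LAN Manager
# authentication level". Function names are this example's own.
# Run in an elevated PowerShell session to change the value.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Numeric registry value -> policy setting name, as in the table above.
$LmLevelNames = @{
    0 = 'Send LM & NTLMv1 responses'
    1 = 'Send LM & NTLMv1 - use NTLMv2 session security if negotiated'
    2 = 'Send NTLMv1 response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLMv1'
}

function Get-LmCompatibilityLevel {
    # When the value is absent the policy is "Not Defined" and the OS default
    # applies; on Windows 7 / Server 2008 R2 and later that default is 3.
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $level  = 3
        $source = 'OS default (value not set)'
    } else {
        $level  = [int]$item.LmCompatibilityLevel
        $source = 'Registry (local policy or GPO)'
    }
    [pscustomobject]@{
        Level               = $level
        Setting             = $LmLevelNames[$level]
        Source              = $source
        # Client side: what this computer sends.
        ClientSendsLM       = ($level -le 1)
        ClientSendsNTLMv1   = ($level -le 2)
        # Server side: what this computer (or a DC) still accepts.
        ServerAcceptsLM     = ($level -le 3)
        ServerAcceptsNTLMv1 = ($level -le 4)
    }
}

function Set-LmCompatibilityLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 5)]
        [int]$Level
    )
    # Writes the value directly. On a domain-joined machine a GPO that defines
    # the policy will overwrite it at the next refresh, so the lasting fix is
    # the GPO; this is for standalone hosts and for testing.
    Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
    Get-LmCompatibilityLevel
}

# Usage: report the current level and warn if legacy responses are still accepted.
$current = Get-LmCompatibilityLevel
$current | Format-List
if ($current.ServerAcceptsNTLMv1) {
    $legacy = if ($current.ServerAcceptsLM) { 'LM and NTLMv1' } else { 'NTLMv1' }
    Write-Warning ("Level {0} ({1}): this host still accepts {2} responses; level 5 refuses both." -f $current.Level, $current.Setting, $legacy)
}
# To enforce on this host: Set-LmCompatibilityLevel -Level 5
```

The split into client-side and server-side flags is the point of the table: levels 0 to 3 only change what the computer sends, while levels 4 and 5 are the ones that make a server or domain controller start refusing LM and NTLMv1 from others.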
Best Practices#
Best practices depend on your specific security and authentication requirements. We recommend setting LAN Manager authentication level to Send NTLMv2 response only (level 3) at a minimum; Microsoft and a number of independent organizations strongly recommend this level when all client computers support NTLMv2. Keep in mind that level 3 only governs what the computer sends: as a server or domain controller it still accepts LM and NTLMv1 responses from other clients. To stop accepting them, raise the level to Send NTLMv2 response only. Refuse LM & NTLMv1 (level 5), which is the value used in Microsoft's security baselines. LM responses are derived from the LM hash, which is trivially cracked, and an NTLMv1 response can be cracked to recover the account's NT hash, so neither should remain in use. Because clients that still send LM or NTLMv1 will fail to authenticate once domain controllers are at level 5, audit Security event 4624 on the domain controllers first to find those clients and fix or except them before enforcing.
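The audit step above, as an added example rather than code from the original page: Security event 4624 records the NTLM version used in its "LmPackageName" field ("LM", "NTLM V1" or "NTLM V2"), so a query over that field on each domain controller shows which hosts still send legacy responses before the level is raised to 5. The function name is this example's own.

```powershell
# Added example (not part of the original page): list Security log 4624 logons
# that used LM or NTLMv1, so the clients sending them can be found before
# domain controllers are set to refuse them. Function name is this example's own.
# Run on each domain controller, or point -ComputerName at a log collector.

function Get-LegacyNtlmLogons {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7,
        [int]$MaxEvents = 10000
    )
    # The XPath filter is evaluated by the event log service, so only matching
    # 4624 events are returned. timediff() works in milliseconds.
    $ms = [int64]$Days * 24 * 60 * 60 * 1000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='LmPackageName']='NTLM V1'" +
             " or Data[@Name='LmPackageName']='LM']]"

    Get-WinEvent -ComputerName $ComputerName -LogName 'Security' -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Null sessions (ANONYMOUS LOGON) are logged as NTLM V1 regardless of
            # the client's level and are governed by separate policy, so skip them.
            if ($d['TargetUserName'] -eq 'ANONYMOUS LOGON') { return }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
                LogonType   = $d['LogonType']
                NtlmVersion = $d['LmPackageName']
            }
        }
}

# Usage: which source hosts still send LM/NTLMv1, most frequent first.
Get-LegacyNtlmLogons -Days 30 |
    Group-Object Workstation, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each workstation that shows up is either a host whose own level is below 3, or a device (printer, appliance, non-Windows client) that only speaks LM/NTLMv1. Those are the ones to remediate or explicitly exempt before the domain controllers move to level 5.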