!!! Overview
[{$pagename}] is controlled by a [Group Policy Object] and determines which challenge or response [authentication] [protocol] is used for network logons. 

[NT LAN Manager] (LM) includes client computer and server software from [Microsoft] that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. 

In [Microsoft Active Directory] [domains|AD DOMAIN], the [Kerberos] [protocol] is the default [authentication] [protocol]. However, if the [Kerberos] [protocol] is not negotiated for some reason, [Microsoft Active Directory] uses:
* [LM|LM hash]
* [NTLMv1]
* [NTLMv2]

[NT LAN Manager] [authentication] is the [protocol] that is used to [authenticate] all [client] computers running the [Windows Client] when they perform the following operations:
* [Join AD Domain]
* [authentication] between [AD Forests]
* [authentication] to [domains|AD DOMAIN] based on earlier versions of the [Microsoft] [Operating System]
* [authentication] to computers that do not run [Microsoft] [Operating System] (beginning with [Windows Server 2000])
* [authentication] to computers that are not in the [domain|AD DOMAIN]

! Possible values
||Setting||Description||Registry security level
|Send [LM|LM hash] & [NTLMv1] responses|Client computers use [LM|LM hash] and [NTLMv1] [authentication], and they __never use [NTLMv2]__ session security. [Domain Controllers] accept [LM|LM hash], [NTLMv1], and [NTLMv2] [authentication].|0
|Send [LM|LM hash] & [NTLMv1] – use NTLMv2 session security if negotiated|Client computers use [LM|LM hash] and NTLM [authentication], and they use [NTLMv2] session security if the [server] supports it. [Domain Controllers] accept [LM|LM hash], [NTLMv1], and [NTLMv2] [authentication].|1
|Send [NTLMv1] response only|Client computers use [NTLMv1] [authentication], and they use [NTLMv2] session security if the [Server] supports it. [Domain Controllers] accept [LM|LM hash], [NTLMv1], and [NTLMv2] [authentication].|2
|Send NTLMv2 response only|Client computers use [NTLMv2] [authentication], and they use [NTLMv2] session security if the [server] supports it. [Domain Controllers] accept [LM|LM hash], [NTLMv1], and [NTLMv2] [authentication].|3
|Send NTLMv2 response only. Refuse [LM|LM hash]|Client computers use [NTLMv2] [authentication], and they use [NTLMv2] session security if the [Server] supports it. [Domain Controllers] __refuse to accept__ [LM|LM hash] [authentication], and they will __accept only__ [NTLMv1] and NTLMv2 [authentication].|4
|Send [NTLMv2] response only. __Refuse__ [LM|LM hash] & [NTLMv1]|[Windows Client] computers use [NTLMv2] [authentication], and they use NTLMv2 session security if the [Server] supports it. [Domain Controllers] __refuse to accept__ [LM|LM hash] and [NTLMv1] [authentication], and they __will accept only__ [NTLMv2] [authentication].|5

%%information
Probably NOT all [Clients] and [Servers] within your environment run [Microsoft] [Operating Systems]. There are probably some Network Attached Devices that use [CIFS] or [Samba].
%%

!! [Best Practices]
[Best Practices] are dependent on your specific [security] and [authentication] requirements.

We recommend you set the [{$pagename}] setting to Send [NTLMv2] response only. [Microsoft] and a number of independent organizations strongly recommend this level of [authentication] when all client computers support [NTLMv2].
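
To check a machine against this recommendation, the following added example (not part of the original page or of any Microsoft tooling) decodes a registry security level into the client and [Domain Controllers] behaviour listed in the table above. It assumes the level is stored as the LmCompatibilityLevel DWORD under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, and that levels above 3 also satisfy the recommendation; the function names are hypothetical.

```powershell
# Added example: decode and audit the LAN Manager authentication level.
# Assumption: the "Registry security level" column is stored as the
# LmCompatibilityLevel DWORD under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.

function ConvertTo-LmLevelReport {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level,
        # 3 = "Send NTLMv2 response only", the level recommended on this page.
        [int]$RecommendedMinimum = 3
    )
    # Each flag follows the "Possible values" table row by row.
    [pscustomobject]@{
        Level                 = $Level
        ClientSendsLM         = $Level -le 1
        ClientSendsNTLMv1     = $Level -le 2
        ClientSendsNTLMv2     = $Level -ge 3
        NTLMv2SessionSecurity = $Level -ge 1   # only if the server supports it
        DCAcceptsLM           = $Level -le 3
        DCAcceptsNTLMv1       = $Level -le 4
        MeetsRecommendation   = $Level -ge $RecommendedMinimum
    }
}

function Get-LmAuthLevel {
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa')
    $prop = Get-ItemProperty -Path $Path -Name LmCompatibilityLevel `
                             -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the setting is not configured in the registry,
        # so the operating system default applies. Report that explicitly
        # instead of guessing a level.
        return [pscustomobject]@{ Level = $null; Configured = $false }
    }
    ConvertTo-LmLevelReport -Level $prop.LmCompatibilityLevel
}

# Constructed sample input: decode every level from the table.
0..5 | ForEach-Object { ConvertTo-LmLevelReport -Level $_ } |
    Format-Table -AutoSize

# Audit the local machine (requires Windows).
Get-LmAuthLevel
```

Any host reporting ClientSendsLM or ClientSendsNTLMv1 as True is a candidate for the Network Attached Device check mentioned above before the level is raised.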


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]