Network security: LAN Manager authentication level
Describes the best practices, location, values, policy management, and security considerations for the Network security: LAN Manager authentication level security policy setting.
Reference
This policy setting determines which challenge/response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. If the Kerberos protocol cannot be negotiated for some reason, Active Directory falls back to LM, NTLM, or NTLM version 2 (NTLMv2).
LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is the protocol used to authenticate all client devices running the Windows operating system when they perform the following operations:
- Join a domain
- Authenticate between Active Directory forests
- Authenticate to domains based on earlier versions of the Windows operating system
- Authenticate to computers that do not run Windows operating systems (beginning with Windows 2000)
- Authenticate to computers that are not in the domain
Possible values
- Send LM & NTLM responses
- Send LM & NTLM - use NTLMv2 session security if negotiated
- Send NTLM response only
- Send NTLMv2 response only
- Send NTLMv2 response only. Refuse LM
- Send NTLMv2 response only. Refuse LM & NTLM
The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept. The following table identifies each policy setting, describes it, and gives the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting.
Setting | Description | Registry security level
Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 0
Send LM & NTLM - use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 1
Send NTLM response only | Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 2
Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 3
Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication and accept only NTLM and NTLMv2 authentication. | 4
Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM authentication and accept only NTLMv2 authentication. | 5
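As an added example (not part of the original page or of Microsoft's documentation), the following PowerShell reads the local setting and decodes it with the table above, treating the recommended level 3 as the compliance floor. It assumes the level is stored in the REG_DWORD value LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which this page does not name, and the function name Get-LmAuthLevelReport is hypothetical.

```powershell
# Added example, not from the original page: read the local LAN Manager authentication level
# and decode it with the six-row table above, flagging anything below the recommended level 3.
# Assumption (the page does not name the registry value): the level is the REG_DWORD
# 'LmCompatibilityLevel' under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Transcribed from the table: the setting name and what a domain controller accepts at each level.
$LevelTable = @{
    0 = @{ Setting = 'Send LM & NTLM responses';                                   DCAccepts = 'LM, NTLM, NTLMv2' }
    1 = @{ Setting = 'Send LM & NTLM - use NTLMv2 session security if negotiated'; DCAccepts = 'LM, NTLM, NTLMv2' }
    2 = @{ Setting = 'Send NTLM response only';                                    DCAccepts = 'LM, NTLM, NTLMv2' }
    3 = @{ Setting = 'Send NTLMv2 response only';                                  DCAccepts = 'LM, NTLM, NTLMv2' }
    4 = @{ Setting = 'Send NTLMv2 response only. Refuse LM';                       DCAccepts = 'NTLM, NTLMv2' }
    5 = @{ Setting = 'Send NTLMv2 response only. Refuse LM & NTLM';                DCAccepts = 'NTLMv2' }
}

function Get-LmAuthLevelReport {
    param(
        # Countermeasure on this page: Send NTLMv2 response only (level 3) or stricter.
        [ValidateRange(0, 5)] [int] $RequiredLevel = 3
    )

    # A missing value means the policy is "Not defined" and the operating system default applies.
    $item  = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    $level = if ($null -ne $item) { [int]$item.$ValueName } else { $null }
    $row   = if ($null -ne $level) { $LevelTable[$level] } else { $null }

    [PSCustomObject]@{
        Computer  = $env:COMPUTERNAME
        Level     = if ($null -ne $level) { $level } else { 'Not defined' }
        Setting   = if ($row) { $row.Setting } else { 'Not defined or unrecognised value' }
        DCAccepts = if ($row) { $row.DCAccepts } else { 'unknown' }
        # "Not defined" is reported as non-compliant: the effective level is not pinned by policy.
        Compliant = [bool]($row -and $level -ge $RequiredLevel)
        # Per the table, levels 0-3 still let a domain controller accept LM and NTLM from other hosts;
        # the client-side countermeasure alone does not make the DC refuse them.
        Note      = if ($row -and $level -le 3) { 'DC still accepts LM and NTLM; level 4 or 5 refuses them.' } else { '' }
    }
}

Get-LmAuthLevelReport | Format-List
```

Run it on a domain controller to see the second caveat in practice: a DC at level 3 meets the page's countermeasure for what it sends, yet still accepts LM and NTLM from clients until it is raised to 4 or 5.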
Best practices
Best practices are determined by the specific security and authentication requirements of your organization.
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
Server type or Group Policy Object | Default value
Default Domain Policy | Not defined
Default Domain Controller Policy | Not defined
Stand-Alone Server Default Settings | Send NTLMv2 response only
DC Effective Default Settings | Send NTLMv2 response only
Member Server Effective Default Settings | Send NTLMv2 response only
Client Computer Effective Default Settings | Not defined
Policy management
This section describes the features and tools that are available to help you manage this policy.
Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
Group Policy
Modifying this setting may affect compatibility with client devices, services, and applications.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of implementing the countermeasure.
Vulnerability
In Windows 7 and Windows Vista, this setting is undefined. In Windows Server 2008 R2 and later, this setting is configured to Send NTLMv2 responses only.
Countermeasure
Configure the Network security: LAN Manager Authentication Level setting to Send NTLMv2 responses only. Microsoft and many independent organizations strongly recommend this level of authentication when all client computers support NTLMv2.
Potential impact
Client devices that do not support NTLMv2 authentication cannot authenticate in the domain or access domain resources by using LM and NTLM.