Windows NT SP4 introduced NTLMv2 Authentication which implements 128bit
encrypted keys and provides for a method to eliminate LANMAN hashes for NT
clients. LANMAN Password authenication is easy to
attack since it uses upper-case letters (reducing the set from 52 to 26 letters)
and limiting password length to 7 characters (effectively from a dictionary
attack viewpoint). To modify LANMAN values:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\LSA
Name:
LMCompatibilityLevel
Type: REG_DWORD
Value: 5 : DC refuses LM and NTLM responses (accepts only
NTLMv2)
Value: 4 : DC refuses LM
responses
Value: 3 : Send NTLMv2
response only
Value: 2 : Send NTLM
response only
Value: 1 : Use NTLMv2
session security if negotiated
Value: 0 : default – Send LM response and NTLM response;
never use NTLMv2 session security
You MUST read KB Q147706 –
How to Disable LM Authentication on Windows NT to understand compatibility
issues. Its lists gotchas and implementation suggestions. SP4 added levels 3-5
and added considerable complexity. Also see Q175641 –
LMCompatibilityLevel and Its Effects
For commercial networks, I suggest setting LMCompatibilityLevel to 1 on
all NT workstations and servers. NTLMv2 will be used when possible and allow
LANMAN compatibility for Win9x and Mac clients. In high-risk networks, set
LMCompatibilityLevel to 5 – eliminiates Win9x and its weak authenication
requirements.
