NTLMv2 NT Authenication in NT and Win9x clients


Windows NT SP4 introduced NTLMv2 Authentication which implements 128bit
encrypted keys and provides for a method to eliminate LANMAN hashes for NT
clients. LANMAN Password authenication is easy to
attack since it uses upper-case letters (reducing the set from 52 to 26 letters)
and limiting password length to 7 characters (effectively from a dictionary
attack viewpoint). To modify Windows NT LANMAN values:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\LSA
Name:
LMCompatibilityLevel
Type: REG_DWORD
Value: 5 : DC refuses LM and NTLM responses (accepts only
NTLMv2)
Value: 4 : DC refuses LM
responses
Value: 3 : Send NTLMv2
response only
Value: 2 : Send NTLM
response only
Value: 1 : Use NTLMv2
session security if negotiated
Value: 0 : default – Send LM response and NTLM response;
never use NTLMv2 session security

You MUST read KB Q147706
– How to Disable LM Authentication on Windows NT
to understand compatibility
issues. Its lists gotchas and implementation suggestions. SP4 added levels 3-5
and added considerable complexity. Also see Q175641
– LMCompatibilityLevel and Its Effects

For commercial networks, I suggest setting LMCompatibilityLevel to 1 on
all NT workstations and servers. NTLMv2 will be used when possible and allow
LANMAN compatibility for Win95, Win98, and Mac clients. In high-risk networks,
set LMCompatibilityLevel to 5 – eliminiates Win9x and its weak authenication
requirements.
With the introduction of Windows 2000, Microsoft has provided
a method to add NTLMv2 support into Win9x clients. You do this by installing and
uninstalling the Directory Services Client included on the Windows 2000 CD-ROM.
The installation updates the authenication components in Win9x to NTLMv2
compatibility and when the client is uninstalled, these enhanced system
components remain! The steps needed to add this functionality is documented in
Microsoft’s kb article Q239869
(article offline 4/26/2002). With this enhancement, it is no longer
necessary to have an all NT workstation environment to gain NTLMv2
authenication.

Leave a Comment

Your email address will not be published.

Scroll to Top