Changes in NTLM Authentication

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes two significant changes in the NTLM authentication protocol in Windows 7 and Windows Server 2008 R2.

NTLM 128-bit minimum session security

In Windows 7 and Windows Server 2008 R2, NTLM-based minimum session security policy is set to require a minimum of 128-bit encryption for both client computers and servers for new installations of Windows. This requires that all network devices and operating systems using NTLM support 128-bit encryption. Existing session security will be retained when upgrading Windows from an earlier Windows version.

If client or server applications need NTLM with the weaker 40-bit or 56-bit encryption, you will need to clear the Require 128-bit encryption check box in the corresponding policy settings:

  • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

  • Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

System services NTLM fallback with computer identity

When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008, services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption are supported in order to provide data protection.

You can configure the Network security: Allow Local System to use computer identity for NTLM security policy setting to allow Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.

If you do not configure this policy setting, services running as Local System that use the default credentials and a NULL session revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. This might cause some authentication requests between Windows operating systems to fail and display an error.
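As an added example that is not part of the original article, the following PowerShell audit reads the registry values behind the three policy settings named above (the two Minimum session security settings and Allow Local System to use computer identity for NTLM) and reports whether 128-bit encryption is required and whether computer identity fallback is enabled. The registry paths, value names and flag bits are assumptions drawn from general knowledge of the MSV1_0 settings, not from this page.

```powershell
# Added audit example (not from the original article). Registry locations and flag
# values below are assumptions from general knowledge of the MSV1_0 settings, not this page.
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'   # NtlmMinClientSec / NtlmMinServerSec
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'          # UseMachineId

$Require128Bit = 0x20000000   # bit set by the "Require 128-bit encryption" check box
$RequireNtlmv2 = 0x00080000   # bit set by the "Require NTLMv2 session security" check box

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: policy not explicitly configured
    return [int]$item.$Name
}

function Test-NtlmSessionSecurity {
    # One row per "Minimum session security" policy (clients and servers)
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $flags = Get-RegistryDword -Path $Msv1Key -Name $name
        if ($null -eq $flags) {
            $raw = 'not set'; $has128 = $false; $hasV2 = $false
        } else {
            $raw    = '0x{0:X8}' -f $flags
            $has128 = ($flags -band $Require128Bit) -ne 0
            $hasV2  = ($flags -band $RequireNtlmv2) -ne 0
        }
        [pscustomobject]@{ Setting = $name; RawValue = $raw; Require128Bit = $has128; RequireNTLMv2 = $hasV2 }
    }

    # "Allow Local System to use computer identity for NTLM": 1 = enabled, absent = not configured
    $useMachineId = Get-RegistryDword -Path $LsaKey -Name 'UseMachineId'
    $machineRaw = 'not set'
    if ($null -ne $useMachineId) { $machineRaw = $useMachineId }
    [pscustomobject]@{ Setting = 'UseMachineId'; RawValue = $machineRaw; Require128Bit = 'n/a'; RequireNTLMv2 = 'n/a' }
}

# A fresh Windows 7 / Server 2008 R2 install should show Require128Bit = True on both
# NtlmMin* rows; False indicates the check box was cleared for 40/56-bit compatibility.
Test-NtlmSessionSecurity | Format-Table -AutoSize
```

Rows reporting "not set" mean the policy is not explicitly configured in the registry, so the operating system default for that version applies.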