Restricting LAN Manager Authentication
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Due to advances in cracking tools and hardware capabilities, LAN Manager (LM) authentication is far more vulnerable to attack than the newer NTLM protocols. The LM response is derived from the LM hash, which is built by uppercasing the password, padding or truncating it to 14 characters and encrypting a fixed string under each 7-character half as an independent DES key; each half can therefore be brute-forced separately from a character set that is effectively limited to 69 symbols. NTLMv1 improves on this by using the case-sensitive NT hash, but its challenge-response is still DES-based and can be cracked offline from captured traffic; NTLMv2 adds an HMAC-MD5 response with a client challenge and timestamp, which removes those weaknesses. For this reason, it is important to restrict the use of LM (and, where possible, NTLMv1) authentication. Windows Server 2003 supports all three protocols, LM, NTLM, and NTLM version 2 (NTLMv2), to allow for compatibility with clients that do not support the newer ones.
If it is necessary in your organization to support LAN Manager authentication, you can increase security by enabling support of NTLMv2 whenever possible. Reducing or eliminating the use of LM authentication and NTLM version 1 (NTLMv1) removes the weak LM and NTLMv1 challenge responses from the network; an attacker who captures those responses can recover the password hash, or the password itself, offline. You can enable NTLMv2 support by doing the following:
Upgrading to at least Service Pack 4 (SP4) on all Windows NT 4.0–based clients
Installing the directory services client on all client computers that are running the Microsoft® Windows® 95 or Windows® 98 operating system. You can install the directory services client from the Windows Server 2003 operating system CD.
Tightening LAN Manager authentication policies. If all clients support NTLMv2, set the Domain Group Policy setting Network security: LAN Manager authentication level to Send NTLMv2 response only\refuse LM & NTLM. This policy is under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\, and it is stored on each computer as the REG_DWORD value LmCompatibilityLevel under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (level 5 for this setting). If some clients exist that do not support NTLMv2, set the LAN Manager authentication level to Send NTLM response only (level 2). At that level clients no longer send the LM response alongside the NTLM response, which removes the weakest ciphertext available to an attacker who captures the exchange. Note that the "refuse" levels also apply to the server side: a domain controller at level 5 rejects LM and NTLMv1 responses, so clients that can only produce those responses will fail to authenticate.
Clients that typically do not support NTLMv2 include Macintosh and Windows Services for UNIX.
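The following script is an added example, not part of the original article, that audits the local LAN Manager authentication level described in the steps above and optionally raises it. It reads the same LmCompatibilityLevel registry value that the Group Policy setting writes; the parameter names (-Required, -Fix) are this example's own, and it assumes it is run in an elevated PowerShell session on Windows Server 2003, where an absent value means the built-in default of 2.

```powershell
# Added example: audit and optionally raise the LAN Manager authentication level
# on the local computer. Not from the original article. Run elevated.
# The registry value below is the one written by the Group Policy setting
# "Network security: LAN Manager authentication level".
param(
    # Minimum acceptable level. 5 = Send NTLMv2 response only\refuse LM & NTLM.
    # Use 2 (Send NTLM response only) while clients that cannot do NTLMv2 remain.
    [ValidateRange(0, 5)][int]$Required = 5,
    # Without -Fix the script only reports; with -Fix it writes the value.
    [switch]$Fix
)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LmCompatibilityLevel'

# Meaning of each level, matching the policy's drop-down list.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

$item = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
if ($item -eq $null) {
    # Assumption: Windows Server 2003, whose default when the value is absent is 2.
    # Later Windows versions use a higher default, so adjust this if reused there.
    $current = 2
    Write-Host "$valueName is not set; assuming the Windows Server 2003 default of 2."
} else {
    $current = [int]$item.$valueName
}

Write-Host ("Current level : {0} ({1})" -f $current, $levels[$current])
Write-Host ("Required level: {0} ({1})" -f $Required, $levels[$Required])

if ($current -ge $Required) {
    Write-Host 'OK: LAN Manager authentication is already restricted to the required level.'
    exit 0
}

if ($current -le 1) {
    # Levels 0 and 1 still send the LM response, the weakest of the three.
    Write-Warning 'This computer still sends LM responses on the network.'
}

if (-not $Fix) {
    Write-Warning "Level $current is below $Required. Re-run with -Fix to raise it, or set it through Group Policy."
    exit 1
}

# Writing the value directly is equivalent to changing the local security policy;
# a domain Group Policy that also sets it will overwrite this at the next refresh.
Set-ItemProperty -Path $lsaKey -Name $valueName -Value $Required -Type DWord
Write-Host "Set $valueName to $Required. Re-run without -Fix to confirm."
```

Run it once without -Fix on a representative server and on a domain controller before rolling the setting out: a domain controller raised to level 5 will refuse LM and NTLMv1 responses from any remaining client that cannot produce NTLMv2, such as the Macintosh and Windows Services for UNIX clients mentioned above. This level controls only which responses are sent and accepted; whether the LM hash itself is still stored for each account is governed separately by the policy Network security: Do not store LAN Manager hash value on next password change.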