Security

The NTLM protocol was the default for network authentication in Windows NT 4.0 and is based on a challenge response mechanism for client authentication. It is retained in Windows 2000 for compatibility with earlier client and server versions of Windows. NTLM is also used to authenticate logons to stand-alone computers with Windows 2000.

Computers with Microsoft Windows 3.11, Windows 95, Windows 98, or Windows NT 4.0 will use the NTLM protocol for network authentication in Windows 2000 domains. Computers running Windows 2000 will use NTLM when authenticating to servers running Windows NT 4.0 and when accessing resources in a Windows NT domain.

By default, Windows 2000 is installed in a mixed-mode network configuration, meaning a network configuration that uses any combination of Windows NT 4.0 and Windows 2000 computers. A Windows 2000 workstation or client manages the NTLM credentials entered at system logon on the client side and uses them when the client connects to Windows NT 4.0 servers using NTLM authentication. For compatibility, support for NTLM credentials in the Windows 2000 security subsystem is the same as in Windows NT 4.0.

As examples, the following configurations would use NTLM as the authentication mechanism:

  • A Windows 2000 Professional client authenticating to a Windows NT 4.0 domain controller.

  • A Microsoft Windows NT Workstation 4.0 client authenticating to a Windows 2000 domain controller.

  • A Windows NT Workstation 4.0 client authenticating to a Windows NT 4.0 domain controller.

  • Users in a Windows NT 4.0 domain authenticating to a Windows 2000 domain.

In addition, NTLM is the authentication protocol for computers that are not participating in a domain, such as stand-alone servers and workgroups.

The NTLM authentication package in Windows 2000 supports three methods of challenge/response authentication:

  • LAN Manager (LM). This is the least secure form of challenge/response authentication. It is available so that computers running Windows 2000 Professional can connect in share-level security mode to file shares on computers running Microsoft Windows for Workgroups, Windows 95, or Windows 98.

  • NTLM version 1. This is more secure than LM challenge/response authentication. It is available so that clients running Windows 2000 Professional can connect to servers in a Windows NT domain that has at least one domain controller running Windows NT 4.0 Service Pack 3 or earlier.

  • NTLM version 2. This is the most secure form of challenge/response authentication. It is used when clients running Windows 2000 Professional connect to servers in a Windows NT domain where all domain controllers have been upgraded to Windows NT 4.0 Service Pack 4 or later. It is also used when clients running Windows 2000 connect to servers running Windows NT in a Windows 2000 domain.

By default, all three challenge/response mechanisms are enabled. You can disable the weaker variants by setting the LAN Manager authentication level security option in the computer's local security policy.
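The LAN Manager authentication level option is stored in the registry as the `LmCompatibilityLevel` value under the LSA key. The fragment below is an added example, not part of the Resource Kit, showing the setting that makes a Windows 2000 client send only NTLMv2 responses (level 3); the level meanings in the comments are the documented values for this setting.

```reg
Windows Registry Editor Version 5.00

; LmCompatibilityLevel controls which challenge/response variants are sent and accepted:
;   0 = send LM and NTLM responses
;   1 = send LM and NTLM, use NTLMv2 session security if negotiated
;   2 = send NTLM response only
;   3 = send NTLMv2 response only
;   4 = send NTLMv2 only; domain controllers refuse LM
;   5 = send NTLMv2 only; domain controllers refuse LM and NTLM
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003
```

Level 3 removes LM and NTLMv1 from what this computer offers, which is the setting to use once every server it talks to is at Windows NT 4.0 Service Pack 4 or later; levels 4 and 5 matter only on domain controllers, where they reject the weaker responses from clients.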

For more information about configuring the LAN Manager authentication level, see Group Policy Reference on the Microsoft Windows 2000 Professional Resource Kit companion CD or the Windows 2000 Server Resource Kit.