Share via


Setting the LAN Manager Authentication Level on a network that includes RIS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Setting the LAN Manager Authentication Level on a network that includes RIS

You can use the LAN Manager Authentication Level to set a level that specifies whether certain authentication protocols are available for network communication. When a user logs on at a RIS client, Remote Installation Services (RIS) uses either the first version of the NTLM authentication protocol or the second version, NTLMv2. Of the two protocols, NTLMv2 is significantly more secure because of the way it handles encryption keys.

For information about choosing the most appropriate LAN Manager Authentication Level in a network that includes RIS, see the table that appears later in this topic. For information about the different levels and how to view or change the setting, see Network security: LAN Manager authentication level.

When you set the LAN Manager Authentication Level, you should consider both your requirements for network security and your requirements for using a variety of operating systems. If you select the highest level (Send NTLMv2 response only\refuse LM & NTLM), only NTLMv2, the more secure protocol, is used; all computers involved in authentication must run software that supports NTLMv2. If you select a lower level (Send NTLM response only), NTLMv2 is used whenever possible, and NTLM is used only when required--that is, when one or more computers involved in authentication do not support NTLMv2.

The LAN Manager Authentication Level that is most appropriate depends upon which operating system is installed on the domain controllers, on the RIS servers, and on the clients you want to install. The following table provides criteria you can use to determine the appropriate LAN Manager Authentication Level.

Criteria for"Send NTLM response only" Criteria for"Send NTLMv2 response only\refuse LM & NTLM"

Domain controllers: any

Domain controllers can include those running a Windows 2000 Server operating system without a specific service pack. They do not have to be limited as described in the other column of this table.

Domain controllers: run either a Windows 2000 Server operating system with a specific service pack, or they run a Windows Server 2003 operating system.

In order to work with this authentication level, domain controllers must run either a Windows 2000 Server operating system with a specific service pack, or they must run a Windows Server 2003 operating system. For information about the service pack required in order to run a Windows 2000 Server operating system with this authentication level, search the Knowledge Base at the Microsoft Web site.

In addition, RIS servers and clients must also meet the requirements in this table.

RIS servers: any

RIS servers can include those that run Windows 2000. They do not have to be limited to those running Windows Server 2003.

RIS servers: run Windows Server 2003 only

In order to work with this authentication level, all RIS servers must run Windows Server 2003. In addition, domain controllers and clients must also meet the requirements in this table.

Clients: any

Clients can include those that run Windows 2000 or Windows XP without a service pack. They do not have to be limited to those running Windows Server 2003 or those running Windows XP with Service Pack 1 (SP1) or later.

Clients: run Windows XP with SP1 or later, or run Windows Server 2003

In order to work with this authentication level, clients must run either Windows XP with SP1 or later, or run Windows Server 2003. In addition, domain controllers and RIS servers must also meet the requirements in this table.

Overall effect of using "Send NTLM response only"

Security is not as strong, but you can choose from a wider range of operating systems.

Overall effect of using "Send NTLMv2 response only\refuse LM & NTLM"

Security is stronger, but you must choose from a narrower range of operating systems.

Note

  • This topic does not apply to Windows Server 2003, Web Edition.