|Changing LAN Manager Authentication on Windows NT (Windows NT)|
Category: Home > Security > Network
Windows NT supports two kinds of challenge/response authentication: LanManager (LM) and Windows NT (NTLM). LM authentication is not as strong as Windows NT authentication so some customers may want to disable its use, because an attacker sniffing the network traffic could possibly attack the weaker protocol.
The implementation of the NTLM Security Service Provider (SSP) in Server Pack 4 has been enhanced to allow clients to control which variants of NTLM are used, and to allow servers to control which variants they will accept.
To change the type of authentication to be used modify the key below with the following values:
Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)
Note: Currently only Windows NT 4.0 (SP4 and greater) support NTLMv2.
|(Default)||REG_SZ||(value not set)|
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]|
Type: REG_DWORD (DWORD Value)
Value: 0 (default) to 5 as defined above
Disclaimer: Modifying the registry can cause serious problems that may require you to reinstall your operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.
Last Modified: May 14, 2002