In tip 807, I introduced LMCompatibilityLevel.
Prior to Windows NT 4.0 SP4, NT supported LanManager (LM) challenge/response and Windows NT (NTLM) challenge/response.
SP4 implements a third authentication method called NTLMv2, which is significantly more secure, and a mechanism for servers and clients to control which NTLM variant is used.
NOTE: NTLM authentication using all 14 password characters, mixed case, alphanumerics, and special characters can take 2000+ years to crack using a 200MHz Pentium Pro. See http://www.rsa.com/des/.
The changes affect any application that uses RPC or the NTLM SSP.
NTLMv2 session security is negotiated automatically when both client and server are running SP4, but it must be configured explicitly for the datagram (connectionless) variant. Use Regedt32 to navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
Add Value name LMCompatibilityLevel as a type REG_DWORD. The default value is 0:
Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
Level 1 - Send LM response and NTLM response; use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only; use NTLMv2 session security if negotiated
Level 3 - Send NTLMv2 response only; use NTLMv2 session security if negotiated
Level 4 - Send NTLMv2 response only; DC refuses LM responses
Level 5 - Send NTLMv2 response only; DC refuses LM and NTLM responses (accepts only NTLMv2)

To control the NTLM SSP, navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\MSV1_0
Configure the following values:
Value: NtlmMinClientSec
Value Type: REG_DWORD - The default value is 0.
Valid Range: the logical 'or' of any of the following values: 0x00000010, 0x00000020, 0x00080000, 0x20000000

Value: NtlmMinServerSec
Value Type: REG_DWORD - The default value is 0.
Valid Range: same as NtlmMinClientSec

Description: These parameters specify the minimum security that must be negotiated. The bits are:
0x00000010 Message integrity
0x00000020 Message confidentiality
0x00080000 NTLMv2 session security
0x20000000 128-bit encryption

If the bit with value 0x00000010 is set in the NtlmMinClientSec or NtlmMinServerSec value, the connection will fail if message integrity is not negotiated.
If the bit with value 0x00000020 is set in the NtlmMinClientSec or NtlmMinServerSec value, the connection will fail if message confidentiality is not negotiated.
If the bit with value 0x00080000 is set in the NtlmMinClientSec or NtlmMinServerSec value, the connection will fail if NTLMv2 session security is not negotiated.
If the bit with value 0x20000000 is set in the NtlmMinClientSec or NtlmMinServerSec value, the connection will fail if 128-bit encryption is not negotiated.
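The following script is an added example, not code from the original tip: it audits the LMCompatibilityLevel and NtlmMinClientSec / NtlmMinServerSec values named above and, with -Apply, sets a hardened combination (level 3, with integrity, NTLMv2 session security and 128-bit encryption required). It uses the PowerShell registry provider on a current Windows host in place of the Regedt32 steps; the function names, the -Apply switch and the chosen target values are this example's own assumptions, and the keys, value names, levels and bit values are the ones documented in the tip.

```powershell
# Added example (not from the original tip). Run from an elevated PowerShell.
param([switch]$Apply)   # assumption: -Apply is this example's own switch

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# LMCompatibilityLevel meanings as listed in the tip.
$LevelText = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'Send LM and NTLM responses; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; DC refuses LM responses'
    5 = 'Send NTLMv2 response only; DC refuses LM and NTLM responses'
}

# NtlmMinClientSec / NtlmMinServerSec bits; a value is the logical OR of these.
$NtlmSecBits = [ordered]@{
    'Message integrity'       = 0x00000010
    'Message confidentiality' = 0x00000020
    'NTLMv2 session security' = 0x00080000
    '128-bit encryption'      = 0x20000000
}

function Get-NtlmMinSecDescription {
    param([int]$Mask)
    # Every requirement the mask makes mandatory (connection fails otherwise).
    $NtlmSecBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-NtlmAuthConfig {
    # A missing value means the documented default of 0.
    $lsa = Get-ItemProperty -Path $LsaKey  -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $Msv1Key -ErrorAction SilentlyContinue
    $level  = if ($null -ne $lsa.LMCompatibilityLevel) { [int]$lsa.LMCompatibilityLevel } else { 0 }
    $client = if ($null -ne $msv.NtlmMinClientSec)     { [int]$msv.NtlmMinClientSec }     else { 0 }
    $server = if ($null -ne $msv.NtlmMinServerSec)     { [int]$msv.NtlmMinServerSec }     else { 0 }
    [pscustomobject]@{
        LMCompatibilityLevel = $level
        LevelMeaning         = $LevelText[$level]
        NtlmMinClientSec     = ('0x{0:X8}' -f $client)
        ClientRequires       = (Get-NtlmMinSecDescription $client) -join ', '
        NtlmMinServerSec     = ('0x{0:X8}' -f $server)
        ServerRequires       = (Get-NtlmMinSecDescription $server) -join ', '
    }
}

function Set-NtlmAuthConfig {
    param(
        [ValidateRange(0, 5)][int]$Level,
        [int]$MinClientSec,
        [int]$MinServerSec
    )
    # MSV1_0 may not exist yet; all three values are REG_DWORD as the tip specifies.
    if (-not (Test-Path $Msv1Key)) { New-Item -Path $Msv1Key -Force | Out-Null }
    Set-ItemProperty -Path $LsaKey  -Name LMCompatibilityLevel -Value $Level        -Type DWord
    Set-ItemProperty -Path $Msv1Key -Name NtlmMinClientSec     -Value $MinClientSec -Type DWord
    Set-ItemProperty -Path $Msv1Key -Name NtlmMinServerSec     -Value $MinServerSec -Type DWord
}

# Assumed target: send NTLMv2 only (level 3) and refuse any session that does not
# negotiate message integrity, NTLMv2 session security and 128-bit encryption.
$TargetMask = 0x00000010 -bor 0x00080000 -bor 0x20000000   # 0x20080010

'Current settings:'
Get-NtlmAuthConfig | Format-List
if ($Apply) {
    Set-NtlmAuthConfig -Level 3 -MinClientSec $TargetMask -MinServerSec $TargetMask
    'New settings (take effect after a restart):'
    Get-NtlmAuthConfig | Format-List
}
```

Run it without -Apply first to see what the box currently requires; the ClientRequires and ServerRequires fields name exactly the conditions under which a connection will fail, which is what you should compare against the clients and DCs listed in the next two sections before applying level 3 or any NtlmMin*Sec bits.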
LMCompatibilityLevel - Clients
SP4 clients cannot use level 3 or greater unless all the domain controllers are running SP4.
SP4 clients using level 2 or greater cannot connect to non-NT Windows variants unless the domain controllers run SP4.
SP4 clients using level 3 or greater will always send NTLMv2, which can pass through NT Servers and non-NT Windows variants as long as the domain controllers are running SP4. Share level security is not supported.
SP4 Clients using level 1 or greater must only change passwords from an SP4 box.
LMCompatibilityLevel - Servers/DCs
SP4 servers using level 4 or greater cannot be connected to from a non-NT Windows variant.
SP4 DC using level 4 or greater requires Windows NT clients.
SP4 DC using level 5 requires Windows NT 4.0 SP4 clients.
If you wish to implement NTLMv2, I recommend:
- Upgrade all servers/DCs to SP4.
- Clients that are running SP4 can use level 3 or greater.
- If users in an account domain never need to access non-NT Windows variants, set that DC to 4. Set it to 5 once all clients are running SP4.
Shut down and restart Windows NT for these changes to take effect.