NT LAN Manager (NTLM) Remediation
Published on March 23, 2016
NT LAN MANAGER (NTLM)

Windows NT LAN Manager (NTLM) is a Microsoft challenge-response authentication protocol. It is used to authenticate a client to a particular resource on an Active Directory domain or on a home network. Here are some basics on how to raise (and ultimately maximize) the NTLM security level.

Raising NTLM security levels can be a complicated subject. The level-by-level breakdown below explains the difference between the six security levels of NT LAN Manager (NTLM) authentication.

Authentication

This method of authentication is fairly old. It was last refreshed in 1999 (with the release of Windows 2000). NTLM nevertheless remains widely used in the Microsoft (Windows) world; network captures or system logs readily demonstrate its use.

With the advent of Microsoft Active Directory Domain Services (AD DS) in 2000 and its implementation of MIT Kerberos, the necessity for and use of LAN Manager authentication began to decline. This, however, has not phased it out of existence yet.

Because NTLM bases its challenge-response on an encrypted form of the user's password rather than on tokens, its continued use remains a security vulnerability: it is susceptible to man-in-the-middle attacks.

Take a moment to also read Microsoft’s Article depicting these levels.

NT Lan Manager (NTLM) Remediation

The NTLM authentication level is set using a single registry value, LmCompatibilityLevel (see the level descriptions below). It can be defined via Group Policy (GPO) or written directly to the registry. Changes to this setting become effective without the need for a reboot.

    • GPO Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    • Registry Location: HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

This registry value determines which challenge/response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software. This allows users to connect computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2).
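The following PowerShell is an added example, not code from the original article: it reads the LmCompatibilityLevel value from the registry location cited above, decodes it using the level descriptions given below, checks a host against a required phase level, and sets the value (as a REG_DWORD, with -WhatIf support). It assumes an elevated session on the target host; an absent value means the operating-system default is in effect rather than level 0, so it is reported as $null.

```powershell
# Added example (not from the original article): audit and set LmCompatibilityLevel.
# Assumes: elevated PowerShell on the target host. Key path and value name are the
# ones the article cites. An absent value means the OS default applies, not level 0.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Meaning of each level, as summarised in the article.
$LevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured level as [int], or $null when the value is not present
    # (the operating-system default is then in effect).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-LmCompatibilityLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Minimum)
    # $true when the host is explicitly at or above the required phase level.
    # An unset value is treated as non-compliant until it has been set deliberately.
    $current = Get-LmCompatibilityLevel
    if ($null -eq $current) { return $false }
    return $current -ge $Minimum
}

function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)
    $current = Get-LmCompatibilityLevel
    # Guard against skipping the phased approach: do not jump from below 3 straight to 5.
    if ($Level -eq 5 -and ($null -eq $current -or $current -lt 3)) {
        throw "Raise to level 3 and soak before moving to 5 (current value: '$current')."
    }
    $target = "$LsaKey\$ValueName"
    if ($PSCmdlet.ShouldProcess($target, "Set to $Level ($($LevelText[$Level]))")) {
        # The value is a REG_DWORD; create it if absent, otherwise overwrite it.
        if ($null -eq $current) {
            New-ItemProperty -Path $LsaKey -Name $ValueName -Value $Level -PropertyType DWord | Out-Null
        } else {
            Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Level -Type DWord
        }
        # No reboot is required for the new level to take effect.
    }
}

# Usage:
#   Get-LmCompatibilityLevel
#   Test-LmCompatibilityLevel -Minimum 3
#   Set-LmCompatibilityLevel -Level 3 -WhatIf   # preview the change
#   Set-LmCompatibilityLevel -Level 3           # remediation phase 1
```

When the level is managed through the GPO path given above, the policy refreshes the same registry value; in that case run only the Get and Test functions here, since a local Set would be overwritten at the next policy refresh.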

Target: Client Settings Only

Client services initiate connections to servers (this refers to the source where network traffic is initiated or generated).

    • LMCompatibilityLevel = 0 (LMC0): Send LM & NTLM responses
      Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

    • LMCompatibilityLevel = 1 (LMC1): Send LM & NTLM – use NTLMv2 session security if negotiated
      Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

    • LMCompatibilityLevel = 2 (LMC2): Send NTLM response only
      Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

    • LMCompatibilityLevel = 3 (LMC3): Send NTLMv2 response only
      Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

Target: Server Settings Only

Server listening services receive client connections or requests (this refers to the receipt point, or respondent, of communication initiated by a client).

    • LMCompatibilityLevel = 4 (LMC4): Send NTLMv2 response only. Refuse LM
      Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.

    • LMCompatibilityLevel = 5 (LMC5): Send NTLMv2 response only. Refuse LM & NTLM
      Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.

Authentication

LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is the protocol that is used to authenticate all client devices running the Windows operating system when they perform the following operations:

    • Join a domain
    • Authenticate between Active Directory forests
    • Authenticate to domains based on earlier versions of the Windows operating system
    • Authenticate to computers that do not run Windows operating systems, beginning with Windows 2000
    • Authenticate to computers that are not in the domain

Remediation Phases:

Level-set (or raise) LMCompatibilityLevel as follows on all servers, workstations and Domain Controllers. Before transitioning to LMC 5, allow sufficient soak time for testing and verification.

    1. Augment LMCompatibilityLevel (LMC) to a value of 3
    2. Augment LMCompatibilityLevel (LMC) to a value of 5
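The soak time between phase 1 and phase 2 is there to find clients that would be refused once domain controllers stop accepting LM and NTLMv1. The PowerShell below is an added example, not code from the original article: it reads successful-logon events (Security event ID 4624) from a domain controller or server and reports the ones whose NTLM package was "LM" or "NTLM V1", grouped by source workstation, so each remaining legacy client can be fixed before the move to LMC 5. It assumes rights to read the Security log on the named host and that logon auditing is enabled; the field names are the standard 4624 event-data fields.

```powershell
# Added example (not from the original article): find logons that still use LM or
# NTLMv1 before raising LmCompatibilityLevel to 5. Assumes: read access to the
# Security log on the target host and that logon success auditing (event 4624)
# is enabled. Field names (AuthenticationPackageName, LmPackageName, ...) are the
# standard 4624 event-data fields.

function Get-LegacyNtlmLogon {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's XML <Data Name="..."> elements into a hashtable.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

            # LmPackageName is only populated for NTLM logons ('-' otherwise).
            # 'NTLM V2' logons survive LMC 5; 'LM' and 'NTLM V1' do not.
            if ($d.AuthenticationPackageName -eq 'NTLM' -and $d.LmPackageName -in 'LM', 'NTLM V1') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Package     = $d.LmPackageName
                    User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Workstation = $d.WorkstationName
                    SourceIp    = $d.IpAddress
                }
            }
        }
}

# Usage: summarise legacy logons by source so each client can be remediated
# before phase 2. Run this against each domain controller during the soak period.
Get-LegacyNtlmLogon -Days 14 |
    Group-Object Workstation, Package |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

An empty result over a full soak period on every domain controller is the evidence that phase 2 (LMC 5) can proceed; any hit identifies a client or service account that still needs its own level raised to 3 first.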

I hope this sheds a bit more light on these particular settings.

Warmest Regards,

SHAWN MAY – DTS Inc. | Principal Architect & CEO | shawn@yourDTS.com
