Registry Tip #80: NTLMv2 NT Authentication in NT and Win9x clients
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\LSA
Name: LMCompatibilityLevel
Type: REG_DWORD
Value: 5 : DC refuses LM and NTLM responses (accepts only NTLMv2)
Value: 4 : DC refuses LM responses
Value: 3 : Send NTLMv2 response only
Value: 2 : Send NTLM response only
Value: 1 : Use NTLMv2 session security if negotiated
Value: 0 : default - Send LM response and NTLM response; never use NTLMv2 session security
You MUST read KB Q147706 - How to Disable LM Authentication on Windows NT to understand the compatibility issues. It lists gotchas and implementation suggestions. SP4 added levels 3-5 and with them considerable complexity. Also see Q175641 - LMCompatibilityLevel and Its Effects.
For commercial networks, I suggest setting LMCompatibilityLevel to 1 on all NT workstations and servers. NTLMv2 will be used when possible while LANMAN compatibility is kept for Win95, Win98, and Mac clients. In high-risk networks, set LMCompatibilityLevel to 5, which eliminates Win9x and its weak authentication requirements. With the introduction of Windows 2000, Microsoft has provided a method to add NTLMv2 support to Win9x clients. You do this by installing and then uninstalling the Directory Services Client included on the Windows 2000 CD-ROM. The installation updates the authentication components in Win9x to NTLMv2 compatibility, and when the client is uninstalled, these enhanced system components remain! The steps needed to add this functionality are documented in Microsoft's KB article Q239869 (article offline 4/26/2002). With this enhancement, it is no longer necessary to have an all-NT workstation environment to gain NTLMv2 authentication.
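The following PowerShell script is an added example, not part of the original tip, showing how an administrator can audit the current LMCompatibilityLevel against the recommendation above (1 for mixed networks, 5 for high-risk ones) and raise it in a controlled way. It assumes a Windows host where this registry value is still honoured and where PowerShell is available; the function names are my own.

```powershell
# Added example (not from the original tip): audit and optionally raise
# LMCompatibilityLevel on the local machine. Assumes a Windows host where
# this registry value is still honoured and PowerShell is available.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LMCompatibilityLevel'

# Meaning of each level, as listed in the tip above.
$LevelMeaning = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security (default)'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'DC refuses LM responses'
    5 = 'DC refuses LM and NTLM responses (accepts only NTLMv2)'
}

function Get-LMCompatibilityLevel {
    # An absent value means the OS default, which the tip lists as 0.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Test-LMCompatibilityLevel {
    param(
        # Minimum acceptable level: 1 for mixed networks, 5 for high-risk ones per the tip.
        [ValidateRange(0, 5)] [int] $Minimum = 1
    )
    $current = Get-LMCompatibilityLevel
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Level          = $current
        Meaning        = $LevelMeaning[$current]
        LMResponseSent = ($current -le 1)   # levels 0 and 1 still send the weak LM response
        Compliant      = ($current -ge $Minimum)
    }
}

function Set-LMCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [ValidateRange(0, 5)] [int] $Level)
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set to $Level")) {
        # New-ItemProperty with -Force creates or overwrites the REG_DWORD value.
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
    }
}

# Usage: audit first; -WhatIf shows the change without applying it.
Test-LMCompatibilityLevel -Minimum 1 | Format-List
# Set-LMCompatibilityLevel -Level 1 -WhatIf
```

Run the audit across the fleet before changing anything: any host reporting LMResponseSent as True still answers with an LM response, and raising the level to 2 or higher on a machine that must talk to Win9x or Mac clients will break their logons, exactly the compatibility issue KB Q147706 warns about. Setting the value requires administrative rights, and the change takes effect for new logons without a reboot on current Windows versions.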