SEND NTLM V2 responses only on default domain controllers policy

    Question

  • Hi,

    I want to change the authentication on the default domain controllers policy to SEND NTLM V2 responses only. I am referring to a TechNet article which I am not able to paste here due to restrictions, but the article states the following for SEND NTLMV2 responses only:

    "Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication."

    Please I want to know the following:

    1. The article says that client computers use NTLM v2 authentication, whereas domain controllers will accept LM, NTLM, and NTLMv2 authentication. If that is the case, then what is the point in setting this authentication if, after setting it, domain controllers still accept LM and NTLM? What benefit will I get if my down-level clients still use LM and NTLM? Is it an added functionality that MS has given to the customers who can take the benefit of NTLM V2 authentication for Windows 7 and above, and at the same time with no impact to down-level clients?

    2. In a Windows Wyse, 2003 and XP environment, should I be expecting any impact?

    Thank you

    Regards,

    Rahul Chowdhary


    • Edited by Ankit27Agg Thursday, June 18, 2015 8:42 AM
    Wednesday, June 17, 2015 12:16 PM

All replies

  • Hi Rahul,

    I guess the article you mentioned is this one: https://support.microsoft.com/en-us/kb/239869

    I went through the article and, as you can see, there are 6 different levels you can choose (from level 0 to level 5).

    The message "Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication." that confused you is the result when you configure level 3. The point is that some older OSes which can only use LM or NTLM can also still talk to the domain controller.

    But with level 5 you can see that the clients only use NTLMv2 and the domain controller accepts only NTLMv2 as well.

    The LM protocol was used by default in Windows 95, 98 and ME and is extremely insecure. As a result of this insecurity, Microsoft introduced a new version of LAN Manager with the advent of Windows NT, known as NT LAN Manager, or NTLM. Although much better than its predecessor, this version still had some security issues associated with it, and Microsoft again reworked the protocol, releasing NT LAN Manager version 2 (or NTLMv2) with Service Pack 4 for NT.

    Due to the insecurity of these previous versions, the IMSS has chosen to enforce the use of NTLMv2 when connecting to its servers. All Windows clients will need to turn on the use of NTLMv2 in order to connect to the IMSS Windows servers. In addition, Macintosh clients wishing to connect to the IMSS Windows servers will also need to use NTLMv2 authentication.

    Windows 8.x, Windows 7, Vista and Windows Server versions 2008 and newer default to using NTLMv2 authentication.

    In that way, if you use Windows Server 2000 or later systems, you can use NTLMv2.

    By the way please be aware that on July 15, 2015, Microsoft will end support of Windows Server 2003. Departments should upgrade, retire, or move their 2003 servers to an up-to-date OS in the Intelligent Infrastructure environment.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 19, 2015 3:01 AM
    Moderator
  • Hi Elaine,

    Thank you for your response.

    The article I am referring to is https://technet.microsoft.com/en-us/library/jj852207%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Send NTLMv2 response only: Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

    I need to change the default domain controllers GPO (Network Security: LAN Manager authentication level) to Send NTLMv2 response only. My interpretation of this setting is that any client with Windows 7 and above and Windows Server 2008 and above will be forced to negotiate on NTLMv2, and if I have Windows XP and Wyse, and for that matter any down-level clients, they can negotiate on LM and NTLM, since the definition states that the DC will accept LM and NTLM apart from NTLMv2. Is my understanding correct?

    Level 5, which you are referring to, states Send NTLMv2 response only\Refuse LM (definition below):

    Send NTLMv2 response only\Refuse LM: Client computers use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.

    My understanding here is that clients will be forced to use NTLMv2 authentication and the DC will refuse LM and accept only NTLM and NTLMv2 authentication. In this case my XP machine (if it uses LM authentication) will not authenticate. Is my understanding correct?

    Regards,

    Rahul

    Friday, June 19, 2015 4:06 PM
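The exchange above turns on two things an administrator wants to check before touching the Default Domain Controllers Policy: which LmCompatibilityLevel value is currently in effect (the registry value that the "Network security: LAN Manager authentication level" setting writes), and which hosts are still authenticating with LM or NTLMv1, since those are the ones that stop working once the level is raised to 4 or 5. The following PowerShell script is an added example, not code from the thread or from Microsoft. The level descriptions follow KB239869 (linked earlier in the thread); the registry path and the 4624 event fields (AuthenticationPackageName, LmPackageName, TargetUserName, WorkstationName) are standard Windows values. The function names and the 5000-event window are this example's own choices.

```powershell
# Added example: report the effective LmCompatibilityLevel on this machine and
# summarise, from Security event 4624 on a domain controller, which workstations
# still authenticate with LM or NTLM V1. Run it in an elevated PowerShell on a DC
# before changing the GPO, so the impact on XP/Wyse/2003 clients is known up front.

# Meaning of each LmCompatibilityLevel value (KB239869).
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses; DCs accept LM, NTLM and NTLMv2'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated; DCs accept LM, NTLM and NTLMv2'
    2 = 'Send NTLM response only; DCs accept LM, NTLM and NTLMv2'
    3 = 'Send NTLMv2 response only; DCs accept LM, NTLM and NTLMv2'
    4 = 'Send NTLMv2 response only, refuse LM; DCs accept NTLM and NTLMv2'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM; DCs accept NTLMv2 only'
}

function Get-LmCompatibilityLevel {
    # The "Network security: LAN Manager authentication level" GPO setting writes this value.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        # Value not present: the operating system default applies
        # (3 on Windows 7 / Server 2008 R2 and later).
        return [pscustomobject]@{ Level = $null; Meaning = 'Not set; OS default applies' }
    }
    [pscustomobject]@{ Level = [int]$value; Meaning = $LevelMeaning[[int]$value] }
}

function Get-NtlmLogonSummary {
    param(
        [int]$MaxEvents = 5000   # how far back in the Security log to look (example default)
    )
    # Event 4624 records "Authentication Package" and, for NTLM logons,
    # "Package Name (NTLM only)" = LM, NTLM V1 or NTLM V2. Rows showing LM or
    # NTLM V1 are the hosts that would break at level 4 or 5 respectively.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    Package     = $data['LmPackageName']
                    Account     = $data['TargetUserName']
                    Workstation = $data['WorkstationName']
                    Time        = $_.TimeCreated
                }
            }
        } |
        Group-Object Package, Workstation |
        Select-Object @{ n = 'Package';     e = { $_.Group[0].Package } },
                      @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
                      Count |
        Sort-Object Package, Count -Descending
}

# Usage: show the current level, then the per-workstation NTLM flavour counts.
Get-LmCompatibilityLevel
Get-NtlmLogonSummary | Format-Table -AutoSize
```

Reading the output against the thread: at level 3 every row is still accepted, and the NTLM V2 rows are the Windows 7 / 2008 and later clients that the setting forces onto NTLMv2. Any workstation that appears under LM is exactly the kind of down-level client (XP, Wyse) that will stop authenticating once LM is refused, so those rows are the list to remediate before the GPO is raised.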
  • Hi Rahul,

    Yes, your understandings above are correct.

    Best Regards,

    Elaine



    • Marked as answer by Ankit27Agg Friday, June 26, 2015 9:45 AM
    Friday, June 26, 2015 3:03 AM
    Moderator
  • Thank you Elaine.

    Regards,

    Rahul

    Friday, June 26, 2015 9:45 AM