Network security: LAN Manager authentication level setting on GPO

    Question

  • Hi,

    We have a requirement from the project team to change one of the security settings in the Default Domain Policy for all computers in the domain. Below is the security setting which we need to modify.

    Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options -->

    Network security: LAN Manager authentication level

    This setting needs to be changed to "Send LM & NTLM - use NTLMv2 session security if negotiated".

    The project team is facing an issue with an Apache web server and found the solution at the link below (we have tested this by changing the local group policy, and the solution works as expected).

    https://www.sysaid.com/Sysforums/posts/list/9065.page 

    We need to know what the impact is after enabling this on domain computers.

    Need help on this to go ahead.

    Thursday, April 30, 2015 10:37 AM
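The setting named above is backed by the DWORD LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The following PowerShell is an added example, not code from the original thread: it reads that value and the related NoLMHash value on a machine and reports what the machine will send and accept at each level, so the effect of level 1 can be inspected on the test box before the GPO goes domain-wide. The function name, output field names and the sample computer names are this example's own.

```powershell
# Added example (not from the original thread). Reports the local LAN Manager
# authentication level and whether LM hashes are still being stored.
function Get-LmAuthLevelReport {
    [CmdletBinding()]
    param()

    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Documented meanings of LmCompatibilityLevel 0-5; the GPO setting writes this DWORD.
    $levelText = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    $lsa = Get-ItemProperty -Path $lsaPath -ErrorAction Stop

    # A missing value means the OS default applies; report that rather than guess a number.
    $level    = $lsa.LmCompatibilityLevel
    $noLmHash = $lsa.NoLMHash
    $known    = ($null -ne $level)

    if ($known) {
        $levelValue = [int]$level
        $meaning    = $levelText[$levelValue]
        # Levels 0 and 1 are the only ones that still send an LM response.
        $sendsLm    = ($levelValue -le 1)
        # Acting as a server or DC, levels 0-3 still accept LM responses;
        # 4 refuses LM, 5 refuses LM and NTLM.
        $acceptsLm  = ($levelValue -le 3)
    } else {
        $levelValue = 'not set (OS default)'
        $meaning    = 'OS default'
        $sendsLm    = $null
        $acceptsLm  = $null
    }

    # NoLMHash = 0 means an LM hash is stored at the next password change.
    $storesLmHash = if ($null -ne $noLmHash) { [int]$noLmHash -eq 0 } else { $null }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LmCompatibilityLevel = $levelValue
        Meaning              = $meaning
        SendsLMResponse      = $sendsLm
        AcceptsLMResponse    = $acceptsLm
        StoresLMHash         = $storesLmHash
    }
}

# Run locally on the test machine that had the setting applied via local policy:
Get-LmAuthLevelReport | Format-List

# Or fan out to the members that would receive the Default Domain Policy
# (WinRM required; 'web01' and 'app01' are placeholder names):
# Invoke-Command -ComputerName 'web01','app01' -ScriptBlock ${function:Get-LmAuthLevelReport} |
#     Format-Table ComputerName, LmCompatibilityLevel, SendsLMResponse, StoresLMHash -AutoSize
```

Two things to check with this report before agreeing to the change: level 1 makes every domain member send an LM response again, and a value pushed through the Default Domain Policy also lands on the domain controllers unless the Default Domain Controllers Policy (linked to the Domain Controllers OU, so it takes precedence) sets the same value itself. It is the level in force on the DCs that decides what the domain accepts.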

Answers

  • Hi,

    You have weaker domain security overall. "

    LM Hash Generation 

    The algorithm introduces several weaknesses that attackers can exploit. First, all lowercase characters are set to uppercase, reducing the number of possible characters. Second, it splits a long, strong, password into two seven-character chunks.

    [..]

    Both the LM and NTLM protocols operate essentially the same way; the only difference is the password hash."

    REF: The Most Misunderstood Windows Security Setting of All Time



    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    This post provides no guarantees and confers no rights.

    Thursday, April 30, 2015 10:49 AM
  • Agree, this will weaken security on your network. Anything modern uses Kerberos instead of LM/NTLM; NTLM was the Windows NT model of authenticating, and Kerberos has been used since Active Directory came into use in Windows 2000.

    Sounds like they are being typical developers: they cannot be bothered to change the way their application authenticates, so they want to weaken the encryption on the domain. Ultimately, if you are responsible for security on the domain, I would ask them to find a solution where their server/application uses Kerberos instead.

    Thursday, April 30, 2015 11:20 AM

All replies

  • Thanks a lot for your inputs. We have communicated the same to the project team, and they are searching for an alternate solution.
    Monday, May 04, 2015 11:29 AM