NTLMv2 in Windows 2008 active or not?

    Question

  • I have a Windows 2008 R2 member server which has no settings configured for NTLM.

    When I open the local group policy I see that the setting "Network security: LAN Manager authentication level" is "Not Defined"

    If I take a look at the registry location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    I see that there is no LMCompatibilitysetting present.

    What I want to know is how can I see if there are any NTLM settings active? Microsoft says that in Windows 2008 (r2) by default "NTLMv2 Response only" is active (LMcompatibilitysetting 3)

    If we look in Windows 2012 R2 we also see that this setting is configured as "Not Defined"

    Friday, May 01, 2015 7:16 AM

All replies

  • In Group Policy, "Not Defined" = "use the defaults".

    So, for this setting, when "Not Defined", the default of NTLMv2 applies for WS2008R2.

    [extracted from the Explain Text in gpedit on Win8.1]

    Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Friday, May 01, 2015 8:28 AM
  • more reading (although it's an old article)
    https://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx

    Don

    Friday, May 01, 2015 8:32 AM
  • Ok, but why doesn't it show in the register: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    It only adds an entry when I make a choice for NTLM version in the local group policy

    If I do that it adds: LMCompatibilitysetting

    How can we see that it actually uses NTLMv2?

    Friday, May 01, 2015 9:26 AM
  • Windows, and probably almost all modern computer software too, has defaults coded within the programs.

    These defaults apply even if the settings to set alternate/optional values don't exist. This is a very common practice in modern programming.

    In this example, LSA and the related lsass.exe will operate in default mode when the registry setting is absent.

    There is no value (to the program) to have the default setting recorded in registry - the program doesn't need that, and, to have every default setting recorded in registry is wasteful (increases the size of the registry while delivering no benefit to the program).

    It's a separate matter to determine/confirm the actual NTLM methods in use. To do that, you probably need to perform network traffic capture and analysis (e.g. with MSFT NetMon, or Wireshark [formerly known as Ethereal]) and examine the packets captured.


    Don

    Friday, May 01, 2015 10:14 AM
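
Added example, not part of the thread: once a capture contains the NTLMSSP AUTHENTICATE (type 3) message, the response type can be read from the size and layout of its NtChallengeResponse field, following the field layout in MS-NLMP. The function names and the sample messages below are constructed for this illustration.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

def _field(msg, off):
    """Return the bytes a (Len, MaxLen, BufferOffset) descriptor at `off` points to."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
    if buf_off + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[buf_off:buf_off + length]

def classify_authenticate(msg):
    """Name the response type carried in an NTLMSSP AUTHENTICATE (type 3) message."""
    if len(msg) < 64 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm = _field(msg, 12)   # LmChallengeResponse
    nt = _field(msg, 20)   # NtChallengeResponse
    if not nt:
        return "no NT response"
    if len(nt) == 24:
        # Extended session security: LM field is an 8-byte client nonce + 16 zero bytes
        if len(lm) == 24 and lm[8:] == bytes(16):
            return "NTLMv1 with extended session security"
        return "NTLMv1"
    # NTLMv2: 16-byte proof, then a client challenge blob starting RespType=1, HiRespType=1
    if len(nt) >= 44 and nt[16:18] == b"\x01\x01":
        return "NTLMv2"
    return "unknown"

def build_sample(lm, nt):
    """Constructed message: 64-byte fixed header, then the LM and NT responses."""
    hdr = bytearray(64)
    hdr[0:8] = SIGNATURE
    struct.pack_into("<I", hdr, 8, 3)                                # MessageType
    struct.pack_into("<HHI", hdr, 12, len(lm), len(lm), 64)
    struct.pack_into("<HHI", hdr, 20, len(nt), len(nt), 64 + len(lm))
    return bytes(hdr) + lm + nt  # other descriptors stay zero-length

# Constructed samples, not captured traffic
V2_BLOB = b"\x01\x01" + bytes(6) + bytes(8) + b"\xee" * 8 + bytes(8)
SAMPLES = {
    "v1": build_sample(bytes(range(1, 25)), b"\xbb" * 24),
    "v1_ess": build_sample(b"\xaa" * 8 + bytes(16), b"\xbb" * 24),
    "v2": build_sample(b"\xcc" * 24, b"\xdd" * 16 + V2_BLOB),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "->", classify_authenticate(msg))
```

A 24-byte NT response is NTLMv1; anything the function labels NTLMv2 carries the longer proof-plus-blob structure, which is what a client at the "Send NTLMv2 response only" level is expected to send.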
  • Hi,

    I agree with Don. If you need further help regarding the question, please don't hesitate to let us know.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 05, 2015 9:00 AM
    Moderator