What is the default LAN Manager authentication level for Windows servers 2008 and later
Hi,
Hope all is well!
I am currently doing some vulnerability management and noticed that the lmcompatibilitylevel was missing in the regkey path:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
But after some investigation I read, for example:
Operating system version differences
In Windows Server 2003, the Default Domain Controllers Policy was Send NTLM response only, which changed to Not defined in later versions.
In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the default is Send NTLMv2 response only.
But in the banner of the document it mentions that the document is EOL. So I found the following document:
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
Which seems to be an updated version, but under "applies to" it only mentions Windows 10. Is there a document for Windows Servers 2008 R2 and later?
Based on the first document I would assume servers 2008 R2 and later would use Send NTLMv2 authentication only (Level 3) by default.
But going back to my original question: what is the default level of Network security: LAN Manager authentication level when lmcompatibilitylevel is missing for Windows Servers running 2008 or later?
FYI, when using the link https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852207(v=ws.11), you will need to add the last ) manually...
Thank you in advance
Best regards,
Vilhelm Olow
-
Limitless Technology 44,766 Reputation points
2022-11-23T15:12:07.09+00:00
Hi,
Thank you for your question and reaching out.
I understand that you're missing the LMcompatibilityLevel key in registry. If it is missing, you can simply create it so you can assign the value needed for doing vulnerability management on your device. To do so,
Please click on your Start menu and type Command prompt then right-click on it and select Run as administrator. Once the command prompt window is opened, copy and paste the command below then hit on Enter. This should automatically add the LMcompatibilityLevel key in registry.
reg.exe add HKLM\System\CurrentControlSet\Control\Lsa\ /v LmCompatibilityLevel /t REG_DWORD /d 1 /f
Restart the device then check your registry again. LmCompatibilityLevel key should already be visible. If yes, you may proceed with doing the vulnerability management on your device.
-
John Busch 0 Reputation points
2023-01-24T08:30:47.2833333+00:00
The default level value for LmCompatibilityLevel for each version of Windows is as follows:
Windows XP: 0
Windows 2003: 2
Vista/2008: 3
Win7/2008 R2: 3
Source: Microsoft employee:
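
An added example, not part of any post in this thread and not Microsoft's code: a read-only PowerShell check that reports the effective LAN Manager authentication level and treats a missing LmCompatibilityLevel value as the OS default rather than as a finding. It assumes the default is 3 on Vista / Server 2008 and later, as quoted in the thread; the function name `Resolve-LmCompatibilityLevel` and its parameters are hypothetical.

```powershell
# Added example. Read-only: it queries the registry and changes nothing.
# Assumption: when the value is absent the OS default applies, taken here as 3
# (Send NTLMv2 response only) for Vista / Server 2008 and later, per this thread.
function Resolve-LmCompatibilityLevel {
    param(
        [object] $RegistryValue,   # $null when the value does not exist
        [int]    $OsDefault = 3    # adjust for older systems (XP: 0, 2003: 2)
    )
    # Level names as shown in the "Network security: LAN Manager
    # authentication level" policy setting.
    $names = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }
    $explicit = $null -ne $RegistryValue
    $level = if ($explicit) { [int]$RegistryValue } else { $OsDefault }
    $name  = if ($names.ContainsKey($level)) { $names[$level] } else { 'Unknown level' }

    # New-Object is used instead of [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Level          = $level
        Setting        = $name
        Source         = if ($explicit) { 'Registry value' } else { 'Value missing, OS default assumed' }
        SendsNtlmV2Only = ($level -ge 3)   # levels 0-2 still send LM and/or NTLMv1 responses
    }
}

# Check the local machine.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$item = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$raw  = if ($item) { $item.LmCompatibilityLevel } else { $null }
Resolve-LmCompatibilityLevel -RegistryValue $raw

# Constructed sample inputs: value absent, set to 1, set to 5.
foreach ($v in $null, 1, 5) {
    Resolve-LmCompatibilityLevel -RegistryValue $v
}
```

With the constructed inputs, the absent value resolves to level 3 and only the value 1 is reported with `SendsNtlmV2Only` false.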