1,922 questions
(ignore this)
What is the defualt LAN Manager authentication level for Windows servers 2008 and later
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 89%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVO%3C/text%3E%3C/svg%3E)
Vilhelm Olow
6
Reputation points
Hi,
Hope all is well!
I am currently doing some vulnerability management and noticed that the lmcompatibilitylevel was missing in the regkey path:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
But after some investigation and I read for example:
Operating system version differences
In Windows Server 2003, the Default Domain Controllers Policy was Send NTLM response only, which changed to Not defined in later versions.
In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the default is Send NTLMv2 response only.
But in the banner of the document it mentions that document is EOL. So I found the following document:
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
Which seems to be an updated version, but under "applies to" it only mentions Windows 10. Is there a document for Windows Servers 2008 R2 and later?
Based on the first document I would assume servers 2008 R2 and later would use Send NTLMv2 authentication only (Level 3) by default.
But going back to my original question what is the default level Network security: LAN Manager authentication level when lmcompatibilitylevel is missing for Windows Servers running 2008 or later.
FYI, when using the link https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852207(v=ws.11), You will need to add the last ) manually...
Thank you in advance
Best regards,
Vilhelm Olow
Windows for business | Windows Server | Devices and deployment | Configure application groups
3 answers
Sort by: Most helpful
-
Vilhelm Olow 6 Reputation points
2023-01-31T10:57:00.84+00:00 -
Vilhelm Olow 6 Reputation points
2023-01-31T10:59:47.1966667+00:00 Can't delete comments I created by accident...
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Limitless Technology 44,766 Reputation points2022-11-23T15:12:07.09+00:00 Hi,
Thank you for your question and reaching out.
I understand that you're missing the LMcompatibilityLevel key in registry. If it is missing, you can simply create it so you can assign the value needed for doing vulnerability management on your device. To do so,
Please click on your Start menu and type Command prompt then right-click on it and select Run as administrator. Once the command prompt window is opened, copy and paste the command below then hit on Enter. This should automatically add the LMcompatibilityLevel key in registry.
reg.exe add HKLM\System\CurrentControlSet\Control\Lsa\ /v LmCompatibilityLevel /t REG_DWORD /d 1 /f
Restart the device then check your registry again. LmCompatibilityLevel key should already be visible. If yes, you may proceed with doing the vulnerability management on your device.
---------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–
-
Vilhelm Olow 6 Reputation points
2022-11-24T08:05:04.15+00:00 Hi!
Thank you for the information appreciate it.
But the response don't really answers my question. Will try and make it more clear below:According to https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level for example it is mentioned under vulnerability section:
"In Windows 7 and Windows Vista, this setting is undefined. In Windows Server 2008 R2 and later, this setting is configured to Send NTLMv2 responses only." Is this true to Windows Server 2012. 2016. 2019 and 2022 as well.
Which means the default value is Level 3 or am I incorrect?So in short, what is the default level when the regkey is missing.
Hope this makes my question a bit more clear and thank you in advance!
Best regards,
Vilhelm Olow
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 59%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
John Busch 0 Reputation points2023-01-24T08:30:47.2833333+00:00 The default level value for LmCompatibilityLevel for each version of Windows is as follows:
Windows XP: 0 Windows 2003: 2 Vista/2008 3 Win7/2008 R2 3
Source: Microsoft employee:
-
Vilhelm Olow 6 Reputation points
2023-01-31T10:50:42.8166667+00:00 Hi John,
Thank you for the response and help.
That answers half of my question, I was able to find this information as well. But everywhere I read and try to find information the latest version mentioned is always 2008 R2. But what about server 2012 and later, these versions are never mentioned what I have been able to read at least. Should I just assume Server 2012 and later follow the same rule and undefined is equal to level 3. Would be great if you or someone have read it written down for the later versions of Windows servers and could share that, so we don't automatically assume how it works.
Best regards,
Vilhelm Olow
Sign in to comment -