Yes, with level 3 domain controllers accept LM, NTLM, and NTLMv2 authentication. Please don't forget to close up the thread here by marking answer if the reply is helpful.
Restrict the use of NTLMv1 and only allow NTLMv2, but permit NTLMv1 if the client or server does not support NTLMv2
Hi,
We want to restrict the use of NTLMv1 and only allow NTLMv2, but permit NTLMv1 if the client or server does not support NTLMv2, allowing for fallback to NTLMv1 when necessary.
In summary, the requirements are as follows:
- NTLMv2: allowed.
- NTLMv1: allowed only if NTLMv2 is not supported.
- LM: blocked.
- Domain controller: should accept only NTLM and NTLMv2 authentication.
We aim to implement these requirements using the below GPO settings. What would be the ideal GPO setting to meet these requirements?
Setting number 5 appears to be quite restrictive, but it's unclear whether it will fallback to NTLMv1 if NTLMv2 is not supported.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
1)"Send LM & NTLM responses" - Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
2)"Send LM & NTLM – use NTLMv2 session security if negotiated" - Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
3)"Send NTLM response only" - Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
4)"Send NTLMv2 response only" - Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
5)"Send NTLMv2 response only. Refuse LM" - Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.
6)"Send NTLMv2 response only. Refuse LM & NTLM" - Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.
Thanks much.
Regards,
Raj
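The six options quoted above are the six values of the LmCompatibilityLevel registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and that value is zero-based: option 1) is level 0, option 4) "Send NTLMv2 response only" is level 3, and option 6) is level 5. No level gives a per-client fallback: from level 3 upward a client always sends NTLMv2, and on the domain controller side the level only decides which response types are refused. The PowerShell below is an added audit helper, not code from this thread or from Microsoft. It reads the effective level on the local host, prints the matching option text and DC behaviour, and lists successful logons (Security event 4624) whose "Package Name (NTLM only)" field shows NTLM V1 or LM, so the hosts and accounts that would break at a refusing level can be inventoried first. The event count limit and the grouping are assumptions chosen for readability.

```powershell
# Added audit helper (not from the thread): maps the effective LmCompatibilityLevel
# on this host to the policy option wording and inventories NTLMv1/LM logons.
# The registry value is zero-based: 0..5 correspond to the options listed as 1)..6).

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Index = registry value, text = the GPO option that value selects.
$LevelNames = @(
    'Send LM & NTLM responses',                                    # 0
    'Send LM & NTLM - use NTLMv2 session security if negotiated',  # 1
    'Send NTLM response only',                                     # 2
    'Send NTLMv2 response only',                                   # 3
    'Send NTLMv2 response only. Refuse LM',                        # 4
    'Send NTLMv2 response only. Refuse LM & NTLM'                  # 5
)

function Get-LmCompatibilityLevel {
    # Returns the configured level, or $null when the value is absent
    # (absent means the OS default applies: 3 on Windows Vista/Server 2008 and later).
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Describe-LmCompatibilityLevel {
    param($Level)
    if ($null -eq $Level) { return 'Not configured (OS default, equivalent to level 3)' }
    if ($Level -lt 0 -or $Level -gt 5) { return "Unexpected value $Level" }
    # DC-side acceptance follows the option descriptions: only 4 and 5 refuse anything.
    $dc = switch ($Level) {
        { $_ -le 3 } { 'DC accepts LM, NTLM and NTLMv2' }
        4            { 'DC refuses LM; accepts NTLM and NTLMv2' }
        5            { 'DC refuses LM and NTLM; accepts NTLMv2 only' }
    }
    return "Level $Level = ""$($LevelNames[$Level])"" ($dc)"
}

function Get-NtlmV1Logons {
    # Lists successful logons (Security event 4624) that used NTLM V1 or LM.
    # Run on a domain controller to see which hosts and accounts still rely on the
    # weaker response before raising the DC-side level to 5.
    param([int]$MaxEvents = 5000)   # assumed limit; raise it for a longer look-back
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a name/value table.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            if ($fields['AuthenticationPackageName'] -eq 'NTLM' -and $fields['LmPackageName'] -in @('NTLM V1', 'LM')) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Package     = $fields['LmPackageName']
                    Account     = "$($fields['TargetDomainName'])\$($fields['TargetUserName'])"
                    Workstation = $fields['WorkstationName']
                    SourceIp    = $fields['IpAddress']
                }
            }
        } |
        Group-Object Package, Workstation, Account |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Describe-LmCompatibilityLevel (Get-LmCompatibilityLevel)
Get-NtlmV1Logons
```

Run it elevated on a domain controller so the Security log is readable; an empty list from Get-NtlmV1Logons over a representative period is the evidence that moving the DCs from level 3 to level 5 will not lock anything out, while a populated list names exactly which clients still need attention.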
Anonymous
2023-09-27T17:04:30.3533333+00:00
Sounds like you'll want level 3
Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
--please don't forget to close up the thread here by marking answer if the reply is helpful--