Restrict the use of NTLMv1 and only allow NTLMv2, but permit NTLMv1 if the client or server does not support NTLMv2

raj a 316 Reputation points
2023-09-27T16:59:35.2933333+00:00

Hi,

We want to restrict the use of NTLMv1 and only allow NTLMv2, but permit NTLMv1 if the client or server does not support NTLMv2, allowing for fallback to NTLMv1 when necessary.

In summary, the requirements are as follows:

- NTLMv2 - Allowed.
- NTLMv1 - Allowed only if NTLMv2 is not supported.
- LM - Blocked.
- Domain Controller - Should accept only NTLM and NTLMv2 authentication.

We aim to implement these requirements using the below GPO settings. What would be the ideal GPO setting to meet these requirements?

Setting number 5 appears to be quite restrictive, but it's unclear whether it will fallback to NTLMv1 if NTLMv2 is not supported.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

1. "Send LM & NTLM responses" - Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2. "Send LM & NTLM – use NTLMv2 session security if negotiated" - Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

3. "Send NTLM response only" - Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

4. "Send NTLMv2 response only" - Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

5. "Send NTLMv2 response only. Refuse LM" - Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.

6. "Send NTLMv2 response only. Refuse LM & NTLM" - Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.

Thanks much.

Regards,

Raj
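An audit helper for the policy discussed in this thread, added here as an example and not taken from the question or the answers. It reads the registry value that the "Network security: LAN Manager authentication level" GPO writes (LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and maps it to the client and domain-controller behaviour described above; it assumes WinRM is enabled on any remote targets you name, and that an absent value means the OS default of 3 applies.

```powershell
# Added example: report the effective LAN Manager authentication level.
# Registry values 0-5 correspond, in order, to the six options listed in the
# question (numbered 1-6 there; Microsoft's documentation and the registry use 0-5).
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $read = {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }

    foreach ($c in $ComputerName) {
        # Read locally where possible; otherwise over WinRM (assumption: enabled).
        $raw = if ($c -eq $env:COMPUTERNAME) { & $read }
               else { Invoke-Command -ComputerName $c -ScriptBlock $read }

        # $null means the value is not configured, so the OS default (3) applies.
        $level = if ($null -eq $raw) { 3 } else { [int]$raw }

        [pscustomobject]@{
            ComputerName      = $c
            Level             = $level
            Explicit          = ($null -ne $raw)
            Setting           = $LmLevels[$level]
            # Client-side behaviour, as described in the option text
            ClientSendsLM     = ($level -le 1)
            ClientSendsNTLMv1 = ($level -le 2)
            # Domain-controller acceptance, as described in the option text
            DCAcceptsLM       = ($level -le 3)
            DCAcceptsNTLMv1   = ($level -le 4)
        }
    }
}

# Usage (hypothetical host names):
Get-LmCompatibilityLevel -ComputerName 'DC01', 'FS01' | Format-Table -AutoSize
```

Run it against the domain controllers and a sample of member servers before changing the GPO, so the "DCAcceptsLM" and "DCAcceptsNTLMv1" columns show which of the requirements in the question the current level already meets.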

Windows Server

Accepted answer
Anonymous
    2023-09-27T17:41:31.8966667+00:00

    Yes, with level 3, domain controllers accept LM, NTLM, and NTLMv2 authentication. Please don't forget to close up the thread here by marking answer if the reply is helpful.


1 additional answer

Anonymous
    2023-09-27T17:04:30.3533333+00:00

    Sounds like you'll want level 3.

    Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level#possible-values

    --please don't forget to close up the thread here by marking answer if the reply is helpful--

