Enabling NTLMv2 Authentication

Windows computers not joined to a domain use an authentication protocol called LAN Manager Authentication when attempting to connect to remote machines. LAN Manager authentication has been used in every version of Windows, and as a result there are now several variants of the protocol.

The oldest (and weakest) of these is simply called LAN Manager, or LM Authentication. It is used by default in Windows 95, 98 and ME, and it is extremely insecure.

Because of this insecurity, Microsoft introduced a new version of LAN Manager with the advent of Windows NT, known as NT LAN Manager, or NTLM. Although much better than its predecessor, this version still had security issues of its own, and Microsoft reworked the protocol again, releasing NT LAN Manager version 2 (NTLMv2) with Service Pack 4 for NT.

Due to the insecurity of these previous versions, the IMSS has chosen to enforce the use of NTLMv2 when connecting to its servers. All Windows clients will need to turn on the use of NTLMv2 in order to connect to the IMSS Windows servers. In addition, Macintosh clients wishing to connect to the IMSS Windows servers will also need to use NTLMv2 authentication. Please follow the instructions found in our Connecting to IMSS Servers from Macintosh Computers web page.

We have detailed instructions for enabling NTLMv2 on all of the major versions of the Windows operating system that can connect to IMSS Windows servers. Please note that the instructions are different for Windows XP Home and Windows XP Professional.

Please Note: By following the instructions in these guides, you will be changing your Windows clients to use only NTLMv2 authentication and refuse everything else. By changing to this highest level of security, you may have difficulty connecting to other Windows machines that have not had the equivalent change made. If you regularly connect to other Windows systems, you should either follow the instructions to enable NTLMv2 on them too (where possible) or, alternatively, experiment with a lower setting of the LAN Manager Authentication Level. Because the LM hash in particular is so weak, IMSS strongly recommends enabling NTLMv2 on each of your Windows machines or, failing that, choosing the highest LAN Manager Authentication Level possible.
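The "LAN Manager Authentication Level" described above is backed by a single registry value, and the following PowerShell script (an added illustration, not part of IMSS's instructions) audits it and can raise it to the NTLMv2-only setting. It assumes the policy lives in the LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and that the level meanings are those Microsoft documents for that policy; level 5 is the "NTLMv2 only, refuse LM and NTLM" setting the guides enable, and level 3 is the lower setting that still sends only NTLMv2 while tolerating older peers.

```powershell
# Added audit/remediation helper; not IMSS's own guide.
# Assumption: the "LAN Manager Authentication Level" policy is stored as the
# LmCompatibilityLevel REG_DWORD under the Lsa key, with Microsoft's level meanings.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # An absent value means "not configured", so the OS default applies; report it as $null.
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Test-NtlmV2Only {
    # $true when this client sends only NTLMv2 responses (level 3 or higher),
    # which is what it needs before talking to a server that refuses LM and NTLM.
    $level = Get-LmCompatibilityLevel
    return ($null -ne $level -and $level -ge 3)
}

function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 5)][int]$Level = 5)
    # Requires an elevated (administrator) session; -WhatIf previews the change.
    if ($PSCmdlet.ShouldProcess("$LsaKey\LmCompatibilityLevel", "Set to $Level ($($Levels[$Level]))")) {
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
    }
}

# Report the current state and flag clients that may still send LM or NTLM.
$current = Get-LmCompatibilityLevel
if ($null -eq $current) {
    Write-Host 'LmCompatibilityLevel is not set; the OS default applies.'
} else {
    Write-Host ("Current level {0}: {1}" -f $current, $Levels[$current])
}
if (-not (Test-NtlmV2Only)) {
    Write-Host 'Client may still send LM or NTLM responses; run Set-LmCompatibilityLevel -Level 5 (add -WhatIf to preview).'
}
```

Level 5 is the setting that can break connections to machines not yet configured for NTLMv2; if that happens, level 3 keeps this client sending NTLMv2 only while still accepting older responses from peers.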

If you have any questions about this, please contact the IMSS Help Desk at http://help.caltech.edu (request type IMSS-->Desktop Support-->Other) or x3500.