Enabling NTLMv2 on Windows NT Server 4.0 Computers

Please note: These instructions are based on a computer running the latest service pack, Windows NT 4.0 Service Pack 6a. This software can be downloaded directly from Microsoft's Website.

In order to enable NTLMv2 on a Windows NT Server 4.0 computer, you will need to make a few changes to the Registry.

Warning: Before you attempt to make any changes to the registry, please back it up and make sure you know how to restore it if there is a problem afterward. See Microsoft's Knowledge Base article 323170, "How To Backup, Edit, and Restore the Registry in Windows NT 4.0".

  1. Select the "Start Menu" and then select "Run...".

  2. In the "Run..." dialog box, type regedt32, then click the OK button to open the Registry Editor.

  3. The Registry Editor will open.

  4. Select the HKEY_LOCAL_MACHINE on Local Machine window, and then maximize the window for easier viewing.

  5. In the left hand window, expand "HKEY_LOCAL_MACHINE".

  6. In the left hand window, expand "SYSTEM".

  7. In the left hand window, expand "CurrentControlSet".

  8. In the left hand window, expand "Control".

  9. In the left hand window, expand "Lsa".

  10. Create the "LMCompatibilityLevel" registry DWORD value for the Lsa key by selecting the "Lsa" key, clicking on the Edit menu, and then selecting the Add Value... option.

  11. You will be presented with the "Add Value" dialog box.

  12. In the Add Value dialog box, in the Value Name: field, type "LMCompatibilityLevel" (without the quotes).

  13. In the Add Value dialog box, in the Data Type: field, select "REG_DWORD" value from the pull-down menu, and then click the OK button.

  14. You will be presented with the "DWORD Editor" dialog box.

  15. In the "DWORD Editor" dialog box, change the Data: field to "5", make sure that the "Hexadecimal" radio button is chosen in the Radix section, and then click the OK button.

  16. In the right hand window, the "LMCompatibilityLevel" entry should now show the new value.

  17. Exit the Registry Editor by clicking on the Registry menu, and then selecting Exit.

  18. Please restart your computer.

Please Note: By following the instructions in these guides, you will be changing your Windows clients to only use NTLMv2 authentication and refuse everything else. In changing to this highest level of security, you may have difficulty connecting to other Windows machines that have not had the equivalent change made. If you regularly connect to other Windows systems you should either follow the instructions to enable NTLMv2 on them too (where possible) or, alternatively, experiment with a lower setting of the LAN Manager Authentication Level. Due to the insecurity of the LM hash in particular, IMSS strongly recommends enabling NTLMv2 on each of your Windows machines or, failing that, choosing the highest LAN Manager Authentication level possible.
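To confirm the change after the restart, or to see which level a machine left at a lower setting is using, the following added example (not part of the original instructions) parses a REGEDIT4 text export of the Lsa key and reports the LAN Manager authentication level it finds. It assumes the export was made with regedit.exe's Export Registry File command; the function name, the constructed sample export and the level descriptions (Microsoft's documented 0-5 scale) are supplied here and do not come from this page.

```python
import re

# LAN Manager authentication levels (Microsoft's documented 0-5 scale).
LEVELS = {
    0: "send LM and NTLM responses; never use NTLMv2 session security",
    1: "send LM and NTLM responses; use NTLMv2 session security if negotiated",
    2: "send NTLM response only",
    3: "send NTLMv2 response only",
    4: "send NTLMv2 response only; refuse LM",
    5: "send NTLMv2 response only; refuse LM and NTLM",
}
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
VALUE_NAME = "lmcompatibilitylevel"  # registry names are case-insensitive

# Constructed sample export, as it would look after following steps 1-18.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000005
'''

def audit_lsa_export(reg_text):
    """Return (level, description, ntlmv2_only) for a text export of the Lsa key."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*(.+)$', line)
        if not m or current_key != LSA_KEY or m.group(1).lower() != VALUE_NAME:
            continue
        data = m.group(2).strip()
        if not data.lower().startswith("dword:"):
            # Wrong Data Type picked in step 13 (e.g. a string instead of REG_DWORD).
            return None, "value exists but is not REG_DWORD", False
        level = int(data[6:], 16)  # exports store DWORD data in hexadecimal
        description = LEVELS.get(level, "out of range; valid levels are 0-5")
        return level, description, level == 5
    return None, "LMCompatibilityLevel is not present under the Lsa key", False

if __name__ == "__main__":
    print(audit_lsa_export(SAMPLE_EXPORT))
```

Only a result whose third element is True matches the configuration these steps produce; any other level means the machine still sends or accepts weaker responses.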