Send LM & NTLM – use NTLMv2 session security if negotiated

* Policy required to make Vista-Biz allow connections from XP-Pro computers [workgroup environment] *

HISTORICALLY SPEAKING (in the context of understanding how networking has evolved in Microsoft operating systems), to quote: “After you upgrade all computers that are based on Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT 4.0, you can greatly improve your organization’s security by configuring clients, servers, and domain controllers to use only NTLM 2 (not LM or NTLM).”

POLICY PROPERTIES (has the following ‘explanation’)

The policy details are pasted below [as provided in the Vista-Biz secpol.msc]:
Network security: LAN Manager authentication level

This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:

Send LM & NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send LM & NTLM – use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. [*arrrrrrgh, … use this one, ok*]

Challenge/response sequence: visit www.blackhat.com/presentations/win-usa-02/urity-winsec02.ppt for a detailed PowerPoint presentation.

OTHER POLICIES (Selecting the appropriate one?)

Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).

Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).

Important

This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.

Default:

Send LM & NTLM responses on server.
Undefined on workstations.
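
To see which machines in a workgroup can still log on to each other under the levels quoted above, the following added example (not part of the original post or of the policy text) reads collected `reg query` output and applies the send/refuse rules from the explanation. It assumes the policy is stored as `LmCompatibilityLevel` (0 to 5, in the order the policy lists its options) under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and that the "domain controllers accept" rule applies to whichever machine validates the logon, which in a workgroup is the target computer; host names and sample output are constructed.

```python
import re

# level -> (secpol.msc policy name, responses a client sends, responses a server refuses)
LEVELS = {
    0: ("Send LM & NTLM responses", {"LM", "NTLM"}, set()),
    1: ("Send LM & NTLM - use NTLMv2 session security if negotiated", {"LM", "NTLM"}, set()),
    2: ("Send NTLM response only", {"NTLM"}, set()),
    3: ("Send NTLMv2 response only", {"NTLMv2"}, set()),
    4: ("Send NTLMv2 response only\\refuse LM", {"NTLMv2"}, {"LM"}),
    5: ("Send NTLMv2 response only\\refuse LM & NTLM", {"NTLMv2"}, {"LM", "NTLM"}),
}
REG_VALUE = re.compile(r"^\s*LmCompatibilityLevel\s+REG_DWORD\s+0x([0-9a-f]+)\s*$", re.I | re.M)

def parse_level(reg_output):
    """Level from `reg query` output; None when the value is not defined."""
    match = REG_VALUE.search(reg_output)
    if match is None:
        return None
    level = int(match.group(1), 16)
    if level not in LEVELS:
        raise ValueError(f"unexpected LmCompatibilityLevel {level}")
    return level

def usable_responses(client_level, server_level):
    """Responses the client sends that the server does not refuse (empty = logon fails)."""
    return LEVELS[client_level][1] - LEVELS[server_level][2]

def audit(collected):
    """collected: host -> reg query text. Returns (levels, failing pairs, hosts still sending LM)."""
    levels = {host: parse_level(text) for host, text in collected.items()}
    known = {h: lvl for h, lvl in levels.items() if lvl is not None}
    failing = sorted((c, s) for c in known for s in known
                     if c != s and not usable_responses(known[c], known[s]))
    sends_lm = sorted(h for h, lvl in known.items() if "LM" in LEVELS[lvl][1])
    return levels, failing, sends_lm

# Constructed sample input: host names and values are invented for the example.
KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
SAMPLE = {
    "XP-PRO": KEY + "    LmCompatibilityLevel    REG_DWORD    0x0\n",
    "VISTA-BIZ": KEY + "    LmCompatibilityLevel    REG_DWORD    0x1\n",
    "FILESRV": KEY + "    LmCompatibilityLevel    REG_DWORD    0x5\n",
    "LAPTOP": KEY + "    limitblankpassworduse    REG_DWORD    0x1\n",
}

if __name__ == "__main__":
    levels, failing, sends_lm = audit(SAMPLE)
    print("logon fails (client -> server):", failing)
    print("still sending LM responses:", sends_lm)
```

A host whose value is not defined (LAPTOP in the sample) is reported as `None` and left out of the pairing, because its effective level is then the operating system's built-in default.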

***** [7:38 PM 3/07/2011] *****

Group Policy Settings Reference for Windows and Windows Server

Here is the url for a different take on the same problem ~ Unable to access Network share on MacOS X from Windows 7 ~

About grdanson

Maintainer and Administrator

One Response to Send LM & NTLM – use NTLMv2 session security if negotiated

  1. test says:

    This is just a test
