
I'd like to apply LmCompatibilityLevel = 5 to my domain but I am not sure if this is to be applied to all clients (via GPO), domain controllers only or to both. I am a little confused as the TechNet description states that this option is to have the Domain controller refuse certain authentication responses.

From TechNet:

Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.

1 Answer


Typically the same value is configured on all Windows computers. The objective is to prevent any and all usages of NTLM1 due to the severity of the security risk. If a client transmits an NTLM1 hash over the network, it may be intercepted and easily cracked compared to NTLM2, depending on the length/complexity of the password. This is a common tactic used by attackers in man-in-the-middle attacks during the recon phase of an incursion. So you don't want NTLM1 anywhere in your environment.

The setting behaves differently depending on whether the computer is performing a client or server function. Any Windows computer (workstation, member server, or domain controller) can perform both.

It is highly recommended to have a backout planned as a contingency. Assessing NTLM1 usage and impact is notoriously difficult, especially if you have a large, heterogeneous environment with a lot of crusty old legacy systems.

The Most Misunderstood Windows Security Setting of All Time
https://technet.microsoft.com/en-us/library/2006.08.securitywatch.aspx

Greg Askew