Access Denied--Implementing NTLMv2 on Win2K, NT, and Win9x machines
Learn how to upgrade NT LAN Manager (NTLM) to NTLMv2 on your Win2K, NT, and Win9x machines.
November 25, 2001
Having read about the weaknesses in the NT LAN Manager (NTLM) authentication protocol in your Windows 2000 Magazine article "Protect Your Passwords," http://www.win2000mag.com, InstantDoc ID 3844, I want to upgrade to NTLMv2. I have a mix of Windows 2000, Windows NT, and Windows 9x computers. To prepare for the upgrade, I know that I need to install the most recent service pack on the NT computers, but where can I get the Active Directory (AD) client for Win9x computers that the article mentions?
You're right that whenever you use Win2K computers in an NT domain (or any NT or Win9x computers) to log on over the network, your logon uses the NTLM authentication protocol. NTLM is vulnerable to eavesdropping and subsequent attack with tools such as @stake's L0phtCrack. You can defeat such attacks by implementing NTLMv2. On Win2K, simply set LAN Manager Authentication Level under computer configurationwindows settingssecurity settingslocal policiessecurity options to Send NTLMv2 response only. On NT, you'll need Service Pack 4 (SP4) or later. Create a registry value LMCompatibilityLevel under HKEY_LOCAL_MACHINE SYSTEMCurrentControlSetControl Lsa, and set the value to 3. On Win9x, you need to make the same registry change and install the Directory Services client, which you can find on your Win2K CD-ROM under Clients Win9x. You must install this client even if you don't use AD.
About the Author
You May Also Like