Configuring Servers to Use NTLMv2

How important is it to configure servers to use NTLMv2 for authentication?

Configuring servers to use NTLMv2 is of medium to high importance, depending on your environment. Windows uses the Kerberos authentication protocol by default. However, Windows uses NT LAN Manager (NTLM) or NTLMv2 when Kerberos isn't available, which can be the case if you have users that use local accounts instead of domain accounts, log on to computers outside your domain, or use an OS that doesn't support Kerberos.

NTLMv2 provides better protection than NTLM by making it more difficult to crack any challenge and response data gleaned from authentication packets traveling over the network. To capture those packets, an attacker has to trick the network switch into forwarding packets to his or her computer, which requires either physical access to the network or remote control of a computer on the network. Sniffing packets on a modern, fully switched network is more difficult than on older, hub-based networks. For an attacker who successfully captures authentication traffic, cracking NTLMv2 challenge/response pairs is more difficult than cracking NTLM. However, weak passwords are easily cracked no matter what protocol you use—even Kerberos.

To force systems to use NTLMv2 rather than NTLM and reject any computer that attempts lower-level authentication, you can open Group Policy Management Console (GPMC), select a Group Policy Object (GPO) that's applied to all the computers on your network, navigate to Computer ConfigurationWindowsSettingsSecurity SettingsLocal PoliciesSecurity Options, and set the Network security: LAN Manager authentication level field to Send NTLMv2 response only/refuse LM & NTLM.