NT Gatekeeper: Enabling NTLMv2 on Windows NT 4.0 Workstations
NTLMv2 is a more secure authentication protocol than version 1. Learn how to make sure that all your NT 4.0 workstations use NTLMv2.
September 14, 2003
The Windows NT LAN Manager (NTLM) authentication protocol is available in version 1 and version 2. How can I make sure that only NTLMv2—the more secure version—is enabled on my NT 4.0 workstations?
NT 4.0 has supported NTLMv2 natively since Microsoft released Service Pack 4 (SP4). NTLMv2 isn't available in earlier NT 4.0 releases and service packs. The NTLM version that NT 4.0 workstations use is also influenced by the value of the LMCompatibilityLevel registry subkey, which is in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
Table 1 shows the possible values of the LMCompatibilityLevel subkey. To make sure that your NT 4.0 workstations can use NTLMv2, set LMCompatibilityLevel to 1, 2, 3, 4, or 5. Note that setting the value to 3 or 5 can make authentication fail if the server the workstation is authenticating to doesn't support NTLMv2.
The availability of the NTLMv2 authentication protocol on a Windows platform doesn't mean that NTLMv1 is no longer available. In fact, the two authentication protocols can coexist, and earlier (pre-NT 4.0 SP4) Windows clients can still use NTLMv1 (unless you have the LMCompatibilityLevel value set to 5 on all your servers). For more information about how to fine-tune the NTLM authentication protocol, see the Microsoft article "How to Enable NTLM 2 Authentication" (http://support.microsoft.com/?kbid=239869).
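To check the setting across many workstations, you can export the Lsa key from each one with regedit and audit the exports offline. The following Python script is an added example, not part of the original article: it parses REGEDIT4 exports and classifies each workstation using only the guidance above. The workstation names and the sample exports are constructed, and treating an absent value the same as 0 is an assumption of the example.

```python
import re

# Key and value named in the article; REGEDIT4 exports put key paths in [brackets].
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "LMCompatibilityLevel"

def read_lm_level(reg_text):
    """Return LMCompatibilityLevel from a .reg export, or None if it is absent."""
    in_lsa = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_lsa = line[1:-1].lower() == LSA_KEY.lower()  # key names ignore case
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line) if in_lsa else None
        if m and m.group(1).lower() == VALUE_NAME.lower():
            d = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", m.group(2).strip())
            if not d:
                raise ValueError(f"{VALUE_NAME} is not a REG_DWORD: {m.group(2)!r}")
            return int(d.group(1), 16)
    return None

def assess(level):
    """Classify a level using only the guidance stated in the article."""
    if level is None or level == 0:
        return "FAIL: value absent or 0; the article calls for 1-5"
    if level > 5:
        return "FAIL: outside the 0-5 range"
    if level in (3, 5):
        return "OK: confirm every server supports NTLMv2, or authentication can fail"
    return "OK"

def sample_export(key, body):
    """Build a constructed REGEDIT4 export for the demonstration below."""
    return f"REGEDIT4\n\n[{key}]\n{body}\n"

# Constructed sample exports; workstation names are hypothetical.
SAMPLES = {
    "WS01": sample_export(LSA_KEY, '"LMCompatibilityLevel"=dword:00000003'),
    "WS02": sample_export(LSA_KEY, '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'),
    "WS03": sample_export(LSA_KEY.lower(), '"lmcompatibilitylevel"=dword:00000001'),
}

def audit(samples):
    return {host: assess(read_lm_level(text)) for host, text in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(host, verdict)
```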