What is the default level setting for NTLMv2 for different Windows editions?

Question
-
It seems to me that NTLMv2 has been integrated since NT 4.0 SP4 or Windows 2000 (http://support.microsoft.com/kb/239869).
And there are levels 0-4 and 5 for NTLMv2.
Does it mean that in Windows XP, 2003, Vista and Windows 2008, only NTLMv2 is supported?
If it is the case, what level value is used by default for each of windows editions above?
Thanks in advance.
Hama
Answers
-
Hi Hama:
We have finished our investigation on your question regarding the default value of LmCompatibilityLevel. Please find the answers to your questions as follows:
Question: Does it mean that in Windows XP, 2003, Vista and Windows 2008, only NTLMv2 is supported?
Answer: No. All the versions of Windows are backward compatible with LanMan and NTLMv1. The purpose of LmCompatibilityLevel is to set the minimum security standard. Section “<66> Section 5.1” of MS-NLMP explains what the minimum standard would be depending upon what is set in the registry for LmCompatibilityLevel. You can access the MS-NLMP document at the following link:
http://msdn.microsoft.com/en-us/library/cc236621.aspx
Question: If it is the case, what level value is used by default for each of the Windows editions above?
Answer: The default level value for LmCompatibilityLevel for each version of Windows is as follows:
Windows XP: 0
Windows 2003: 2
Vista/2008: 3
Win7/2008 R2: 3
Please let me know if it answers your questions. If yes, I’ll consider this issue resolved.
Regards, Obaid Farooqi
Marked as answer by Obaid Farooqi (Microsoft employee, Owner), Friday, March 19, 2010 4:14 PM
-
Hi Willhud:
LmCompatibilityLevel is used to dictate the version of NTLM and related features. The meaning of LmCompatibilityLevel is different for a DC and for a client. The details, as I pointed out in my previous reply, are documented in MS-NLMP.
I am assuming that by “Windows 2008 Server” you mean Windows Server 2008 R2. As the KB article mentioned by you explains, Windows Server 2008 can join an NT 4 domain by creating a machine account before joining the domain.
As for support for level 0, a simple test will confirm that when a Windows 7 client (same as Windows Server 2008 R2 in this respect) is set to level 0, it uses NTLMv1 to authenticate when accessing a share.
Also, although the default level for Windows 7/Windows Server 2008 R2 is 3, if a client returns an NTLMv1 authenticate message, Windows 7/Windows Server 2008 R2 authenticates successfully if the credentials are correct.
Regards, Obaid Farooqi
Marked as answer by Obaid Farooqi (Microsoft employee, Owner), Friday, April 9, 2010 8:50 PM
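As an added example (not code from the thread or from Microsoft), the PowerShell below audits a host against the two points made in these answers: it reads the effective LmCompatibilityLevel, falls back to the per-version defaults listed above when the value is not set explicitly, and reports what that level sends as a client and still accepts as an authenticating server or DC. It assumes the standard location of the value, HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and maps only the OS versions the thread covers.

```powershell
# Added audit script; assumes the Lsa key below holds LmCompatibilityLevel.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Defaults quoted in the thread, keyed by kernel version "major.minor".
$DefaultByVersion = @{
    '5.1' = 0   # Windows XP
    '5.2' = 2   # Windows Server 2003
    '6.0' = 3   # Vista / Server 2008
    '6.1' = 3   # Windows 7 / Server 2008 R2
}

function Get-LmCompatibilityLevel {
    # Explicit registry value wins; otherwise use the OS default from the table.
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        return [pscustomobject]@{ Level = [int]$item.LmCompatibilityLevel; Source = 'registry' }
    }
    $os  = [System.Environment]::OSVersion.Version
    $key = "$($os.Major).$($os.Minor)"
    if ($DefaultByVersion.ContainsKey($key)) {
        return [pscustomobject]@{ Level = $DefaultByVersion[$key]; Source = "OS default for $key" }
    }
    return [pscustomobject]@{ Level = $null; Source = 'unknown: value absent and version not in table' }
}

function Describe-LmCompatibilityLevel([int]$Level) {
    # First clause: what this host sends as a client.
    # Second clause: what it accepts when it is the authenticating server/DC.
    switch ($Level) {
        0 { 'Sends LM and NTLMv1, no NTLMv2 session security. Accepts LM, NTLMv1 and NTLMv2.' }
        1 { 'Sends LM and NTLMv1, NTLMv2 session security if negotiated. Accepts LM, NTLMv1 and NTLMv2.' }
        2 { 'Sends NTLMv1 only. Accepts LM, NTLMv1 and NTLMv2.' }
        3 { 'Sends NTLMv2 only. Still accepts LM and NTLMv1 from clients (the behaviour noted in the thread).' }
        4 { 'Sends NTLMv2 only. DC refuses LM; NTLMv1 still accepted.' }
        5 { 'Sends NTLMv2 only. DC refuses LM and NTLMv1.' }
        default { 'Unknown level.' }
    }
}

$result = Get-LmCompatibilityLevel
"LmCompatibilityLevel = $($result.Level) [$($result.Source)]"
if ($null -ne $result.Level) {
    Describe-LmCompatibilityLevel $result.Level
    if ($result.Level -lt 3)     { 'WARNING: this host still sends LM/NTLMv1 responses.' }
    elseif ($result.Level -lt 5) { 'NOTE: this host still accepts NTLMv1 when authenticating others.' }
}
```

Raising the level only on the client side stops that host from sending weaker responses; refusing NTLMv1 from others requires level 5 on the authenticating server or DC, which is the distinction the second answer draws.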
All replies
-
Question: if LmCompatibilityLevel is backward compatible for all versions, then why can you not put a Windows 2008 machine onto a Windows NT 4.0 domain? What is keeping that from working?
Such as is discussed here. The document doesn't say why changing LmCompatibilityLevel doesn't work.
http://support.microsoft.com/kb/940268
I was trying to add a Windows 2008 Server to our NT 4.0 Domain and this is what I kept running into. Under Windows 2003, you could change that setting and still make it join the domain.
-
Hi eng_mahmoud,
The purpose of this forum is to support the Open Specifications documentation. You can read about the Microsoft Open Specifications program here: http://www.microsoft.com/openspecifications/en/us/default.aspx
The library of Open Specification documents is located here: http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx
Your question may be more applicable to this forum: http://social.technet.microsoft.com/Forums/en-US/winserverfiles/threads
Thanks and regards,
Sebastian
SEBASTIAN CANEVARI - MSFT Escalation Engineer Protocol Documentation Team