Security guidance for NTLMv1 and LM network authentication

Article ID: 2793313

INTRODUCTION

We are aware of detailed information and tools that might be used for attacks against NT LAN Manager version 1 (NTLMv1) and LAN Manager (LM) network authentication. Improvements in computer hardware and software algorithms have made these protocols vulnerable to published attacks for obtaining user credentials. The information and available toolsets specifically target environments that do not enforce NTLMv2 authentication. We strongly encourage customers to evaluate their environments and update network authentication settings. All supported Microsoft operating systems provide NTLMv2 authentication capabilities.

Systems that are affected in a default configuration are primarily at risk, such as systems that are running Microsoft Windows NT 4, Windows 2000, Windows XP, and Windows Server 2003. For example, by default, Windows XP and Windows Server 2003 both support NTLMv1 authentication. 

For Windows NT, two options are supported for challenge response authentication in network logons: LAN Manager (LM) challenge response and Windows NT challenge response (also known as NTLM version 1 challenge response). These both allow for interoperability with installed bases of Windows NT 4.0, Windows 95, Windows 98, and Windows 98 Second Edition. 


To have us fix this problem for you, go to the "Fix it for me" section.

Resolution

To reduce the risk of this issue, we recommend that you configure environments that run Windows NT 4, Windows 2000, Windows XP, and Windows Server 2003 to allow the use of NTLMv2 only. To do this, manually set the LAN Manager Authentication Level to 3 or higher as described here.

For Windows XP and Windows Server 2003, Microsoft Fix it solutions are available to automatically configure systems to allow the use of NTLMv2 only. This method also enables the NTLM settings for users to take advantage of Extended Protection for Authentication.

Fix it for me

The Fix it solution described in this section is not intended to be a replacement for any security update. We recommend that you always install the latest security updates. However, we offer this Fix it solution as a workaround option for some scenarios. 

Microsoft Fix it for Windows XP

To enable or disable this Fix it solution, click the Fix it button or link under the Enable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.
Enable: Microsoft Fix it 50969

Notes
  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.
Microsoft Fix it for Windows Server 2003

To enable or disable this Fix it solution, click the Fix it button or link under the Enable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.
Enable: Microsoft Fix it 50970

Notes
  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

FAQ

Is there more information about threats and countermeasures for Windows Network Security and the LAN Manager Authentication Level?

Detailed information about threats and countermeasures is available on Microsoft TechNet in the Threats and Countermeasures Guide. For more information about NTLM version configuration, see LmCompatibilityLevel.

What caused the issue?

Until January 2000, export restrictions limited the maximum key length for cryptographic protocols. The LM and NTLM authentication protocols were both developed before January 2000 and therefore were subject to these restrictions. When Windows XP was released, it was configured to ensure backward-compatibility with authentication environments designed for Windows 2000 and earlier. 

How do I investigate if my configuration is vulnerable?

You are affected by this issue if the LMCompatibilityLevel registry setting is set to a value less than three (<3).
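The following PowerShell is an added example, not Microsoft's code or part of the Fix it packages. It performs the check described above and applies the manual setting from the Resolution section (level 3 or higher). The function names are hypothetical, the registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa is not stated on this page, and remote queries assume the Remote Registry service is reachable on the target.

```powershell
# Added example: audit and set LmCompatibilityLevel (PowerShell 2.0 compatible).
# Assumption: remote targets expose the Remote Registry service.
$LsaSubKey = 'SYSTEM\CurrentControlSet\Control\Lsa'
$Meaning = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($name in $ComputerName) {
        $row = @{ Computer = $name; Level = $null; Affected = $null; Detail = $null }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
            $key = $hklm.OpenSubKey($LsaSubKey)
            $level = $key.GetValue('LmCompatibilityLevel', $null)
            $key.Close(); $hklm.Close()
            if ($null -eq $level) {
                # Value absent: the OS default applies, which this article
                # states is below 3 on NT 4, 2000, XP and Server 2003.
                $row.Detail = 'Not set; OS default applies'
            } else {
                $row.Level    = [int]$level
                $row.Affected = ([int]$level -lt 3)
                $row.Detail   = $Meaning[[int]$level]
            }
        } catch {
            # Unreachable host, access denied, or missing key.
            $row.Detail = "Query failed: $($_.Exception.Message)"
        }
        New-Object PSObject -Property $row
    }
}

function Set-NtlmV2Only {
    # Local remediation: level 3 is the minimum this article recommends.
    param([ValidateRange(3, 5)][int]$Level = 3)
    Set-ItemProperty -Path "HKLM:\$LsaSubKey" -Name 'LmCompatibilityLevel' `
        -Value $Level -Type DWord
}

Get-LmCompatibilityLevel | Format-Table Computer, Level, Affected, Detail -AutoSize
```

Run `Set-NtlmV2Only` from an elevated session. A host that reports "Not set" should be treated as affected when it runs one of the operating systems listed in this article.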

Which Windows operating systems are affected in default configurations? 

Windows NT4, Windows 2000, Windows XP, and Windows Server 2003 all have a default configuration value of LMCompatibilityLevel that is less than three (<3).

What are the potential risks of enforcing NTLMv2?

All supported versions of the Windows operating system support NTLMv2. Windows NT 4.0 SP6a also supports NTLMv2. Therefore, there is a very small compatibility risk. Third-party legacy implementations or configurations may have to be evaluated for any interoperability issues. A reconfiguration or upgrade may resolve this problem. Customers are strongly advised to take remedial steps to configure and upgrade their network to identify and phase out NTLMv1. Use of the NTLMv1 protocol has a definite, adverse effect on network security, and NTLMv1 authentication may be compromised.

What might an attacker use the vulnerability to do?

An attacker could extract authentication hashes from captured LM and NTLM network authentication responses.

Where can I find information about how to enable NTLMv2 on versions of Microsoft Windows that are no longer in support? 

Detailed information about NTLMv2 for Windows NT, Windows 95, Windows 98, and Windows 98 Second Edition is available in Microsoft Knowledge Base Article 239869.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:
  • Mark Gamache of T-Mobile USA for working with us to help protect customers from attacks against NTLMv1 (NT LAN Manager version 1) and LAN Manager (LM) network authentication

Properties

Article ID: 2793313 - Last Review: January 8, 2013 - Revision: 1.0
Applies to
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional