LM/NTLMv1 Retirement
Hosted by LSP Services
What is LM
LM stands for LAN Manager
Used by Windows 95, 98, Me and NT; now considered a legacy protocol
LM is an authentication protocol that uses a particularly weak method of hashing a user's password, known as the LM hash algorithm: the password is converted to upper case, padded to 14 characters and split into two 7-character halves, each of which is hashed independently
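The LM hash algorithm just described, reproduced as an added example (this is not code from the UITS slides). It uses the DES implementation that ships with .NET, and the four input passwords at the end are constructed for the demonstration; the only thing assumed beyond the slide's description is the fixed plaintext "KGS!@#$%" that LM encrypts under each half of the password.

```powershell
# Added example (not from the UITS slides): reproduce the LM hash algorithm with
# .NET's DES class so that its weaknesses are visible in code.

function ConvertTo-DesKey {
    # Spread 7 password bytes (56 bits) over 8 DES key bytes, 7 bits per byte.
    # The low bit of each key byte is a parity bit that DES itself ignores;
    # odd parity is written so the key matches the textbook form.
    param([byte[]]$Seven)
    $bits = -join ($Seven | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') })
    $key = New-Object byte[] 8
    for ($i = 0; $i -lt 8; $i++) {
        $chunk  = $bits.Substring($i * 7, 7)
        $ones   = ($chunk -replace '0', '').Length
        $parity = if ($ones % 2 -eq 0) { '1' } else { '0' }
        $key[$i] = [Convert]::ToByte($chunk + $parity, 2)
    }
    return ,$key
}

function Get-LmHalf {
    # DES-encrypt the fixed string "KGS!@#$%" under one 7-byte half of the password.
    param([byte[]]$Half)
    if (@($Half -ne 0).Count -eq 0) {
        # An all-zero half (every password shorter than 8 characters) expands to
        # the DES weak key 01 01 01 01 01 01 01 01, which .NET refuses to load.
        # Its ciphertext is the well-known constant AAD3B435B51404EE.
        $const = [byte[]](0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE)
        return ,$const
    }
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $magic = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')
    $enc   = $des.CreateEncryptor((ConvertTo-DesKey $Half), (New-Object byte[] 8))
    $out   = $enc.TransformFinalBlock($magic, 0, $magic.Length)
    return ,$out
}

function Get-LmHash {
    param([Parameter(Mandatory)][string]$Password)
    # Step 1: case is discarded and the password is zero-padded to 14 bytes.
    # (Windows stores no LM hash at all for passwords longer than 14 characters;
    # the truncation here only keeps the demonstration total.)
    $pw = $Password.ToUpperInvariant()
    if ($pw.Length -gt 14) { $pw = $pw.Substring(0, 14) }
    $buf = New-Object byte[] 14
    [System.Text.Encoding]::ASCII.GetBytes($pw).CopyTo($buf, 0)
    # Step 2: the two halves are hashed independently, so an attacker cracks two
    # 7-character upper-case strings rather than one 14-character password.
    $bytes = @(Get-LmHalf ([byte[]]($buf[0..6]))) + @(Get-LmHalf ([byte[]]($buf[7..13])))
    return -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

# Constructed inputs for the demonstration:
Get-LmHash 'password'   # the reference hash for this password is widely published
Get-LmHash 'PaSsWoRd'   # identical hash: case never reaches the algorithm
Get-LmHash 'passworx'   # first 16 hex digits identical: the halves are independent
Get-LmHash 'pass'       # second half is the constant AAD3B435B51404EE
```

The value returned for "password", E52CAC67419A9A224A3B108F3FA6CB6D, is the one that appears in every LM cracking write-up and is a convenient self-check. The three properties the other inputs expose (no case, independent halves, a constant second half for short passwords) are exactly what let rainbow-table tools precompute the whole LM space.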
What is NTLMv1
Abbreviation for "Windows NT LAN Manager"
NTLM uses a challenge-response mechanism for authentication
Clients prove their identity without sending the password to the server; the client's response is derived from its password hash by DES-encrypting the server's 8-byte challenge, which is why a captured exchange can be cracked offline
Retire Support for LM/NTLMv1
UITS will retire support for both the LAN Manager (LM) and NT LAN Manager version 1 (NTLMv1) authentication protocols by May 22, 2006.
After these protocols are disabled, the only authentication protocols accepted by the ADS domain controllers will be NTLMv2 and Kerberos.
The protocols will not be blocked on the network; the domain controllers will simply refuse them.
Why Retire LM and NTLMv1
Recent improvements in computer hardware and software algorithms have made both the LM and NTLMv1 protocols vulnerable to widely published attacks for obtaining user passwords, using tools such as:
– RainbowCrack
– John the Ripper
– Proactive Password Explorer
– SAMInside
How will the Change be Implemented
Two policies will set the LM compatibility level to "NTLMv2 response only/refuse LM and NTLM" (Level 5).
The first policy to change will be the Default Domain Policy. On May 15th, 2006, the project team will set its LM compatibility level to "NTLMv2 response only/refuse LM and NTLM" (Level 5). This changes the security setting on all Windows workstations and servers in the ADS domain that receive the Default Domain Policy. Because every compatibility level still accepts NTLMv2, raising the clients first does not break their authentication to the domain controllers.
One week later, on May 22, 2006, the Default Domain Controllers Policy will be set to "NTLMv2 response only/refuse LM and NTLM" (Level 5). From then on only NTLMv2 (and Kerberos) authentication will be accepted in the domain, which effectively disables LM/NTLMv1 use by Windows systems connected to the ADS domain.
LM Compatibility Level
"Sends" is what a client at that level puts in its authentication response; "Accepts" is what a domain controller (or other server) at that level will validate. "NTLM" in this table means NTLMv1.

Level  Group Policy Name                                             Sends     Accepts           Prohibits Sending
0      Send LM and NTLM                                              LM, NTLM  LM, NTLM, NTLMv2  NTLMv2
1      Send LM and NTLM, use NTLMv2 session security if negotiated   LM, NTLM  LM, NTLM, NTLMv2  NTLMv2
2      Send NTLM response only                                       NTLM      LM, NTLM, NTLMv2  LM, NTLMv2
3      Send NTLMv2 response only                                     NTLMv2    LM, NTLM, NTLMv2  LM, NTLM
4      Send NTLMv2 response only/refuse LM                           NTLMv2    NTLM, NTLMv2      LM
5      Send NTLMv2 response only/refuse LM and NTLM                  NTLMv2    NTLMv2            LM, NTLM
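The table, and the two-step rollout on the implementation slide, as an added example (not code from the UITS slides): the level table is encoded as data and a small function predicts whether a client at one level can authenticate to a domain controller at another. The negotiation logic is a deliberate simplification, a response is accepted if the client sends at least one type the server accepts, and the level numbers used in the calls at the end are constructed for the demonstration.

```powershell
# Added example (not from the UITS slides): encode the LM compatibility level
# table and predict which client / domain-controller pairs can still authenticate.
$LmLevel = @{
    0 = @{ Name = 'Send LM and NTLM'
           Sends = @('LM', 'NTLM');  Accepts = @('LM', 'NTLM', 'NTLMv2') }
    1 = @{ Name = 'Send LM and NTLM, use NTLMv2 session security if negotiated'
           Sends = @('LM', 'NTLM');  Accepts = @('LM', 'NTLM', 'NTLMv2') }
    2 = @{ Name = 'Send NTLM response only'
           Sends = @('NTLM');        Accepts = @('LM', 'NTLM', 'NTLMv2') }
    3 = @{ Name = 'Send NTLMv2 response only'
           Sends = @('NTLMv2');      Accepts = @('LM', 'NTLM', 'NTLMv2') }
    4 = @{ Name = 'Send NTLMv2 response only/refuse LM'
           Sends = @('NTLMv2');      Accepts = @('NTLM', 'NTLMv2') }
    5 = @{ Name = 'Send NTLMv2 response only/refuse LM and NTLM'
           Sends = @('NTLMv2');      Accepts = @('NTLMv2') }
}

function Test-LmNegotiation {
    # Simplified model: authentication works if the client sends at least one
    # response type that the server side is willing to validate.
    param([ValidateRange(0, 5)][int]$ClientLevel,
          [ValidateRange(0, 5)][int]$ServerLevel)
    $offered  = @($LmLevel[$ClientLevel].Sends)
    $accepted = @($LmLevel[$ServerLevel].Accepts)
    $usable   = @($offered | Where-Object { $accepted -contains $_ })
    [pscustomobject]@{
        Client   = "$ClientLevel ($($LmLevel[$ClientLevel].Name))"
        Server   = "$ServerLevel ($($LmLevel[$ServerLevel].Name))"
        Succeeds = ($usable.Count -gt 0)
        Using    = ($usable -join ', ')
    }
}

function Get-LmBreakingPairs {
    # Every (client level, server level) combination that cannot authenticate at all.
    foreach ($c in 0..5) {
        foreach ($s in 0..5) {
            $r = Test-LmNegotiation -ClientLevel $c -ServerLevel $s
            if (-not $r.Succeeds) { $r }
        }
    }
}

# May 15: workstations move to level 5 while the DCs keep their old level.
# A DC at any level still accepts NTLMv2, so this step is safe.
Test-LmNegotiation -ClientLevel 5 -ServerLevel 0
# May 22: DCs move to level 5. Anything that still sends only LM/NTLM
# (Windows 9x, a client that never received the policy) is refused.
Test-LmNegotiation -ClientLevel 0 -ServerLevel 5
# The complete list of pairs that break:
Get-LmBreakingPairs | Format-Table Client, Server
```

Running the last line shows that the only failing combinations are a client at level 0, 1 or 2 against a server at level 5, which is why the deck raises the workstations a week before the domain controllers: the first step can never break a domain logon, and the second breaks exactly the machines that missed the Default Domain Policy.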
When do you use NTLM
Creating a new Outlook profile
Accessing a resource on an Active Directory domain member using an IP address rather than a host name (Kerberos needs a host name to build the service principal name)
Accessing a resource on a Windows computer that is not a member of an Active Directory domain
Accessing any resource on a Windows-based computer from a computer running Windows 9x or Windows NT 4.0
Accessing any resource on a Windows-based computer from a third-party operating system or application that does not support Kerberos
Other Common Authentication Methods
Basic Authentication
– Webpage Authentication (over SSL)
– Entourage
Kerberos Authentication
– CAS
– Webmail
– Windows Domain Logon (IU.EDU)
– File Shares (SMB) using DNS Host Name
– Outlook 2003 to Exchange 2003
Known Issues
Local machine account access could fail after May 15th
Understanding how Outlook works with NTLMv2
Unattended Setup of XP will fail to join the domain if SP2 is not
slipstreamed
A user is not successfully authenticated when NTLMv2 authentication is
used on a Windows Server 2003-based IAS server
Windows machines that do not receive the default domain policy may not
be able to access resources that require NTLMv2 authentication
OS X version 10.3 does not support NTLMv2
Windows 9x/Me computers will be unable to authenticate to the ADS
domain
Outlook 2001 does not support NTLMv2 and will no longer be usable
Clustered computers running versions of Windows prior to Windows Server
2003 Service Pack 1 will break
Windows NT 4.0 and support status
Versions of Samba prior to 3.0.21 will not support NTLMv2
Understanding How Outlook Works with NTLMv2
How will Outlook 2001 be affected by this change?
– Outlook 2001 will no longer be usable
Use Entourage as a replacement
– Basic Authentication over SSL
Use Outlook Web Access
– Basic Authentication over SSL
Understanding How Outlook Works with NTLMv2
How will Outlook XP/2002 and 2003 be affected by this change? Whether each operation still works in an NTLMv2-only domain:

                   Create a new profile   Log into an existing profile
Outlook 2003       No                     Yes
Outlook XP/2002    No                     No
OS X version 10.3 does not support NTLMv2
Used to access SMB shares and more
OS X can be forced to use Kerberos when authenticating to an SMB share; see document: http://kb.iu.edu/data/atse.html
Microsoft User Authentication Module (UAM) 10.1 will support NTLMv2
Local Machine Account
Local machine account access could fail after
May 15th
– Change the LM Compatibility level on the client
machine
How can I use the local security settings to force NTLMv2?
– Change the LM Compatibility level on the client server
How can I use a GPO to force NTLMv2?
How do I override settings in the Default Domain Policy for
my OU?
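The local-machine fix from this slide as an added example (not code from the UITS slides): it reads and sets the registry value that the "Network security: LAN Manager authentication level" security option controls, which is what a Default Domain Policy, an OU policy or the Local Security Settings snap-in all end up writing. The function and variable names are this example's own; the key path, value name, level meanings and the companion NoLMHash value are the documented Windows ones.

```powershell
# Added example (not from the UITS slides): inspect and set the LAN Manager
# authentication level on the local machine, i.e. the value behind the
# "Network security: LAN Manager authentication level" security option.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmCompatibilityLevel {
    $p = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $p) {
        # No explicit value: the OS default applies (0 on Windows 2000/XP,
        # 2 on Server 2003, 3 on Vista/Server 2008 and later).
        return $null
    }
    return [int]$p.LmCompatibilityLevel
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level)
    # Needs an elevated session. If the machine receives a GPO that sets this
    # option, the policy value wins again at the next refresh, so a local change
    # only sticks on machines outside the domain or in an OU that blocks the
    # Default Domain Policy. Some Windows versions read the value only at boot;
    # reboot to be certain it is in effect.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Type DWord -Value $Level
}

function Test-LmHashStorage {
    # Refusing LM authentication does not remove LM hashes already stored in the
    # SAM or NTDS; the cracking tools on the "Why retire" slide work on those
    # offline. NoLMHash = 1 ("Do not store LAN Manager hash value on next password
    # change") stops new ones being written; users must then change their
    # password once. (Windows XP/2003 and later use this DWORD; Windows 2000
    # used a NoLMHash subkey instead.)
    $p = Get-ItemProperty -Path $LsaKey -Name NoLMHash -ErrorAction SilentlyContinue
    return ($null -ne $p -and [int]$p.NoLMHash -eq 1)
}

$current = Get-LmCompatibilityLevel
"Current LmCompatibilityLevel: $(if ($null -eq $current) { 'not set (OS default)' } else { $current })"
"LM hash storage disabled (NoLMHash=1): $(Test-LmHashStorage)"

# Force "NTLMv2 response only/refuse LM and NTLM" on this machine (elevated session).
Set-LmCompatibilityLevel -Level 5
```

For a GPO the same setting lives under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, "Network security: LAN Manager authentication level"; an OU that needs a different value than the Default Domain Policy links its own GPO with that option set, and the closer link wins.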
IUB and IUPUI VPN Access
Client machines use MSCHAPv2 to authenticate to the VPN server
The VPN server communicates using NTLMv2 with an ADS domain controller
Note: MSCHAP (as opposed to MSCHAPv2) does break in an NTLMv2-only environment
Client Machine --(MSCHAPv2)--> VPN server --(NTLMv2)--> ADS DC
Who Could be Affected by this Change
Machines that are not part of the ADS domain
will not receive the Default Domain Policy and
will not have their LM Compatibility Level set to
5. This includes home and laptop computers.
Machines located in an OU that is blocking the
Default Domain Policy will not have their LM
Compatibility Level set to 5.
Third-party operating system or application
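A way to find the machines this slide describes before the domain controllers refuse them, as an added example (not code from the UITS slides): it reads Security event 4624 (successful logon), whose "Package Name (NTLM only)" field records whether a logon used LM, NTLM V1 or NTLM V2, and lists the users and workstations still on LM/NTLMv1. That field exists on Windows Vista/Server 2008 and later; the Server 2003-era events from the deck's own time only recorded the authentication package, not the NTLM version. The four sample events are constructed for the demonstration, and a live query is shown in a comment.

```powershell
# Added example (not from the UITS slides): list logons that still used LM or
# NTLMv1, from Security event 4624 records supplied as XML.

function New-SampleLogonEvent {
    # Constructed stand-in for the XML of one 4624 event (only the fields used here).
    param($User, $Workstation, $Ip, $AuthPkg, $LmPkg)
    $xml = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="WorkstationName">$Workstation</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="AuthenticationPackageName">$AuthPkg</Data>
    <Data Name="LmPackageName">$LmPkg</Data>
  </EventData>
</Event>
"@
    return [xml]$xml
}

function Get-LegacyNtlmLogons {
    param([System.Xml.XmlDocument[]]$Events)
    $ns = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
    foreach ($ev in $Events) {
        # Flatten <Data Name="...">value</Data> into a hashtable.
        $f = @{}
        Select-Xml -Xml $ev -Namespace $ns -XPath '//e:EventData/e:Data' | ForEach-Object {
            $f[$_.Node.GetAttribute('Name')] = $_.Node.InnerText
        }
        # Kerberos and NTLMv2 logons are unaffected by level 5; LM and NTLM V1 are refused.
        if ($f['AuthenticationPackageName'] -eq 'NTLM' -and $f['LmPackageName'] -in @('LM', 'NTLM V1')) {
            [pscustomobject]@{
                User        = $f['TargetUserName']
                Workstation = $f['WorkstationName']
                IpAddress   = $f['IpAddress']
                Package     = $f['LmPackageName']
            }
        }
    }
}

# Constructed sample: a Windows 98 lab machine, a home laptop outside the domain,
# a domain workstation that already got the policy, and a Kerberos logon.
$sample = @(
    (New-SampleLogonEvent 'jdoe'   'LIB-W98-01'  '10.0.0.12' 'NTLM'     'LM')
    (New-SampleLogonEvent 'asmith' 'LAPTOP-HOME' '10.0.0.40' 'NTLM'     'NTLM V1')
    (New-SampleLogonEvent 'bjones' 'DESK-ADS-07' '10.0.0.55' 'NTLM'     'NTLM V2')
    (New-SampleLogonEvent 'cwu'    'DESK-ADS-08' '10.0.0.56' 'Kerberos' '-')
)

Get-LegacyNtlmLogons -Events $sample | Format-Table
# Machines to chase down, one line each:
Get-LegacyNtlmLogons -Events $sample | Group-Object Workstation | Select-Object Name, Count

# Live use on a domain controller (replace $sample with real events):
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#           ForEach-Object { [xml]$_.ToXml() }
#   Get-LegacyNtlmLogons -Events $live | Group-Object Workstation
```

Only the first two sample logons are reported: the Windows 98 machine (LM) and the home laptop that never received the Default Domain Policy (NTLM V1). Run the live query against every domain controller, since each DC only logs the logons it validated, and collect for at least a full work week so that infrequently used machines show up.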
IU Windows Authentication Update
The IU Windows Authentication Update
will configure your Windows 2000 (or
higher) computer to disable insecure LM
(LanManager) and NTLMv1 authentication
protocols
IUWare does use CAS for Authentication
Request a Testing OU
UITS Messaging has set up a test domain
(mssgtest.iu.edu) with both LM and
NTLMv1 protocols disabled
We strongly encourage you to leverage
this domain to test how your applications
and services will behave in an NTLMv2
only environment
Thank You!
Questions?
Contact Info:
lsps@iu.edu
More Information:
https://lsps.iu.edu