LM/NTLMv1 Retirement
Hosted by LSP Services
What is LM

LM stands for LAN Manager.

Used by Windows 95, 98, ME and NT; it is now considered a legacy protocol.

LM is an authentication protocol that uses a particularly weak method of hashing a user's password, known as the LM hash algorithm.
What is NTLMv1

Abbreviation for “Windows NT LAN Manager”.

NTLM uses a challenge-response mechanism for authentication.

Clients are able to prove their identities without sending a password to the server.
Retire Support for LM/NTLMv1

UITS will retire support for both LAN Manager (LM) and NT LAN Manager Version 1 (NTLMv1) authentication protocols by May 22, 2006.

After these protocols are disabled, the only authentication protocols accepted by the ADS Domain Controllers will be NTLMv2 and Kerberos.

The protocols will not be blocked on the network.
Why Retire LM and NTLMv1
Recent improvements in computer hardware and software algorithms have made both the LM and NTLMv1 protocols vulnerable to widely published attacks for obtaining user passwords, for example:

– RainbowCrack
– John the Ripper
– Proactive Password Explorer
– SAMInside
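The "What is LM" and "Why Retire LM and NTLMv1" slides above call the LM hash particularly weak and note that published tools recover passwords from it. The Go program below is an added illustration for this page, not code from the original deck or from any UITS tool: it rebuilds the LM hash with the standard library's DES so the weaknesses are visible in code, namely case folding, the 14-byte limit, two 7-byte halves hashed independently with no salt, and a fixed plaintext. Because every password of 7 characters or fewer leaves an all-zero second half-key, all such hashes share one well-known second half, which an auditor can look for in an account database to spot short passwords without recovering any of them. The names `LMHash`, `desKeyFrom7`, `IsSevenOrFewer` and the sample passwords are mine; `strings.ToUpper` is a Unicode simplification of the OEM code-page upper-casing Windows applies, so non-ASCII passwords are outside this example.

```go
// Added example: constructs a LAN Manager (LM) hash with Go's standard
// library to show why the deck calls the algorithm "particularly weak".
// Educational reimplementation written for this page; not UITS code.
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// desKeyFrom7 spreads 7 bytes (56 bits) across the 8-byte key layout DES
// expects: each byte carries 7 key bits in its high bits and the low
// (parity) bit, which the DES key schedule ignores, is left zero.
func desKeyFrom7(s []byte) []byte {
	k := make([]byte, 8)
	k[0] = s[0] >> 1
	k[1] = (s[0]&0x01)<<6 | s[1]>>2
	k[2] = (s[1]&0x03)<<5 | s[2]>>3
	k[3] = (s[2]&0x07)<<4 | s[3]>>4
	k[4] = (s[3]&0x0F)<<3 | s[4]>>5
	k[5] = (s[4]&0x1F)<<2 | s[5]>>6
	k[6] = (s[5]&0x3F)<<1 | s[6]>>7
	k[7] = s[6] & 0x7F
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmMagic is the fixed plaintext every LM hash encrypts; it is part of
// the algorithm, not a secret, so there is nothing salt-like in the hash.
var lmMagic = []byte("KGS!@#$%")

// LMHash returns the 16-byte LM hash of password as lowercase hex.
// The steps that make it weak: the password is upper-cased (case is
// lost), truncated or NUL-padded to 14 bytes, and split into two 7-byte
// halves that are each used as a DES key to encrypt lmMagic independently.
func LMHash(password string) (string, error) {
	pw := []byte(strings.ToUpper(password)) // simplification of OEM upper-casing
	if len(pw) > 14 {
		pw = pw[:14]
	}
	padded := make([]byte, 14)
	copy(padded, pw)
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(desKeyFrom7(padded[7*i : 7*i+7]))
		if err != nil {
			return "", err
		}
		block.Encrypt(out[8*i:8*i+8], lmMagic)
	}
	return hex.EncodeToString(out), nil
}

// ShortPasswordSuffix is the second half shared by every LM hash of a
// password of 7 characters or fewer (DES of lmMagic under an all-zero key).
const ShortPasswordSuffix = "aad3b435b51404ee"

// IsSevenOrFewer reports whether an LM hash belongs to a password of at
// most 7 characters, a check a defender can run over a credential audit.
func IsSevenOrFewer(lmHex string) bool {
	return len(lmHex) == 32 && strings.EqualFold(lmHex[16:], ShortPasswordSuffix)
}

func main() {
	// Constructed sample passwords: the two "Secret1" spellings collide.
	for _, pw := range []string{"", "Secret1", "secret1", "password"} {
		h, _ := LMHash(pw)
		fmt.Printf("%-10q -> %s (7 chars or fewer: %v)\n", pw, h, IsSevenOrFewer(h))
	}
}
```

Running it shows the empty password hashing to `aad3b435b51404eeaad3b435b51404ee`, the two spellings of `Secret1` producing the same hash, and both ending in the short-password suffix; NTLMv2 avoids all of this by never sending or storing an LM-style value.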

How will the Change be Implemented

Two policies will set the LM compatibility level to “NTLMv2 response only\refuse LM and NTLM” (Level 5).

The first policy to change will be the Default Domain Policy. On May 15th, 2006, the project team will set its LM compatibility level to “NTLMv2 response only\refuse LM and NTLM” (Level 5). This will change the default security setting on all Windows workstations and servers in the ADS domain that receive the Default Domain Policy.

One week later, on May 22, 2006, the Default Domain Controller Policy will be set to “NTLMv2 response only\refuse LM and NTLM” (Level 5). From that point only NTLMv2 authentication will be allowed in our domain, which effectively disables LM/NTLMv1 use by Windows systems connected to the ADS domain.
LM Compatibility Level

Level  Group Policy Name                                             Sends      Accepts             Prohibits Sending
0      Send LM and NTLM                                              LM, NTLM   LM, NTLM, NTLMv2    NTLMv2
1      Send LM and NTLM, use NTLMv2 session security if negotiated   LM, NTLM   LM, NTLM, NTLMv2    NTLMv2
2      Send NTLM response only                                       NTLM       LM, NTLM, NTLMv2    LM, NTLMv2
3      Send NTLMv2 response only                                     NTLMv2     LM, NTLM, NTLMv2    LM, NTLMv1
4      Send NTLMv2 response only/refuse LM                           NTLMv2     NTLM, NTLMv2        LM
5      Send NTLMv2 response only/refuse LM and NTLM                  NTLMv2     NTLMv2              LM, NTLMv1
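To see why the rollout above is staged (workstations to Level 5 first, domain controllers one week later) and which machines fail once the DCs refuse LM and NTLM, here is a small Go model of the table's Sends and Accepts columns. It is added for this page and is neither UITS code nor Windows' actual negotiation logic: `Negotiate` returns the strongest response a client at one level sends that a DC at another level still accepts, and `BrokenClients` lists the client levels that can no longer authenticate to a DC at a given level. The type, function and variable names are mine; the row data is transcribed from the table.

```go
// Added example: models the LM Compatibility Level table from this deck
// so the effect of each rollout stage can be computed for every
// client/DC combination. Written for this page; not UITS code.
package main

import "fmt"

// Proto is one of the three response types the table distinguishes.
type Proto int

const (
	LM     Proto = iota
	NTLM         // NTLMv1
	NTLMv2
)

func (p Proto) String() string { return [...]string{"LM", "NTLMv1", "NTLMv2"}[p] }

// Level is one row of the table: what a client at that level sends and
// what a server or DC at that level accepts, weakest protocol first.
type Level struct {
	Policy  string
	Sends   []Proto
	Accepts []Proto
}

// Levels is indexed by LM compatibility level 0-5 (transcribed from the table).
var Levels = [6]Level{
	{"Send LM and NTLM", []Proto{LM, NTLM}, []Proto{LM, NTLM, NTLMv2}},
	{"Send LM and NTLM, use NTLMv2 session security if negotiated", []Proto{LM, NTLM}, []Proto{LM, NTLM, NTLMv2}},
	{"Send NTLM response only", []Proto{NTLM}, []Proto{LM, NTLM, NTLMv2}},
	{"Send NTLMv2 response only", []Proto{NTLMv2}, []Proto{LM, NTLM, NTLMv2}},
	{"Send NTLMv2 response only/refuse LM", []Proto{NTLMv2}, []Proto{NTLM, NTLMv2}},
	{"Send NTLMv2 response only/refuse LM and NTLM", []Proto{NTLMv2}, []Proto{NTLMv2}},
}

// Negotiate returns the strongest response a client at level client sends
// that a DC at level dc accepts; ok is false when nothing overlaps, i.e.
// authentication fails.
func Negotiate(client, dc int) (p Proto, ok bool) {
	sends := Levels[client].Sends
	for i := len(sends) - 1; i >= 0; i-- {
		for _, acc := range Levels[dc].Accepts {
			if sends[i] == acc {
				return sends[i], true
			}
		}
	}
	return 0, false
}

// BrokenClients lists the client levels that cannot authenticate to a DC
// at dcLevel. Against level 5 that is levels 0, 1 and 2: machines outside
// the domain, in an OU blocking the Default Domain Policy, or running
// software that never sends an NTLMv2 response.
func BrokenClients(dcLevel int) []int {
	var out []int
	for c := range Levels {
		if _, ok := Negotiate(c, dcLevel); !ok {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	fmt.Println("rows: client level, columns: DC level 0..5 (protocol used or FAIL)")
	for c := range Levels {
		fmt.Printf("client %d:", c)
		for d := range Levels {
			if p, ok := Negotiate(c, d); ok {
				fmt.Printf(" %7v", p)
			} else {
				fmt.Printf(" %7s", "FAIL")
			}
		}
		fmt.Println()
	}
	fmt.Println("client levels that break once DCs reach level 5:", BrokenClients(5))
}
```

The matrix makes the ordering of the two policy changes concrete: raising workstations to Level 5 first breaks nothing, because DCs at any level accept NTLMv2, while raising the DCs first would cut off every client still at Levels 0 to 2.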
When do you use NTLM

Creating a new Outlook profile

Accessing a resource on an Active Directory domain member using an IP address rather than a host name

Accessing a resource on a Windows computer that is not a member of an Active Directory domain

Accessing any resource on a Windows-based computer from a computer running Windows 9x or Windows NT 4.0

Accessing any resource on a Windows-based computer from a third-party operating system or application that does not support Kerberos
Other Common Authentication Methods

Basic Authentication
– Webpage Authentication (over SSL)
– Entourage

Kerberos Authentication
– CAS
– Webmail
– Windows Domain Logon (IU.EDU)
– File Shares (SMB) using DNS Host Name
– Outlook 2003 to Exchange 2003
Known Issues

– Local machine account access could fail after May 15th
– Understanding how Outlook works with NTLMv2
– Unattended Setup of XP will fail to join the domain if SP2 is not slipstreamed
– A user is not successfully authenticated when NTLMv2 authentication is used on a Windows Server 2003-based IAS server
– Windows machines that do not receive the Default Domain Policy may not be able to access resources that require NTLMv2 authentication
– OS X version 10.3 does not support NTLMv2
– Windows 9x/Me computers will be unable to authenticate to the ADS domain
– Outlook 2001 does not support NTLMv2 and will no longer be usable
– Clustered computers running versions of Windows prior to Windows Server 2003 Service Pack 1 will break
– Windows NT 4.0 and support status
– Versions of Samba prior to 3.0.21 will not support NTLMv2
Understanding How Outlook Works with NTLMv2

How Will Outlook 2001 be Affected by This Change?
– Outlook 2001 will no longer be usable

Use Entourage as a replacement
– Basic Authentication over SSL

Use Outlook Web Access
– Basic Authentication over SSL
Understanding How Outlook Works with NTLMv2

How will Outlook XP/2002 and 2003 be Affected by this Change?

Version          Create a new Profile   Log into a Profile
Outlook 2003     No                     Yes
Outlook XP/2002  No                     No
OS X version 10.3 does not support NTLMv2

NTLMv2 is used to access SMB shares and more.

You can force OS X to use Kerberos when authenticating to an SMB share; see the document: http://kb.iu.edu/data/atse.html

Microsoft User Authentication Module (UAM) 10.1 will support NTLMv2.
Local Machine Account

Local machine account access could fail after May 15th
– Change the LM Compatibility Level on the client machine
  – How can I use the local security settings to force NTLMv2?
– Change the LM Compatibility Level on the client server
  – How can I use a GPO to force NTLMv2?
  – How do I override settings in the Default Domain Policy for my OU?
IUB and IUPUI VPN Access

Client machines use MSCHAPv2 to communicate with the VPN server.

The VPN server communicates with an ADS Domain Controller using NTLMv2.

Note: MSCHAP does break in an NTLMv2-only environment.

Diagram: Client Machine --(MSCHAPv2)--> VPN Server --(NTLMv2)--> ADS DC
Who Could be Affected by this Change

Machines that are not part of the ADS domain will not receive the Default Domain Policy and will not have their LM Compatibility Level set to 5. This includes home and laptop computers.

Machines located in an OU that is blocking the Default Domain Policy will not have their LM Compatibility Level set to 5.

Third-party operating systems or applications.
IU Windows Authentication Update

The IU Windows Authentication Update will configure your Windows 2000 (or higher) computer to disable the insecure LM (LanManager) and NTLMv1 authentication protocols.

IUWare uses CAS for authentication.
Request a Testing OU

UITS Messaging has set up a test domain (mssgtest.iu.edu) with both LM and NTLMv1 protocols disabled.

We strongly encourage you to leverage this domain to test how your applications and services will behave in an NTLMv2-only environment.
Thank You!
Questions?
Contact Info:
lsps@iu.edu
More Information:
https://lsps.iu.edu