ACNS LM Compatibility Level Settings

Introduction

There are several authentication encryption schemes available to Windows machines for use when connecting to another Windows machine to use shared resources. ACNS has configured its systems to support only the newer NTLMv2 encryption algorithm for LAN Manager style authentication. This means all connections to our servers need to use NTLMv2 to be able to access shared files and printers. Users at home who wish to access files on CSUNTS may need to configure their systems to use NTLMv2 if this is not autonegotiated.

Background

Beginning with Windows 2000, the initial authentication when you log on to a domain uses Kerberos, but many applications continue to use older encryption schemes and the operating system supports this. The other available encryption methods are LM, NTLM and NTLMv2. The older encryption methods are relatively easy to crack with modern equipment, so security best practices recommend using only the more recent NTLMv2 encryption where LAN Manager authentication is required.

Configuring Your Computer for NTLMv2

Windows 2000 and XP users can make a single registry change to use NTLMv2, but Windows 9X/ME/NT systems also require the Directory Services Client (DSClient) to be installed. You can either configure your computer to use NTLMv2 exclusively or to always send NTLMv2 but allow LM and NTLM incoming connections. If you share file or printer resources from your home system, you either need to allow LM and NTLM or configure other systems that may access your home computer to use NTLMv2 as well. Windows 9x/ME systems can only be configured to use NTLMv2 but accept LM. Windows 2000 and XP systems can be configured for either.
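
To check which of these configurations a Windows machine currently has, the following PowerShell (an added example, not part of the original ACNS page or its registry files) reads the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and reports what the machine sends and refuses. It assumes that "NTLMv2 exclusively" corresponds to level 5 and "send NTLMv2 but allow LM and NTLM" to level 3; the function name Get-LmCompatibilityReport is hypothetical.

```powershell
# Added example: report the LAN Manager authentication level of this machine.
# Level meanings follow Microsoft's documented LmCompatibilityLevel values (0-5).
# Assumption: the page's two options map to level 5 (exclusive) and level 3.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$Levels = @{
    0 = @{ Sends = 'LM and NTLM';                                  Refuses = 'nothing' }
    1 = @{ Sends = 'LM and NTLM (NTLMv2 session security if negotiated)'; Refuses = 'nothing' }
    2 = @{ Sends = 'NTLM only';                                    Refuses = 'nothing' }
    3 = @{ Sends = 'NTLMv2 only';                                  Refuses = 'nothing' }
    4 = @{ Sends = 'NTLMv2 only';                                  Refuses = 'LM' }
    5 = @{ Sends = 'NTLMv2 only';                                  Refuses = 'LM and NTLM' }
}

function Get-LmCompatibilityReport {
    param([string]$Path = $LsaKey)

    $prop = Get-ItemProperty -Path $Path -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the operating system's built-in default applies,
        # so nothing can be concluded from the registry alone.
        return [pscustomobject]@{
            Level = $null; Sends = 'OS default (value not set)'; Refuses = 'OS default'
            SendsNtlmV2Only = $null; NtlmV2Exclusive = $null
        }
    }

    $level = [int]$prop.LmCompatibilityLevel
    if (-not $Levels.ContainsKey($level)) {
        throw "Unexpected LmCompatibilityLevel value: $level"
    }

    [pscustomobject]@{
        Level           = $level
        Sends           = $Levels[$level].Sends
        Refuses         = $Levels[$level].Refuses
        SendsNtlmV2Only = ($level -ge 3)   # outgoing connections use NTLMv2 only
        NtlmV2Exclusive = ($level -eq 5)   # incoming LM and NTLM are refused as well
    }
}

Get-LmCompatibilityReport | Format-List
```

A machine that reports SendsNtlmV2Only as False will not be able to authenticate to servers that accept only NTLMv2.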

Windows 2000/XP Systems

You can either configure your Win2K/XP system to use NTLMv2 exclusively or send NTLMv2 and accept all authentication protocols. To configure your system, import the appropriate registry file:

Windows NT 4.0 Systems

You can either configure your NT 4.0 system to use NTLMv2 exclusively or send NTLMv2 and accept all authentication protocols. To configure your system, import the appropriate registry file and install the Directory Services Client:

Windows 9x/ME Systems

You can only control what protocols are used for outgoing connections on Windows 9x/ME clients. To configure your system, import the appropriate registry file and install the Directory Services Client: