How to Enable NTLM 2 Authentication for Windows 95/98 Clients
ID: Q239869
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows NT Server versions 4.0 SP4, 4.0 SP5
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information about how to do this, view the "Restoring
the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help
topic in Regedt32.exe.
SUMMARY
Historically, Windows NT supports two variants of challenge/response authentication for network logons:
- LAN Manager (LM) challenge/response
- Windows NT challenge/response (also known as NTLM version 1 challenge/response)
The LM variant allows interoperability with the installed base of Windows 95 clients and servers. NTLM provides improved security for connections between Windows NT clients and servers. Windows NT also supports the NTLM session security mechanism that provides for message confidentiality (encryption) and integrity (signing).
Recent improvements in computer hardware and software algorithms have made these protocols vulnerable to widely published attacks for obtaining user passwords. In its ongoing efforts to deliver more secure products to its customers, Microsoft has developed an enhancement, called NTLM version 2, that significantly improves both the authentication and session security mechanisms. NTLM 2 has been available for Windows NT 4.0 since Service Pack 4 (SP4) was released, and it is supported natively in Windows 2000. You can add NTLM 2 support to Windows 95 and Windows 98 by installing the Directory Services Client from the Windows 2000 CD-ROM.
After you upgrade all Windows 95/98 and Windows NT 4.0 computers, you can greatly improve your organization's security by configuring clients, servers, and domain controllers to use only NTLM 2 (not LM or NTLM).
MORE INFORMATION
The Directory Services Client is included on the Windows 2000 CD-ROM as Clients\Win9x\Dsclient.exe. When you run Dsclient.exe on a Windows 95/98 computer, the system files that provide NTLM 2 support are automatically installed as well. These files are Secur32.dll, Msnp32.dll, Vredir.vxd, and Vnetsup.vxd. If you uninstall Dsclient, the NTLM 2 system files are not removed because they provide both enhanced security functionality and security-related fixes.
By default, NTLM 2 session security encryption is restricted to a maximum key length of 56 bits. Optional support for 128-bit keys is automatically installed if the system satisfies United States export regulations. To enable 128-bit NTLM 2 session security support, you must first install Microsoft Internet Explorer 4.x or 5 and upgrade to 128-bit secure connection support before you install the Directory Services Client.
To verify your installation version:
- Locate the Secur32.dll file in the %SystemRoot%\System folder using Windows Explorer.
- Right-click the file, and then click Properties.
- Click the Version tab.
- The description for the 56-bit version is "Microsoft Win32 Security Services (Export Version)." The description for the 128-bit version is "Microsoft Win32 Security Services (US and Canada Only)."
When you first install the NTLM 2 support files, they are configured to use only LM authentication for backward compatibility with existing servers and domain controllers. Before you enable NTLM 2 authentication for Windows 95/98 clients, verify that all domain controllers for users who log on to your network from these clients are running Windows NT 4.0 Service Pack 4 (SP4) or later (or Service Pack 6 if the client and server are joined to different domains). No domain controller configuration is required to support NTLM 2; the only time domain controllers need to be configured is to disable support for NTLM 1 or LM authentication.
For additional information and a detailed discussion of the differences between these protocol variants and the importance of upgrading to use only NTLM 2, click the article number below to view the article in the Microsoft Knowledge Base:
Q147706 How to Disable LM Authentication on Windows NT
Enabling NTLM 2 for Windows 95/98 Clients
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry Editor
can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and
Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete
Information in the Registry" and "Edit Registry Data" Help topics in
Regedt32.exe. Note that you should back up the registry before you edit it.
If you are running Windows NT, you should also update your Emergency
Repair Disk (ERD).
To enable a Windows 95/98 client for NTLM 2 authentication, install the Directory Services Client. To activate NTLM 2 on the client, follow these steps:
- Start Registry Editor (Regedit.exe).
- Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
- On the Edit menu, click Add Value, and then add the following registry value:
Value Name: LMCompatibilityLevel
Data Type: REG_DWORD
Value: 3
Valid Range: 0-5
Description: This parameter specifies the mode of authentication and session security to be used for network logons. It does not affect interactive logons.
- Level 0 - Send LM and NTLM response; never use NTLM 2 session security.
Clients will use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication.
- Level 3 - Send NTLM 2 response only. Clients will use NTLM 2 authentication and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
- Quit Registry Editor.
You can make the registry changes required to configure NTLM 2 support more easily by using the two .reg files located in the Clients\Win9x folder on the Windows 2000 CD-ROM. The regedit.exe lmcl3.reg command sets the LMCompatibilityLevel value to Level 3. You can use the Lmcl0.reg file to set it back to Level 0, if necessary.
For reference, the full range of values for the LMCompatibilityLevel value that are supported by Windows NT 4.0 and Windows 2000 include:
- Level 0 - Send LM and NTLM response; never use NTLM 2 session security.
Clients use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication.
- Level 1 - Use NTLM 2 session security if negotiated.
Clients use LM and NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
- Level 2 - Send NTLM response only.
Clients use only NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
- Level 3 - Send NTLM 2 response only.
Clients use NTLM 2 authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
- Level 4 - Domain controllers refuse LM responses.
Clients use NTLM 2 authentication, and use NTLM 2 session security if the server supports it; domain controllers refuse LM authentication (that is, they accept NTLM and NTLM 2).
- Level 5 - Domain controllers refuse LM and NTLM responses (accept only NTLM 2).
Clients use NTLM 2 authentication, use NTLM 2 session security if the server supports it; domain controllers refuse NTLM and LM authentication (they accept only NTLM 2).
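The table above is easier to reason about as data. The following is an added example (not from this article or from Microsoft) that encodes which responses a client sends and which a domain controller accepts at each LMCompatibilityLevel, and uses that to check which clients would stop authenticating if the domain controllers were raised to a given level. The function and dictionary names are my own.

```python
# Added example: models the LMCompatibilityLevel table from the KB article.
# Names (CLIENT_SENDS, DC_ACCEPTS, can_authenticate, ...) are my own.
LM, NTLM, NTLM2 = "LM", "NTLM", "NTLM 2"

# Responses a client SENDS at each level (from the table above).
CLIENT_SENDS = {
    0: {LM, NTLM}, 1: {LM, NTLM}, 2: {NTLM},
    3: {NTLM2},    4: {NTLM2},    5: {NTLM2},
}

# Responses a domain controller ACCEPTS at each level (from the table above).
DC_ACCEPTS = {
    0: {LM, NTLM, NTLM2}, 1: {LM, NTLM, NTLM2}, 2: {LM, NTLM, NTLM2},
    3: {LM, NTLM, NTLM2}, 4: {NTLM, NTLM2},     5: {NTLM2},
}

# Levels at which the client uses NTLM 2 session security if the server supports it.
USES_NTLM2_SESSION_SECURITY = {1, 2, 3, 4, 5}


def can_authenticate(client_level, dc_level):
    """True if at least one response the client sends is accepted by the DC."""
    return bool(CLIENT_SENDS[client_level] & DC_ACCEPTS[dc_level])


def lowest_client_level_for_dc(dc_level):
    """Lowest client LMCompatibilityLevel that still authenticates to a DC at dc_level."""
    return min(c for c in CLIENT_SENDS if can_authenticate(c, dc_level))


def audit(client_levels, dc_level):
    """Names of clients (name -> level) that would break if DCs move to dc_level."""
    return sorted(name for name, lvl in client_levels.items()
                  if not can_authenticate(lvl, dc_level))


if __name__ == "__main__":
    # Constructed inventory: two Windows 98 clients and one NT 4.0 client.
    inventory = {"win98-a": 0, "win98-b": 3, "nt4-c": 2}
    print("Clients that break at DC level 5:", audit(inventory, 5))
```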
You can configure the minimum security that is used for programs that use the NTLM Security Support Provider (SSP) by modifying the following registry key. These values are dependent on the LMCompatibilityLevel value:
- Start Registry Editor (Regedit.exe).
- Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\MSV1_0
- On the Edit menu, click Add Value, and then add the following registry value:
Value Name: NtlmMinClientSec
Data Type: REG_DWORD
Value: one of the values below:
- 0x00000010 - Message integrity
- 0x00000020 - Message confidentiality
- 0x00080000 - NTLM 2 session security
- 0x20000000 - 128-bit encryption
- 0x80000000 - 56-bit encryption
- Quit Registry Editor.
If a client/server program uses the NTLM SSP (or uses secure Remote Procedure Call [RPC], which uses the NTLM SSP) to provide session security for a connection, the type of session security to use is determined as follows:
- The client requests any or all the following items: message integrity, message confidentiality, NTLM 2 session security, and 128-bit or 56-bit encryption.
- The server responds, indicating which items of the requested set it wants.
- The resulting set is said to have been "negotiated."
You can use the NtlmMinClientSec value to cause client/server connections to either negotiate a given quality of session security or not to succeed.
However, you should note the following items:
- If you use 0x00000010 for the NtlmMinClientSec value, the connection does not succeed if message integrity is not negotiated.
- If you use 0x00000020 for the NtlmMinClientSec value, the connection does not succeed if message confidentiality is not negotiated.
- If you use 0x00080000 for the NtlmMinClientSec value, the connection does not succeed if NTLM 2 session security is not negotiated.
- If you use 0x20000000 for the NtlmMinClientSec value, the connection does not succeed if message confidentiality is in use but 128-bit encryption is not negotiated.
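The negotiation and the four NtlmMinClientSec rules above can be modelled directly. The following is an added example (not from this article or from Microsoft) that computes the negotiated set from the client's request and the server's response, then applies the NtlmMinClientSec rules, including the one that makes 128-bit encryption mandatory only when confidentiality is actually in use. The flag values are the ones listed in the article; the function names are my own.

```python
# Added example: models NTLM SSP session-security negotiation and the
# NtlmMinClientSec rules described in the KB article. Function names are my own.
INTEGRITY       = 0x00000010   # message integrity (signing)
CONFIDENTIALITY = 0x00000020   # message confidentiality (encryption)
NTLM2_SESSION   = 0x00080000   # NTLM 2 session security
KEY_128         = 0x20000000   # 128-bit encryption
KEY_56          = 0x80000000   # 56-bit encryption


def negotiate(client_request, server_accepts):
    """The server keeps the subset of the client's requested items it wants."""
    return client_request & server_accepts


def meets_minimum(negotiated, min_client_sec):
    """Apply the NtlmMinClientSec rules from the article. Returns (ok, reason)."""
    if min_client_sec & INTEGRITY and not negotiated & INTEGRITY:
        return False, "message integrity not negotiated"
    if min_client_sec & CONFIDENTIALITY and not negotiated & CONFIDENTIALITY:
        return False, "message confidentiality not negotiated"
    if min_client_sec & NTLM2_SESSION and not negotiated & NTLM2_SESSION:
        return False, "NTLM 2 session security not negotiated"
    # 128-bit is only enforced when message confidentiality is in use.
    if (min_client_sec & KEY_128 and negotiated & CONFIDENTIALITY
            and not negotiated & KEY_128):
        return False, "confidentiality in use but 128-bit encryption not negotiated"
    return True, "negotiated set meets NtlmMinClientSec"


def connect(client_request, server_accepts, min_client_sec):
    """Simulate one connection: returns (ok, negotiated_flags, reason)."""
    negotiated = negotiate(client_request, server_accepts)
    ok, reason = meets_minimum(negotiated, min_client_sec)
    return ok, negotiated, reason


if __name__ == "__main__":
    # Constructed scenario: client asks for everything, server only offers
    # 56-bit confidentiality, client requires 128-bit. Connection must fail.
    everything = INTEGRITY | CONFIDENTIALITY | NTLM2_SESSION | KEY_128 | KEY_56
    server = INTEGRITY | CONFIDENTIALITY | NTLM2_SESSION | KEY_56
    print(connect(everything, server, KEY_128))
```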
Additional query words:
ntlmv2
Keywords : kbenv ntsecurity
Version : WINDOWS:2000,95; winnt:4.0 SP4,4.0 SP5
Platform : WINDOWS winnt
Issue type : kbhowto