Home » Features » LAN Manager Authentication Level setting is not set to secure level

LAN Manager Authentication Level setting is not set to secure level

Key Points
Introduction: Explains why allowing LM or NTLM authentication increases the risk of credential compromise on the network due to weaker legacy protocols, and why enforcing NTLMv2-only is recommended as a Windows hardening step.
Quick setup: Shows how to detect the “LAN Manager authentication level is not set to accept only NTLMv2” misconfiguration in Vulnerability Manager Plus and provides the exact Group Policy path to set “Network security: LAN Manager authentication level” to “Send NTLMv2 response only. Refuse LM & NTLM” across managed endpoints.
Frequently Asked Questions: Covers practical questions about NTLMv2-only hardening, including what the policy controls, why attackers abuse LM/NTLM, the impact on legacy systems and apps, which Windows authentication flows are affected, how to verify the effective policy on endpoints, recommended companion “Network security” settings, and what to validate after enforcement.

Detect LAN Manager Authentication Level setting is not set to secure level and similar misconfigurations quickly.

Spot Now

Introduction

LAN Manager authentication (LM, NTLM, and NTLMv2) controls how Windows systems prove identity over the network when accessing resources such as file shares, printers, and domain services. Older methods like LM and NTLM were designed for backward compatibility, but they are significantly weaker than NTLMv2 and are more susceptible to credential theft and replay-style attacks.

If your environment does not require legacy authentication, enforcing NTLMv2 only is a recommended OS hardening step. It reduces the chance of attackers capturing or downgrading authentication traffic to weaker protocols, especially in mixed or older networks where legacy settings may still be enabled.

In enterprise environments, this setting should be applied consistently using Group Policy. Setting Network security: LAN Manager authentication level to “Send NTLMv2 response only. Refuse LM & NTLM” helps standardize authentication behavior across managed endpoints and minimizes exposure caused by legacy protocol fallback.

You can detect this misconfiguration (LAN Manager Authentication Level setting is not set to secure level (must be set to accept only NTLMv2 and refuse LM and NTLM)) using Vulnerability Manager Plus. This misconfiguration comes under the category of OS Security Hardening and has a Critical severity.

Quick Setup

To detect this misconfiguration:

  • Open the Vulnerability Manager Plus console and go to Threats---> System Misconfiguration, and you can see the detected misconfigurations list.
  • In the misconfiguration list, use the search box to type LAN and filter results to focus only on related findings.
  • Open the misconfiguration named LAN Manager Authentication Level setting is not set to secure level (must be set to accept only NTLMv2 and refuse LM and NTLM), confirm it matches the expected finding, and review the details to understand why it is flagged.
  • Check the affected endpoints list to identify which devices need a fix, then prioritize devices where the service is reachable and not required.
  • For each affected device, plan remediation to this misconfiguration and document the remediation goal.

To remediate the misconfiguration using Group Policy:

  • Open the Group Policy Management Console (GPMC) and edit the required GPO.
  • Navigate to Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.
  • Locate and open "Network security: LAN Manager authentication level".
  • Set the policy value to "Send NTLMv2 response only. Refuse LM & NTLM".
  • Click Apply and then OK to save the changes.

This remediation does not require reboot.

Potential Operational Impact: Legacy systems that do not support NTLMv2 authentication cannot authenticate in the domain and access domain resources by using LM and NTLM.

Scheduling reports keeps teams informed without needing to log in manually.

Refer to this page to know in detail more about misconfiguration hardening

Start your 30-day free trial and secure LAN Manager across your endpoints and stay protected.

Frequently Asked Questions

What does the LAN Manager authentication level setting control?

This policy controls which challenge-response authentication protocols Windows will send and accept when authenticating to network resources. It primarily affects LM, NTLM, and NTLMv2 behavior.

Why is “Send NTLMv2 response only. Refuse LM & NTLM” recommended?

NTLMv2 is stronger than LM and NTLM and reduces exposure to common credential attacks. Refusing LM/NTLM prevents endpoints from falling back to weaker protocols when connecting to older or misconfigured systems.

What are LM, NTLM, and NTLMv2?

LM is the oldest and weakest protocol. NTLM improved on LM but is still considered weaker than modern standards. NTLMv2 is the most secure of the three and is the recommended baseline when NTLM is required.

Will this setting disable Kerberos authentication?

No. In Active Directory environments, Kerberos is typically used by default for domain authentication. This policy mainly controls NTLM family behavior when NTLM is used (for example, legacy apps, workgroup scenarios, or certain fallback conditions).

What compatibility issues can occur after enforcing NTLMv2-only?

Older systems, legacy NAS devices, printers, or applications that only support LM/NTLM may fail to authenticate. If you still have such dependencies, upgrade/replace them or scope the policy carefully to avoid breaking required workflows.

Does this setting affect both inbound and outbound authentication?

Yes. It influences what the system will send when authenticating to other devices and what it will accept when others authenticate to it, depending on the selected policy option.

How can I verify the effective policy on an endpoint?

Confirm the applied GPO using Resultant Set of Policy (RSOP) or gpresult, and ensure the Security Options value for Network security: LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM & NTLM.

Do I need to reboot endpoints after changing this policy?

Often a reboot is not required, but it can depend on the environment and active sessions. After policy refresh, test access to key resources. If you see inconsistent behavior, rebooting the affected machine can help ensure the setting is fully applied.

How do I troubleshoot authentication failures after enabling NTLMv2-only?

Start by identifying which server/device is rejecting authentication and whether it supports NTLMv2. Check Windows security logs on the client and target system, review SMB/app logs if applicable, and test from a pilot group first to pinpoint legacy dependencies.

What should I do after enforcing this setting via GPO?

Roll out in phases (pilot then broader deployment), validate access to file shares, printers, and line-of-business apps, and document any exceptions. If legacy dependencies exist, plan remediation (upgrade, replacement, or restricted scope) to avoid re-enabling weaker protocols broadly.