Andrea Pierini, Senior Security Consultant

While writing a blog post on NTLMv1 and Windows Server 2025, I was reminded of an old, well-known, yet persistently misunderstood issue: improperly set LAN Manager authentication levels. This authentication setting specifies the challenge-and-response protocol that is used for network logons when Kerberos is not negotiated.


Why using authentication level 2 (or lower) is a bad idea

One of the most common misconfigurations I encounter in Active Directory environments is a LAN Manager authentication level set to 2 or lower on domain controllers (DCs). The level can be set in one of two ways:

  • Via Group Policy: Network security: LAN Manager authentication level (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options)
  • Directly in the registry: the LmCompatibilityLevel DWORD value under HKLM\System\CurrentControlSet\Control\Lsa

The reasoning for setting authentication to 2 is almost always the same: “We have legacy applications that authenticate using NTLMv1, and we can’t risk breaking them.”

That logic is understandable. But it leads to a subtle and critical mistake.


What’s the difference between LAN Manager authentication levels 2 and 3?

The LAN Manager authentication level setting controls two different things at once: which challenge-and-response the machine sends when it authenticates outbound as a client, and which responses it accepts when others authenticate to it inbound. Those are not the same thing, and conflating them is the root of the mistake.

Setting the level to 2 means that:

  • The DC accepts inbound LM and NTLMv1 authentication (so legacy clients keep working).
  • The DC itself also answers with NTLMv1 whenever it authenticates outbound as a client to another host.

That second point creates a vulnerability.

By contrast, setting the level to 3 means that:

  • The DC still accepts LM and NTLMv1 inbound (so legacy clients continue to work).
  • The DC sends only NTLMv2 when it authenticates outbound; it never emits an NTLMv1 response of its own.

In other words, using level 3 preserves compatibility while eliminating a significant attack surface.


Why outgoing NTLMv1 from a DC is dangerous

DCs are high-value targets. If an attacker can coerce a DC into making an outbound authentication attempt to an attacker-controlled host (through techniques such as PrinterBug, DFSCoerce, PetitPotam, or similar authentication-coercion methods), and the DC answers with NTLMv1, the captured response is dramatically weaker than an NTLMv2 one.

An NTLMv1 response is nothing more than the 8-byte server challenge encrypted three times with DES, using keys cut directly from the NT hash (16 bytes zero-padded to 21 and split into three 7-byte pieces). There is no salt, no username and no client nonce in the calculation, so an attacker who presents a fixed challenge can look the response up in precomputed tables or brute-force it quickly on modern hardware, and what falls out is not a password guess but the NT hash of the DC's computer account itself. (Tables built for a fixed challenge assume Extended Session Security was not negotiated, which the attacker-controlled server can simply decline to offer.)
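To make that weakness concrete, here is an added example (not code from the original post) that builds an NTLMv1 response exactly as MS-NLMP specifies it and then recovers the last two bytes of the NT hash from that response. The NT hash is a constructed sample value, not a real account's; the challenge is the fixed 1122334455667788 that the public precomputed tables are built for. The third DES key holds only 16 bits of hash material, so with a known challenge it can be searched in 65,536 tries; recovering the two 56-bit pieces is the same search at a scale that tables and GPU rigs handle, and the result is the hash itself rather than something that still needs a dictionary.

```powershell
# Added example, not part of the original post. Sample NT hash is constructed (a real one is
# MD4 of the UTF-16LE password); challenge is the fixed value that NTLMv1 rainbow tables assume.

function ConvertFrom-Hex {
    param([string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function ConvertTo-Hex {
    param([byte[]]$Bytes)
    return ([BitConverter]::ToString($Bytes) -replace '-', '').ToLower()
}

# Spread 7 key bytes over 8 DES key bytes: 7 key bits per byte plus one odd-parity bit (MS-NLMP DESL).
function ConvertTo-DesKey {
    param([byte[]]$Key7)
    $raw = @(
        [int]$Key7[0],
        (([int]$Key7[0] -shl 7) -bor ([int]$Key7[1] -shr 1)),
        (([int]$Key7[1] -shl 6) -bor ([int]$Key7[2] -shr 2)),
        (([int]$Key7[2] -shl 5) -bor ([int]$Key7[3] -shr 3)),
        (([int]$Key7[3] -shl 4) -bor ([int]$Key7[4] -shr 4)),
        (([int]$Key7[4] -shl 3) -bor ([int]$Key7[5] -shr 5)),
        (([int]$Key7[5] -shl 2) -bor ([int]$Key7[6] -shr 6)),
        ([int]$Key7[6] -shl 1)
    )
    $key = New-Object byte[] 8
    for ($i = 0; $i -lt 8; $i++) {
        $b = $raw[$i] -band 0xFE                                     # keep the 7 key bits, clear parity bit
        $ones = ([Convert]::ToString($b, 2) -replace '0', '').Length
        if ($ones % 2 -eq 0) { $b = $b -bor 1 }                      # DES keys use odd parity
        $key[$i] = [byte]$b
    }
    return ,$key
}

function Invoke-DesEcbBlock {
    param([byte[]]$Key, [byte[]]$Block)
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $des.Key     = $Key
    return ,$des.CreateEncryptor().TransformFinalBlock($Block, 0, 8)
}

# NTLMv1: hash padded to 21 bytes, split into three 7-byte DES keys, each encrypting the same challenge.
# The third key carries only two real bytes (hash[14..15]) followed by five zero bytes.
function Get-NtlmV1Response {
    param([byte[]]$NtHash, [byte[]]$Challenge)
    $padded = New-Object byte[] 21
    [Array]::Copy($NtHash, $padded, 16)
    $response = New-Object byte[] 24
    for ($i = 0; $i -lt 3; $i++) {
        [byte[]]$chunk = $padded[(7 * $i)..(7 * $i + 6)]
        [byte[]]$block = Invoke-DesEcbBlock -Key (ConvertTo-DesKey -Key7 $chunk) -Block $Challenge
        [Array]::Copy($block, 0, $response, 8 * $i, 8)
    }
    return ,$response
}

# Recover hash[14..15] from response[16..23]: 2^16 candidates, independent of the rest of the hash.
function Find-NtHashTail {
    param([byte[]]$Challenge, [byte[]]$Response)
    $target = [BitConverter]::ToString([byte[]]$Response[16..23])
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    for ($hi = 0; $hi -le 255; $hi++) {
        for ($lo = 0; $lo -le 255; $lo++) {
            [byte[]]$key = ConvertTo-DesKey -Key7 ([byte[]]@($hi, $lo, 0, 0, 0, 0, 0))
            # .NET refuses to load DES weak/semi-weak keys (the all-zero candidate is one), so skip them.
            if ([System.Security.Cryptography.DES]::IsWeakKey($key) -or
                [System.Security.Cryptography.DES]::IsSemiWeakKey($key)) { continue }
            $des.Key = $key
            $out = $des.CreateEncryptor().TransformFinalBlock($Challenge, 0, 8)
            if ([BitConverter]::ToString($out) -eq $target) { return ,([byte[]]@($hi, $lo)) }
        }
    }
    return $null
}

$ntHash    = ConvertFrom-Hex '8c2f7d1ab4e60391c5d7a2f0e9b31204'   # constructed sample, not a real account
$challenge = ConvertFrom-Hex '1122334455667788'                    # fixed challenge the public tables target
$response  = Get-NtlmV1Response -NtHash $ntHash -Challenge $challenge
"NTLMv1 response            : $(ConvertTo-Hex $response)"
$tail = Find-NtHashTail -Challenge $challenge -Response $response
"Hash bytes 15-16 recovered : $(ConvertTo-Hex $tail)"
"Matches the sample hash    : $((ConvertTo-Hex $tail) -eq (ConvertTo-Hex $ntHash).Substring(28))"
```

Compare this with NTLMv2, where the response is an HMAC-MD5 keyed with the hash over the server challenge, a client nonce, a timestamp and the target information: there, a captured response still has to be run against candidate passwords one by one, and a fixed challenge buys the attacker nothing.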

But it doesn't stop there, and this is where the difference becomes truly critical.

Attackers do not even need the NT hash.

Instead, they can relay the coerced NTLMv1 authentication directly to another DC on which LDAP signing is not required or LDAPS channel binding is not enforced (another alarmingly common misconfiguration). NTLMv1 is what makes this cross-protocol relay so reliable: an NTLMv1 exchange carries no integrity-protected MIC over the negotiated flags, so the attacker can clear the signing flags of the relayed authentication without the LDAP server noticing, which is exactly what the MIC checks added for NTLMv2 were meant to prevent. By relaying the DC's machine account authentication over LDAP, the attacker can perform one of two devastating attacks:

Both paths lead to the same outcome: full control over the DC. From initial coercion to complete domain compromise can take less than a minute.

No hash cracking needed. No elevated privileges required to start. Just a DC that still sends NTLMv1 and another DC that does not require LDAP signing or enforce LDAPS channel binding.


The practical takeaway

If your reason for staying at LAN Manager authentication level 2 (or lower) is legacy application compatibility, you can move to level 3 today without breaking those applications.

You might want to reserve levels 4 and 5 for when you are ready to fully deprecate LM and NTLMv1 in your environment, because those levels start refusing inbound authentication: level 4 refuses LM, level 5 refuses LM and NTLMv1. (Note: In Windows Server 2025, outgoing connections using LM and NTLMv1 are no longer allowed.)

Keep this progression in mind:

  • Level 2: The DC accepts inbound LM and NTLMv1 authentication and sends NTLMv1 outbound. Legacy apps work, but DCs are exposed.
  • Level 3: The DC accepts inbound LM and NTLMv1 authentication but will not send NTLMv1 outbound. Legacy apps still work, and your DCs are protected.
  • Level 4: The DC sends NTLMv2 outbound, refuses inbound LM, but still accepts inbound NTLMv1. It’s compatible with most applications and protects your DCs.
  • Level 5: The DC refuses all inbound and outbound LM and NTLMv1 authentication entirely. This level provides full hardening, but legacy apps break.
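As an added example (not code from the original post), the following PowerShell ties the two ways the setting is exposed (Group Policy and the LmCompatibilityLevel registry value) to the progression just listed: it reads the level on every DC, decodes what that level means for a DC inbound and outbound, counts recent inbound logons that still used LM or NTLMv1 (the clients that levels 4 and 5 would start refusing, read from the "Package Name (NTLM only)" field of event 4624), and can raise anything below 3 to 3. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs and rights to read their Security log; the treatment of an unset value as the OS default of 3 is an assumption that holds for currently supported Windows Server versions.

```powershell
# Added example, not part of the original post. Assumes RSAT ActiveDirectory module, WinRM to the DCs,
# and rights to read the DCs' Security log. Nothing is written unless $Remediate is $true.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'
$Remediate = $false          # set to $true to write level 3 to every DC currently below it

# What a DC does at each level: outbound (as a client) / inbound (as the authenticating DC).
$LevelTable = @{
    0 = 'out: LM+NTLMv1             in: LM, NTLMv1, NTLMv2'
    1 = 'out: LM+NTLMv1 (ESS ok)    in: LM, NTLMv1, NTLMv2'
    2 = 'out: NTLMv1                in: LM, NTLMv1, NTLMv2'
    3 = 'out: NTLMv2                in: LM, NTLMv1, NTLMv2'
    4 = 'out: NTLMv2                in: NTLMv1, NTLMv2 (LM refused)'
    5 = 'out: NTLMv2                in: NTLMv2 only'
}

$AuditBlock = {
    param($Path, $Name, $MaxEvents)
    $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $level = if ($null -ne $item) { [int]$item.$Name } else { $null }   # $null = value not set

    # Event 4624 field LmPackageName is LM / NTLM V1 / NTLM V2 for NTLM logons; tally the weak ones
    # per source so you can see who would break once inbound LM/NTLMv1 is refused.
    $legacy = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LmPackageName'] -in 'LM', 'NTLM V1') {
                $k = "$($d['LmPackageName']) from $($d['WorkstationName']) ($($d['IpAddress']))"
                $legacy[$k] = 1 + [int]$legacy[$k]
            }
        }
    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Level = $level; LegacyLogons = $legacy }
}

$dcs     = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ScriptBlock $AuditBlock -ArgumentList $RegPath, $ValueName, 2000

foreach ($r in $results) {
    # Assumption: an unset value means the OS default, which is 3 on currently supported Windows Server.
    $effective = if ($null -eq $r.Level) { 3 } else { $r.Level }
    $shown     = if ($null -eq $r.Level) { 'unset' } else { $r.Level }
    "{0,-20} level={1,-6} {2}" -f $r.ComputerName, $shown, $LevelTable[$effective]
    foreach ($k in $r.LegacyLogons.Keys) { "    {0,5}x  {1}" -f $r.LegacyLogons[$k], $k }
}

# DCs below 3 still send NTLMv1 outbound. If a GPO sets this value, change the GPO
# (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies >
# Security Options > "Network security: LAN Manager authentication level"); a bare registry
# write is undone at the next policy refresh.
$below3 = @($results | Where-Object { $null -ne $_.Level -and $_.Level -lt 3 })
if ($Remediate -and $below3.Count -gt 0) {
    Invoke-Command -ComputerName $below3.ComputerName -ScriptBlock {
        param($Path, $Name)
        Set-ItemProperty -Path $Path -Name $Name -Value 3 -Type DWord
    } -ArgumentList $RegPath, $ValueName
}
```

Run it read-only first. The legacy-logon tally is what tells you whether moving on to level 4 or 5 is safe yet; the level column is what tells you whether a DC is exposed today, and that part needs no inventory to fix.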

If you are managing DCs in an environment with legacy authentication requirements, Level 3 should be your minimum baseline. Setting your LAN Manager authentication level to level 3 is a low-risk, high-benefit change that is often overlooked because misconceptions about compatibility run so deep.