
The Most Misunderstood Windows Security Setting of All Time
Jesper Johansson

Almost everyone who runs a network on Windows has heard of NTLM version 2 (NTLMv2) and the LMCompatibilityLevel setting that governs it. The setting first became available in Windows NT 4.0 Service Pack 4 (SP4), and has been in every version of Windows based on Windows NT since then. LMCompatibilityLevel has been recommended in every security guide for Windows since 1998.

A few years ago I thought I really knew how LMCompatibilityLevel worked. I was wrong. Then for a couple of years I thought I knew how it worked again. This has happened a few times, and recently I found out that I still didn't completely understand it. This prompted me to finally go back to the code, tear through it, and figure out what really was going on. This article is about what I found. Anyone who runs Windows probably should understand this setting and how it impacts network security and stability.

Background

The Windows NT-based operating systems up through and including Windows Server 2003 store two password hashes, the LAN Manager (LM) hash and the Windows NT hash. Starting in Windows Vista, the capability to store both is there, but one is turned off by default. The NT hash is a straight MD4 hash of the plaintext password. It supports all Unicode characters and passwords up to 256 characters long.

The LM hash, originally invented for use in LAN Manager over 20 years ago, is not actually a hash at all (see Figure 1). A hash is a mathematical function used to summarise or probabilistically identify data. LM instead uses a cryptographic one-way function (OWF): instead of encrypting the password with some other key, the password itself is the key. This is why you will sometimes see the LM hash referred to as the LM OWF. Conversely, the NT hash is typically referred to as the NT OWF internally.

Figure 1 LM Hash Generation: the password LetMeIn1 becomes LETMEIN + 1****** (upper-cased, padded and split into two seven-character halves); each half is used as a DES key to encrypt a constant, and the two encryption results are concatenated to form the LM hash. (The figure also shows the value aad3b435b51404ee.)

The algorithm introduces several weaknesses that attackers can exploit. First, all lowercase characters are set to uppercase, reducing the number of possible characters. Second, it splits a long, strong password into two seven-character chunks. Length has been shown to be the most important factor in password strength by far (see microsoft.com/technet/community/columns/secmgmt/sm1005.mspx for more on this topic). This operation reduces the strength of the password by many orders of magnitude.

Windows uses the LM OWF for the LM authentication protocol and the NT OWF for everything else. One common misconception is that the system stores a specific NTLMv2 OWF. There is not even an NTLM OWF for the NTLM protocol. The NT OWF is used for all other Windows authentication protocols in one way or another. The two OWFs are used in the authentication sequence as shown in Figure 2.

Figure 2 LM and NTLM Response Computation
1. Client to Server: Hey, I'd like to authenticate
2. Server to Client: OK, here is a challenge
3. LM Response = DES(LM OWF[0-6], Challenge) + DES(LM OWF[7-13], Challenge) + DES(LM OWF[14-15] + 5*NULL, Challenge)
4. NTLM Response = DES(NT OWF[0-6], Challenge) + DES(NT OWF[7-13], Challenge) + DES(NT OWF[14-15] + 5*NULL, Challenge)
5. Client to Server: Response = (LM Response, NTLM Response)

Both the LM and NTLM protocols operate essentially the same way; the only difference is the password hash. The actual challenge-response computation is fairly simple. The client requests authentication and the authentication server responds with an 8-byte challenge. The challenge is just a piece of random data. The client encrypts the challenge using the OWF as the key and returns the result as the response to the server. The LM and NTLM responses are each always 24 bytes long. The server has the NT OWF and usually the LM OWF as well. It starts by computing the NTLM response using the same algorithm the client used, and then compares that to the client result. If the two match, the client used the correct password hash and, by an extension of logic that is not always correct (anyone who holds the hash itself can compute the same response without ever knowing the password), had the correct password, and a successful logon results. If the results do not match, the server computes the LM response and checks whether that matches what the client sent. If that fails too, the client is denied access with a bad username or password error.

NTLMv2 was developed in response to attacks against the LM authentication protocol. The LM protocol, as the name implies, was originally used in the old LAN Manager network operating system in the mid-1980s. It was developed for the security requirements of the day, which included mostly floppy-based viruses, and hence was no match for a late 90s-style cracking attack. When the L0phtCrack password cracker from L0pht Heavy Industries, later purchased by @Stake and finally by Symantec, included a cracker against a captured LM authentication sequence, Microsoft implemented the new NTLMv2 authentication protocol to defeat L0phtCrack. (For a synopsis of the protocol and the attack that caused it to be created, see this Windows IT Pro article: windowsitpro.com/Articles/Index.cfm?ArticleID=7072. Keep in mind, however, that this article was published in 1999 and is now fairly dated and not entirely accurate in some respects.)

NTLMv2 is turned on using the LMCompatibilityLevel switch (known as some variant on "LAN Manager authentication level" in Group Policy). LMCompatibilityLevel takes six different values, from 0 to 5. The levels are shown in Figures 3 and 4.

Figure 3 Client-Side LMCompatibilityLevel Impact
Level 0, "Send LM and NTLM responses": sends LM and NTLM (NTLMv2 session security is negotiated); accepts LM, NTLM and NTLMv2; prohibits sending NTLMv2 session security (on Windows 2000 below SRP1, Windows NT 4.0 and Windows 9x).
Level 1, "Send LM and NTLM - use NTLMv2 session security if negotiated": sends LM and NTLM (NTLMv2 session security is negotiated); accepts LM, NTLM and NTLMv2; prohibits sending NTLMv2.
Level 2, "Send NTLM response only": sends NTLM (NTLMv2 session security is negotiated); accepts LM, NTLM and NTLMv2; prohibits sending LM and NTLMv2.
Level 3, "Send NTLMv2 response only": sends NTLMv2 (session security is always used); accepts LM, NTLM and NTLMv2; prohibits sending LM and NTLM.

Figure 4 Server-Side LMCompatibilityLevel Impact
Level 4, "Send NTLMv2 response only/refuse LM": sends NTLMv2 with session security; accepts NTLM and NTLMv2; prohibits LM.
Level 5, "Send NTLMv2 response only/refuse LM and NTLM": sends NTLMv2 with session security; accepts NTLMv2; prohibits LM and NTLM.

Admittedly, this is a brief introduction to Windows and passwords. Interested readers should see chapter 11 in Protect Your Windows Network (www.protectyourwindowsnetwork.com), which covers the topic in much more detail.

How NTLMv2 Works

The NTLMv2 response is very different. First, the client concatenates the user name and the logon domain name and computes an HMAC-MD5 message authentication code of those using the NT OWF as the key. The result of this keyed hash is sometimes referred to as the NTLMv2 OWF. The logon domain name is the domain of the account the client is attempting to log on to. In the case where a workstation is trying to contact a system that is not in the client's domain, this would be the server name.

The client then generates its own 8-byte challenge, which it puts into a blob that also contains a timestamp, information on the target the client is attempting to connect to, and some other data. This blob is then concatenated with the server challenge and another HMAC-MD5 message authentication code is computed on this combined challenge using the NTLMv2 OWF as the key. The result of that computation is concatenated with the blob and returned as the NTLMv2 response buffer. The client also computes a response based only on the NTLMv2 OWF, the server challenge, and the client challenge. This response is called the LM 2 Response and is returned in the LM response field along with the client challenge, as shown in Figure 5.

The entire NTLMv2 response buffer is not documented publicly, but many sources have inferred a lot about it. Essentially, it contains version information, room for flags in a future implementation, room for a message from the client to the server (which is not used today), the timestamp, the client challenge, and some information about the server and share name the client is connecting to.

Once again, I thought I knew exactly how it worked, and I wrote another article on it. Shortly after that, Seki Hidenobu wrote to me, prodding about something he called "NTLM2 Session Response", a term he picked up from Eric Glass. In fact, not only do the Ethereal network sniffer's filters identify NTLM2 Session Response, it has even been documented as part of the Samba (the UNIX implementation of SMB) documentation. In addition, Christopher R. Hertel's book on the Common Internet File System (CIFS—the

you set LMCompatibilityLevel to 1, it does not actually send NTLMv2 authentication. Then another epiphany hit me. The docu-

Jesper Johansson, a senior security strategist in the Microsoft Security Technology Unit and contributing editor for TechNet Magazine, focuses on how customers should best deploy Microsoft products more securely. He has a PhD in IS and has delivered speeches on security at conferences all over the world. Prerelease info in this column is subject to change. TechNet Magazine, October 2006.