Change LAN Manager Authentication Level

Raises the LAN Manager Authentication Level to 5, allowing NTLMv2 responses only.

Worklet Details

Why would you use the PowerShell Change LAN Manager Authentication Level Worklet?

This Worklet provides system administrators with an easy way to increase the security of their network by upgrading the LAN Manager authentication level from the default setting, which is 5. This can help protect your network from malicious actors who may attempt to gain access using legacy protocols such as LM or NTLMv1. By changing the authentication level to 5, you ensure that only NTLMv2 responses are accepted, which is more secure.

The Change LAN Manager Authentication Level Worklet helps system administrators quickly and easily upgrade the authentication level to 5 without having to manually modify registry settings or group policies. It also provides a way to quickly identify devices that do not support NTLMv2 authentication, allowing you to take corrective action if needed.

The Change LAN Manager Authentication Level Worklet also allows administrators to set the authentication level for specific domains and computers, which is useful in multi-domain environments where different levels of security may be required. This makes it easier to manage the security of your network while ensuring compliance with external standards and regulations. Additionally, administrators can use this worklet to enable or disable logging of authentication attempts, making it easier to audit the security of your network.

Finally, administrators can also use this worklet to set the minimum password age for specific users or groups, allowing them to ensure that their passwords are changed regularly and remain secure.

How does the PowerShell Change LAN Manager Authentication Level Worklet work?

There is a Windows policy that determines which authentication protocol is used for network logins. This includes capabilities such as transparent file and print sharing, user security features, and network administration tools.

The LAN Manager authentication registry value (LmCompatibilityLevel) determines which protocol responses are allowed to be sent and accepted, which includes LM, NTLM, and NTLMv2 variants.

By default, this script will set the authentication level to 5, which is the highest security and only allows for NTLMv2 responses. In order to change this to a lower setting, modify the $authenticationLevel variable in the remediation script.
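The check-then-set flow described above can be sketched as follows. This is an added example, not the Worklet's own script: it assumes the value lives at its standard location under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa`, and the helper function names are hypothetical.

```powershell
# Added example; not the Automox Worklet source.
$authenticationLevel = 5   # desired level; variable name taken from the page
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LmCompatibilityLevel'

# Meaning of each level, as worded in the Windows security policy.
$levelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured DWORD, or $null when the value is not set
    # (Windows then falls back to its built-in default).
    $prop = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$valueName
}

function Get-LevelText {
    param($Level)
    if ($null -eq $Level) { return 'not set (OS default applies)' }
    if ($levelMeaning.ContainsKey([int]$Level)) { return "$Level ($($levelMeaning[[int]$Level]))" }
    return "$Level (unrecognized)"
}

# Evaluation: report the current state and stop if already compliant.
$current = Get-LmCompatibilityLevel
Write-Output "Current LmCompatibilityLevel: $(Get-LevelText $current)"
if ($current -eq $authenticationLevel) { exit 0 }

# Remediation: write the DWORD (requires an elevated session), then verify.
New-ItemProperty -Path $lsaPath -Name $valueName -Value $authenticationLevel `
    -PropertyType DWord -Force | Out-Null

$after = Get-LmCompatibilityLevel
if ($after -ne $authenticationLevel) {
    Write-Error "LmCompatibilityLevel is $(Get-LevelText $after), expected $authenticationLevel"
    exit 1
}
Write-Output "LmCompatibilityLevel set to $(Get-LevelText $after)"
exit 0
```

If the Group Policy setting "Network security: LAN Manager authentication level" is configured for the device, it overwrites this registry value at the next policy refresh. Clients or appliances that cannot answer with NTLMv2 will fail to authenticate against a host at level 5, so identify them before a broad rollout.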

What is LAN Manager Authentication?

In the world of network security, LAN Manager Authentication plays an important role in keeping your data and resources secure. Essentially, LAN Manager Authentication is the security protocol used to gain access to domain resources. By default, it uses NTLM authentication which has some security vulnerabilities that could be exploited by hackers. To address this issue, it's recommended that you change your LAN Manager Authentication level to increase security.

This is done by adjusting your security settings to use NTLMv2 session security, which is a more secure version of NTLM. Keep in mind that LAN Manager Authentication includes LM, which is a weaker authentication protocol that should be avoided whenever possible. With proper LAN Manager Authentication settings, your domain controllers will only accept NTLMv2 authentication, which ensures better protection of your network.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.