Stop leaving the front door unlocked with a giant “Welcome Attackers” sign on it. NTLMv1 and LM hashes are laughably easy to crack. If your domain controllers or workstations still accept them, you’re practically inviting credential theft. I’ve seen environments get popped because of this simple miss.
This isn’t rocket science; it’s basic hardening hygiene. NTLMv2 is the stronger protocol: force it. Reject the old, weak protocols that hand adversaries a free pass with tools like Responder or a quick dictionary attack. It’s a low-effort, high-impact fix.
On your Windows servers this is a single PowerShell command: set LmCompatibilityLevel to 5. That mandates NTLMv2 and refuses the antique LM and NTLMv1 responses.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
Don’t debate it. Just do it.
The fix
# GPO: Computer Configuration → Policies → Windows Settings →
# Security Settings → Local Policies → Security Options
# "Network security: LAN Manager authentication level"
# → "Send NTLMv2 response only. Refuse LM & NTLM"
# Registry:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
Reference: CIS Windows Server Benchmark 2.3.11.7
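The one-liner above does the job, but on a domain controller level 5 also rejects NTLMv1/LM responses from every client, so a practitioner wants to see who is still sending them before flipping the switch. The following PowerShell is an added example, not part of the original post: it reads the current level and its meaning, lists recent NTLMv1/LM logons from the Security log (event 4624 records the package in "Package Name (NTLM only)"), then enforces level 5 while recording the previous value for rollback. The backup log path is an assumption; the registry key, value name and event fields are the standard ones.

```powershell
# Added example (not the original post's code). Run elevated on the host being hardened.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'LmCompatibilityLevel'

# Meaning of each level, matching the Security Options policy text.
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # A missing value means the OS default applies; on current Windows that sends
    # NTLMv2 but a domain controller will still accept LM and NTLMv1 responses.
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-NtlmV1Logons {
    # Lists accounts/workstations that authenticated with NTLMv1 or LM in the last N hours.
    # Event 4624 carries the negotiated package in the LmPackageName field.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LmPackageName'] -in @('NTLM V1', 'LM')) {
            [pscustomobject]@{
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Workstation = $d['WorkstationName']
                SourceIP    = $d['IpAddress']
                Package     = $d['LmPackageName']
            }
        }
    } | Group-Object Account, Workstation, Package |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level = 5)
    $before = Get-LmCompatibilityLevel
    $beforeText = if ($null -eq $before) { 'not set' } else { $before }
    # Keep the previous value so the change can be rolled back if a legacy client breaks.
    # Backup path is an assumption for this example.
    "{0}`t{1}`t{2}" -f (Get-Date -Format o), $env:COMPUTERNAME, $beforeText |
        Add-Content -Path "$env:ProgramData\LmCompat-backup.log"
    Set-ItemProperty -Path $LsaKey -Name $Name -Value $Level -Type DWord
    $after = Get-LmCompatibilityLevel
    if ($after -ne $Level) { throw "Failed to set $Name (read back '$after')" }
    Write-Output ("{0}: {1} -> {2} ({3})" -f $env:COMPUTERNAME, $beforeText, $after, $LevelMeaning[$after])
}

# Usage: audit first, then enforce and verify.
$current = Get-LmCompatibilityLevel
Write-Output ("Current level: {0} ({1})" -f $current, $LevelMeaning[$current])
Get-NtlmV1Logons -Hours 72 | Format-Table -AutoSize
Set-LmCompatibilityLevel -Level 5
```

Run the audit on each domain controller over a few days before enforcing; anything that shows up under NTLM V1 or LM (old NAS appliances, printers, unpatched clients) will stop authenticating at level 5 and needs fixing or retiring first. Once GPO carries the setting, the script's read-back also catches hosts where the policy has not applied.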