Microsoft在Windows NT中包含^{(Windows NT)}NTML 或 NT LAN 管理器协议^{(NT LAN Manager Protocol)}用于基本身份验证目的，并尝试通过引入Kerberos 身份验证^{(Kerberos authentication)}来增强其安全性。但是，NTML 协议^{(NTML Protocol)}仍在Windows 域网络^{(Windows Domain Networks)}中使用。在本文中，我们将了解如何在Windows 域中禁用^{(Windows Domain)}NTML 身份验证^{(NTML Authentication)}。

在Windows 域中^{(Windows Domain)}禁用NTML 身份验证^{(NTML Authentication)}

您可能希望在Windows 域中禁用^{(Windows Domain)}NTML 身份验证^{(NTML Authentication)}的原因可能有多种。一些最常见的原因是：

1. NTML不安全并且提供弱加密。
2. 在NTML的情况下，您的密码哈希将存储在LSA 服务^{(LSA Service)}中。它可以很容易地被攻击者提取。
3. 它容易受到 数据拦截攻击^{(Data Interception attacks)}，因为客户端和服务器之间缺乏相互身份验证。

了解了禁用NTML Authentication的原因后，我们来看看禁用它的原因。

这些是我们将在Windows 域中禁用^{(Windows Domain)}NTML 身份验证^{(NTML Authentication)}的方法。

1. 由本地组策略编辑器
2. 通过注册表编辑器

让我们详细谈谈它们。

1]由组策略编辑器

在禁用NTML之前，我们需要确保您没有使用其最不受保护的协议，即；NTMLv1或NTML 版本 1^{(NTML Version 1)}。这会使您的域容易受到攻击者的攻击。完成后，请按照以下方法通过组策略编辑器^{(Group Policy Editor)}在Windows 域中禁用^{(Windows Domain)}NTML 身份验证^{(NTML Authentication)}。

为此，请从开始^(Start)菜单中打开本地组策略编辑器 。^{(Local Group Policy Editor )}前往以下位置。

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

现在，双击 网络安全：LAN Manager 身份验证级别。 ^{(Network Security: LAN Manager authentication level. )}选择 仅发送 NTMLv2 响应。^{(Sent NTMLv2 response only. Refuse LM & NTML )}从“本地安全设置”选项卡中拒绝 LM 和 NTML  。

单击 Apply > Ok ，您的域上将禁用NTML身份验证。^(NTML)

2]通过注册表编辑器

如果您没有组策略编辑器^{(Group Policy Editor)}，您可以从注册表编辑器^{(Registry Editor)}中禁用NTML。借助一些简单的解决方案，您可以轻松做到这一点。

从开始菜单^{(Start Menu)}启动 注册表编辑器 ^{(Registry Editor )}并导航到以下位置。

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsa

现在，右键单击 Lsa 并选择 New > DWORD (32-bit) Value. 将其命名为“ LmCompatibilityLevel ”并将 值数据 ^{(Value data )}设置为 5。5因为它对应于“仅发送NTMLv2 ^(5. )响应。拒绝 LM 和 NTML”。^{(Sent NTMLv2 response only. Refuse LM & NTML”.)}

这样您就可以通过注册表编辑器禁用^{(Registry Editor)}NTML。

阅读下一篇：^{(Read Next: )}为什么以及如何在 Windows 10 上禁用 SMBI

How to Disable NTLM Authentication in Windows Domain

Microsoft includes NTML or NT LAN Manager Protocol in Windows NT for basic authentication purposes – and has tried enhancing its security by introducing Kerberos authentication. However, NTML Protocol is still used in Windows Domain Networks. In this article, we are going to see how to disable NTML Authentication in Windows Domain.

Disable NTML Authentication in Windows Domain

There can be multiple reasons why you may want to disable NTML Authentication in Windows Domain. Some of the most common reasons are:

1. NTML is not secure and offers weak encryption.
2. In the case of NTML, your password hash will be stored in LSA Service. It can be easily extracted by an attacker.
3. It is vulnerable to Data Interception attacks as there is a lack of mutual authentication between the client and the server.

After knowing the reasons to disable NTML Authentication, let’s see the reasons to disable it.

These are the ways by which we are going to disable NTML Authentication in Windows Domain.

1. By Local Group Policy Editor
2. By Registry Editor

Let us talk about them in detail.

1] By Group Policy Editor

Before disabling NTML, we need to make sure that you are not using its most unprotected protocol i.e; NTMLv1 or NTML Version 1. This can make your domain vulnerable to attackers. Once you are done with that, follow the following method to disable NTML Authentication in Windows Domain by Group Policy Editor.

To do that, open Local Group Policy Editor from the Start menu. Go to the following location.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Now, double-click on Network Security: LAN Manager authentication level. Select Sent NTMLv2 response only. Refuse LM & NTML from the “Local Security Settings” tab.

Click Apply > Ok and NTML authentication will be disabled on your domain.

2] By Registry Editor

If you don’t have Group Policy Editor, you can disable NTML from the Registry Editor. You can easily do that, with the help of some simple solutions.

Launch Registry Editor from the Start Menu and navigate to the following location.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsa

Now, right-click on Lsa and select New > DWORD (32-bit) Value. Name it “LmCompatibilityLevel” and set Value data to 5. 5 because it corresponds to “Sent NTMLv2 response only. Refuse LM & NTML”.

This way you will be able to disable NTML by Registry Editor.

Read Next: Why and How to disable SMBI on Windows 10

Related posts

• 如何在Windows 10中更改LAN Manager Authentication Level

• 如何在Windows 10使用Network Sniffer Tool PktMon.exe

• 启用Network Connections而在Modern Standby上Windows 10

• 在Windows 11上启用或禁用Wi-Fi和Ethernet adapter

• 如何在地图上Network Drive或Windows 11/10添加FTP Drive

• 如何在Windows 10上使用Group Policy映射Network Drive

• Make Network文件Always Available Offline上Windows 10

• 通过PowerShell解决Windows Server Network connectivity问题问题

• Fix Slow access给network drive从Windows 10

• Windows无法从Windows 10中的路由器获取Network Settings

• 在Windows 10中无法在我的网络上看到其他计算机

• Ping Transmit Windows 10中的General failure错误

• 为什么我的ping Time在Windows 11/10中如此之高？

• 如何在Windows 10中创建Network股票

• Windows 10免费IP scanner Advanced IP Scanner

• FIX：WiFi or Network Icon Windows 11/10上的Red Cross X

• 如何在Windows 10中设置静态IP Address

• 如何清除Windows 11/10中的ARP Cache

• 如何修复DHCP Lookup故障error om Windows & Chromebooks

• 如何重置Winsock在Windows 10