LM Hashes, NTLM and Kerberos.

Posted on 2008-11-03
Last Modified: 2013-12-04
I need to understand a couple of things with regard to LM hashes, NTLM and Kerberos. In Windows 2000 Server, do you set up Kerberos or is it there by default? Does it just work even without any configuration? Where then does the vulnerability of LM hashes and NTLM come in if Windows 2000 Server uses Kerberos? I'm lost. Please refer me to some site or please explain.
Question by:yolunga2000

    Accepted Solution


    Kerberos is the default authentication mechanism since 2000 for clients which support Kerberos authentication. If a client does not support Kerberos authentication (Windows 9x/Me, NT 4.), the server will fall back to NTLMv2, NTLMv1 or even LM hashes. If anything on your network prevents Kerberos from working, even clients which support Kerberos authentication will use older authentication mechanisms. The behaviour of your domain controllers is defined in the Default Domain Controllers Policy:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    LAN Manager authentication level should be configured to refuse LM and NTLMv1, but this might prevent older systems from authenticating.

    More info:




    Assisted Solution

    by:Rich Rumble
    Kerberos is only the default for sign-on, all share/printer/IIS access auth is LM/NTLM!
    Even with Vista it still defaults to LM/NTLM. It's sad really... from the link above: Default: Send LM & NTLM responses.
    This is a pretty good article about LM/NTLM/NTLMv2, but is incorrect about Vista's behaviour with LM/NTLMv1

    This article tries to explain Kerberos.

    If you really want to see what is being sent in/out for yourself, grab a copy of Cain&Abel from and turn on the sniffer. The M$ articles seem to portray Kerberos being used all over, but it's really not...
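
One way to check the "LAN Manager authentication level" that the accepted answer refers to, as an added example that is not part of either answer: it reads `LmCompatibilityLevel` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, the registry value that policy writes, and reports what the machine still sends and accepts. The function name `Get-LmAuthLevel` is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report the effective "LAN Manager authentication level".
# Get-LmAuthLevel is a hypothetical name; LmCompatibilityLevel is the value the policy sets.
function Get-LmAuthLevel {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Policy wording for each LmCompatibilityLevel value (0-5).
    $policyText = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    $lsa  = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
    $prop = $lsa.PSObject.Properties['LmCompatibilityLevel']

    if ($null -eq $prop) {
        # Value absent: the built-in default applies and it differs between
        # Windows versions, so report "unknown" instead of guessing a level.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Level = $null
            Policy = 'Not configured (OS default applies)'
            SendsLmOrNtlmV1 = $null; AcceptsLm = $null; AcceptsNtlmV1 = $null
            MeetsTarget = $false
        }
    }

    $level = [int]$prop.Value
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Level           = $level
        Policy          = $policyText[$level]
        SendsLmOrNtlmV1 = $level -lt 3   # as a client: levels 0-2 still send LM and/or NTLMv1
        AcceptsLm       = $level -lt 4   # as a server/DC: LM is refused from level 4
        AcceptsNtlmV1   = $level -lt 5   # as a server/DC: NTLMv1 is refused only at level 5
        MeetsTarget     = $level -eq 5   # the "refuse LM and NTLMv1" setting from the answer
    }
}

Get-LmAuthLevel | Format-List
```

Run it on a domain controller to see what the Default Domain Controllers Policy actually applied; a `Level` of `$null` means the policy never set the value on that machine.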
