NTLM version in packet

Discussion in 'Hardware' started by CobolExpert, Jun 14, 2005.

  1. CobolExpert

    CobolExpert Private E-2

    Howdy,
    I am trying to make sure that my DCs are authenticating with NTLMv2. I am filtering packets on my workstation and found what looks like an auth packet with one of my DCs. The packet is marked "NTLMSSP_AUTH".

    In looking at the flags in the packet, I see the following lines as "set":

    Negotiate 56: Set
    Negotiate 128: Set
    Negotiate NTLM2 key: Set
    Negotiate NTLM key: Set

    There are a few others but I don't think they matter. It looks to me like the machine is authenticating using either NTLM or NTLM2. I know the reg setting on the DCs and workstations for the compatibility level is 0 so it could auth as LM if it wanted to (that's what I am trying to change). Does anyone know if there is a way to determine what it is using for sure?

    Thanks!!
     
  2. CobolExpert

    CobolExpert Private E-2

    Anyone know a good packet forum? This is driving me crazy. Especially when all of MS's docs refer to NT and below but the registry settings still exist and, I assume, are still relevant in XP, 2k, and 2k3.
     
  3. djlowe

    djlowe Private First Class

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q239869

    Here's the part that probably is of interest to you:

    <snip>
    Note For Windows NT 4.0 and Windows 2000 the registry key is LMCompatibilityLevel, and for Windows 95 and Windows 98-based computers, the registry key is LMCompatibility.

    For reference, the full range of values for the LMCompatibilityLevel value that are supported by Windows NT 4.0 and Windows 2000 include:
    • Level 0 - Send LM and NTLM response; never use NTLM 2 session security. Clients use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication.
    • Level 1 - Use NTLM 2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
    • Level 2 - Send NTLM response only. Clients use only NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
    • Level 3 - Send NTLM 2 response only. Clients use NTLM 2 authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
    • Level 4 - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers refuse LM authentication (that is, they accept NTLM and NTLM 2).
    • Level 5 - Domain controllers refuse LM and NTLM responses (accept only NTLM 2). Clients use NTLM 2 authentication, use NTLM 2 session security if the server supports it; domain controllers refuse NTLM and LM authentication (they accept only NTLM 2).
    <snip>

    Regards,

    dj
     
  4. CobolExpert

    CobolExpert Private E-2

    Thanks for the reply.

    I have played with those settings before, and they are in fact set (even though I am using XP/2k/2k3 and the article doesn't really mention them). I am trying to verify that I am in fact only using NTLMv2. I can set the settings but how do I know if I am actually not using LM... I can't figure out how to tell.
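
One way to check this from the capture, as an added example that is not part of any post in the thread: the negotiate flags listed in the first post (including "Negotiate NTLM2 key") describe session security, while the response type shows in the LM and NT response fields of the NTLMSSP_AUTH message itself. The sketch assumes the raw NTLMSSP bytes have been exported from the capture; `classify_authenticate` and `build_sample` are hypothetical names, and the sample messages are constructed.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
HEADER_LEN = 64  # signature, message type, six field descriptors, flags

def _field(msg, pos):
    # Field descriptor: Len(2) MaxLen(2) BufferOffset(4), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Name the response type carried by an NTLMSSP AUTHENTICATE (type 3) message."""
    if len(msg) < 28 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm = _field(msg, 12)  # LmChallengeResponse
    nt = _field(msg, 20)  # NtChallengeResponse
    # NTLMv2: 16-byte proof followed by a blob that starts 0x01 0x01.
    if len(nt) > 24 and nt[16:18] == b"\x01\x01":
        return "NTLMv2"
    if len(nt) == 24:
        # NTLM2 session response: LM field is an 8-byte client nonce + 16 zero bytes.
        if len(lm) == 24 and lm[8:] == bytes(16):
            return "NTLMv1 with NTLM2 session security"
        return "LM/NTLMv1"
    return "unknown"

def build_sample(lm, nt):
    """Constructed message: only the LM and NT response fields are populated."""
    header = SIGNATURE + struct.pack("<I", 3)
    header += struct.pack("<HHI", len(lm), len(lm), HEADER_LEN)
    header += struct.pack("<HHI", len(nt), len(nt), HEADER_LEN + len(lm))
    header += struct.pack("<HHI", 0, 0, HEADER_LEN) * 4  # domain, user, workstation, session key
    header += struct.pack("<I", 0)  # NegotiateFlags, not consulted by the classifier
    return header + lm + nt

# Constructed responses (filler bytes, not real hashes).
V2_NT = b"\xcc" * 16 + b"\x01\x01" + bytes(6) + bytes(8) + b"\xdd" * 8 + bytes(8)
SAMPLES = {
    "v1": build_sample(b"\xaa" * 24, b"\xbb" * 24),
    "session": build_sample(b"\x11" * 8 + bytes(16), b"\xbb" * 24),
    "v2": build_sample(b"\xee" * 24, V2_NT),
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(name, "->", classify_authenticate(message))
```

A 24-byte NT response means LM or NTLMv1 is still in use for that logon, whatever the flags say; only a longer response with the 0x01 0x01 blob header is NTLMv2.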
     
