My scenario is that I have a website set up via IIS in Windows Server 2012 R2 Standard using Windows Authentication which has been detected as vulnerable to an NTLMv1 attack and so I am looking to disable this and allow NTLMv2 only.
From my research on this topic I found a lot of helpful information, such as "Anonymous Logon" vs "NTLM V1" What to disable? and https://markgamache.blogspot.co.nz/2013/01/ntlm-challenge-response-is-100-broken.html
From these links and others like them, the only answer that is typically given is to have a registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa named LmCompatibilityLevel and adjust it. I have tried setting this to the value 5, which is "Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2."
However, when I do this, it appears I am still able to connect to the website successfully using my Windows credentials from another server that I have set up with LmCompatibilityLevel set to 0, which is supposed to only use/allow LM/NTLM.
The way I have detected that it is using NTLMv1 authentication is via the Windows Security Logs.
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
When I set the registry value to 3 or higher on the client server prior to connection, the Package Name value becomes NTLM V2.
I have also changed the Local and Group Security Policy "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM", but I understand from my testing that these are essentially different interfaces for the same setting.
Has anyone experienced this or know if there's a different setting I'm missing that I need to change?
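To check an exported Security Log for the NTLM V1 logons described in the question, here is an added Python example (not from the question's author): it parses the "Detailed Authentication Information" fields out of 4624-style message text and reports every logon whose "Package Name (NTLM only)" is NTLM V1. The field names follow the excerpt above; the sample accounts, workstation names and message template are constructed.

```python
import re

# Constructed 4624-style message template; the field names follow the
# "Detailed Authentication Information" block quoted in the question.
TEMPLATE = (
    "An account was successfully logged on.\n"
    "Account Name:\t{user}\nAccount Domain:\tCORP\nWorkstation Name:\t{ws}\n"
    "Detailed Authentication Information:\n"
    "Logon Process:\t{proc}\nAuthentication Package:\t{pkg}\n"
    "Transited Services:\t-\nPackage Name (NTLM only):\t{lm}\nKey Length:\t{klen}\n"
)

# Constructed sample events: one NTLMv1 logon, one NTLMv2, one Kerberos.
SAMPLE_EVENTS = [
    TEMPLATE.format(user="alice", ws="APPSRV01", proc="NtLmSsp", pkg="NTLM", lm="NTLM V1", klen=128),
    TEMPLATE.format(user="bob", ws="APPSRV02", proc="NtLmSsp", pkg="NTLM", lm="NTLM V2", klen=128),
    TEMPLATE.format(user="carol", ws="APPSRV03", proc="Kerberos", pkg="Kerberos", lm="-", klen=0),
]

# One "Name: value" pair per line; [ \t]* (not \s*) so an empty value such as
# "Detailed Authentication Information:" does not swallow the next line.
FIELD_RE = re.compile(r"^(?P<name>[^:\n]+):[ \t]*(?P<value>.*)$", re.MULTILINE)


def parse_fields(message):
    """Return the 'Name: value' pairs of one event message as a dict."""
    return {m.group("name").strip(): m.group("value").strip() for m in FIELD_RE.finditer(message)}


def ntlm_version(fields):
    """Return 'V1', 'V2' or None (non-NTLM logon) from the parsed fields."""
    if fields.get("Authentication Package") != "NTLM":
        return None
    m = re.fullmatch(r"NTLM V([12])", fields.get("Package Name (NTLM only)", ""))
    return "V" + m.group(1) if m else None


def find_ntlmv1_logons(messages):
    """Return (DOMAIN\\account, workstation) for every logon that used NTLM V1."""
    hits = []
    for msg in messages:
        f = parse_fields(msg)
        if ntlm_version(f) == "V1":
            hits.append((f"{f['Account Domain']}\\{f['Account Name']}", f["Workstation Name"]))
    return hits


if __name__ == "__main__":
    for account, ws in find_ntlmv1_logons(SAMPLE_EVENTS):
        print(f"NTLM V1 logon: {account} from {ws}")
```

Feeding it real exported event text (one message per list entry) gives a quick per-client list of which hosts still negotiate NTLMv1 before and after changing LmCompatibilityLevel.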