Skip Over Navigation Links
Interface Online Center for Information Technology (CIT)
space

Summer/Fall 2010 [Number 247]     Printable Version Printable version (528KB PDF)     Download Adobe Reader

Index

Previous

Next

CIT Retires NTLM Version 1

To enhance computer and networking security for all of NIH, CIT is retiring the authentication protocol Windows NT LAN Manager version 1 (NTLM v.1) at the enterprise level. NTLM version 2 has superseded version 1, and upgrading to the newer version ensures that our authentication services to NIH remain up-to-date and in compliance with security standards.

What is NTLM?

NTLM is an authentication protocol that CIT provides to NIH as part of our Active Directory (AD) Infrastructure Services. These services are important to all NIH computer users because your access to NIH applications and networks services relies on the AD's management of user accounts, computers, and other IT resources.

As an AD authentication protocol, NTLM provides a challenge-response authentication mechanism, in which clients are able to send their identities without sending a password to the server.

What will change?

Once version 1 has been retired, domain controllers will refuse LM and NTLM v.1 responses and accept only NTLM v.2 responses. Clients will use NTLM v.2 authentication, and should use NTLM v.2 session security if the server supports it.

Upgrading from NTLM version 1 to version 2 offers several benefits for users:

    Enhanced authentication security levels.

    Compliance with NIST security guidelines, SAS-70, and OIG audits.

    Better preparedness for using the Kerberos authentication protocol for cross-platform authentication and Single Sign On technologies.

    Improved integration of authentication and authorization mechanisms for CIT customers' enterprise applications.

Retirement timeline

The NIH Architecture Review Board (ARB), the NIH Information Technology Management Committee (ITMC), and the Chief Information Security Officer (CISO) initially approved the retirement of NTLM v.1 in 2006.

A full shutdown of NTLM v.1 was scheduled to occur in 2007, however some ICs were not able to update their systems and applications to support NTLM v.2 in time. To ensure a smooth process for the entire NIH community, we extended the testing and implementation schedule for the retirement project into this year.

DCSS has been conducting testing to ensure that all ICs are ready for the version 1 retirement. Full implementation of the NTLM v.1 retirement is currently set for the end of October.

Questions?

If you have questions about the NTLM v.1 retirement and its potential impact on you, please contact the NIH IT Service Desk online at http://itservicedesk.nih.gov or by phone at 301-496-4357 (6-HELP) (local), 866-319-4357 (toll free), or 301-496-8294 (TTY), and the Service Desk personnel will direct you to the proper contact.

Back to top of page
 
blank
Published by Center for Information Technology, National Institutes of Health
Accessibility | Disclaimers | Privacy Policy | FOIA | Office of Inspector General
 
CIT logo  NIH logo   HHS logo  USA Gov logo
NIH...Turning Discovery into Health