How can you defend against Net-NTLMv1 downgrade attacks?

Since Windows Vista/Server 2008, Net‑NTLMv2 is the default and is significantly more secure. To prevent downgrade to Net‑NTLMv1, ensure that the `lmcompatibilitylevel` registry key is set to at least 2 (or higher) and that clients do not allow older LM/NTLMv1 authentication. Additionally, limit administrative privileges on endpoints because enabling Net‑NTLMv1 requires admin rights. For further protection, consider disabling NTLM altogether or using Kerberos where possible. Related defense strategies are also discussed in intranet security articles.