Re: kerberos!

From: Frank van Rijt (fvanrijt_at_HOTMAIL.COM)
Date: 09/13/04

  • Next message: Jeffrey Altman: "Re: kerberos!"
    Date:         Mon, 13 Sep 2004 08:50:54 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Regarding all the mails regarding Kerberos and NTLM, I would like to add one
    additional remark.

    I see that one important feature is also missing in the Windows 2000/2003
    environment: the ability to audit what type of authentication is used by the
    clients.

    Say I want to eliminate NTLM V1 & Lanmanager.
    If I'm able to audit all the users that still use these types of
    authentication protocols (Win9x, Samba, NAS appliances), I can warn them and
    take appropriate action before actually shutting down the protocol. However
    at this moment I'm unable to see what type of logon-requests are still used
    by the clients, so I'm unable to contact the persons and warn them before
    actually upgrading the security policy.

    So it would be nice to be able to audit which of the users/machines is still
    using the Lanmanager or NTLM V1 authentication protocol to be able to safely
    disable these protocols without causing a lot of problems the day you
    disable them.

    At this moment you can only audit who is using Kerberos and who is using
    Lanmanager/NTLM V1/NTLM V2. The different levels of NTLM/Lanmanager cannot
    be audited, so it is therefore impossible to see who is still using NTLMV1
    and Lanmanager in a Windows 2000/2003 environment.

    Regards,

    Frank


