RE: NTLM

From: Rocky Stefano (rstefano@echelonsystems.com)
Date: 10/02/01


From: "Rocky Stefano" <rstefano@echelonsystems.com>
To: "Focus on MicroSoft" <focus-ms@securityfocus.com>
Subject: RE: NTLM
Date: Tue, 2 Oct 2001 10:54:17 -0400
Message-ID: <OFEPIIBCPHNHOMCPOOPDKEGHEBAA.rstefano@echelonsystems.com>


NTLMv2 is what you should use in a mixed W2K/NT4 domain. If all your clients
are W2K, you should use Kerberos authentication, which is native in W2K. One
caveat to this is RAS. Even if you are running a native W2K forest/domain
and are using Kerberos, anyone using RAS to dial in still has to use NTLM to
authenticate. PSS has said it will stay like this for A WHILE.

-----Original Message-----
From: Kevin and Laura Brown [mailto:2brownfox@home.com]
Sent: October 1, 2001 10:05 PM
To: Focus on MicroSoft
Subject: NTLM

What are the security implications of using NTLM? Is NTLM encrypted? What
are the alternatives in a Win2K environment (meaning native to the OS. I'm
not interested in solutions like smart cards for my current needs)? What
are the pros and cons of using NTLM vs other Win2K authentication schemes?

Basically, I'm trying to determine if NTLM is the best course of action for
securing remote user authentication in a Win2K LAN for services such as
telnet. Also, which services can use NTLM? I know this is a lot of
questions, and I plan on reading the technet site for a better understanding
of how it works, but I wanted to get some professional opinions on its
effectiveness.

Thanks in advance,
Brownfox


