Re: net use and LM / NTLM

From: Mike Coppins (mike@legolas.com)
Date: 04/13/02


Date: Sat, 13 Apr 2002 01:52:29 +0100
To: focus-ms@securityfocus.com
From: Mike Coppins <mike@legolas.com>

At 12/04/2002 14:35, Laura A. Robinson wrote:
> > At 11/04/2002 17:47, Laura A. Robinson wrote:
> > >It depends on several things-
> > >
> > >First, is it a "net use" to a name, an IP or a GUID?
> > >Second, what service pack revision is the NT4 server on in the second
> > >scenario?
> > >
> > >Net use to IP, even in a pure Windows 2000 environment, uses NTLMv2.
> > >Other net use is Kerberos in a pure Win2K environment.
> > >NT4 SP4+ with Win2k is NTLMv2.
> >
> > Win2k and NT4 (SP4+), will both talk LanMan (LM) authentication unless
> > otherwise specified. I know this from experience. For example, two Win2k
> > machines on the same network, one of which has an LSA registry setting that
> > says "reject NTLM and LM authentication, accept only LM". You get a
> > machine that is a default install of Win2k to try and connect to it, no
> > chance. You'll get "account doesn't exist" in the event log, in true win2k
> > "report any old error" style. Switch off the "reject NTLM/LM" setting, and
> > it works fine.
>
>Hmm. This doesn't jibe with what I just tested. I have one Win2K box which
>is set to "Send NTLMv2 response only\refuse LM&NTLM", and another Win2K box
>which is set to the default "Send LM & NTLM responses" sitting on the other
>side of the room. No issues whatsoever connecting. Of course, that's because
>Kerberos authentication is used between Windows 2000 machines in a Windows
>2000 AD environment except for those odd exceptions like the ones I
>mentioned.

The exception (straight to IP) you mentioned would make sense in a
Microsoft-twisted point of view, however it entirely negates the point of
deploying kerberos.

The test I performed involved neither machine being on AD, so it
illustrates the point better from the original question asked (what form of
Windows networking authentication is used in x scenario).

>Now, if you have a Win2K box that is set to refuse downlevel authentication
>*and* an NT 4 box that isn't configured to use NTLMv2, that's a different
>story.

But that's illustrating to people who don't have a well-grounded
understanding of Windows networking/file sharing authentication methods,
which, to be honest, are a pain to get to grips with from square one,
especially if you're troubleshooting :)

>As far as the part about NT4 not using NTLM by default, from:
>
>http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869
>
><snip> No domain controller configuration is required to
>support NTLM 2; the only time domain controllers need to be configured is to
>disable support for NTLM 1 or LM authentication."

I dispute this from that article. Any machine on the network is
essentially acting as a server (from a service point of view, where
authentication levels actually matter), and so DCs are going to matter as
much as any other machine (except of course if your DC can't talk the same
authentication as your nodes, then you have a problem :-))

>and
>
>"LMCompatibilityLevel - Clients IMPORTANT : For an SP4 client to choose
>level 3 or greater, the domain controllers for the user's account domains
>for all users who will use the client (hereafter, "the users' domain
>controllers") MUST have been upgraded to SP4.
>
>If an SP4 client chooses level 0, which is the default, it will interoperate
>with earlier servers exactly as it did with Service Pack 3 (SP3).
>
>If an SP4 client chooses level 1, it will interoperate with earlier servers
>exactly as it did at Service Pack 3 (SP3). In addition, it will negotiate
>NTLMv2 session security with SP4 servers."
>
>If you go to a Windows 2000 client and look at HKLM\System\CCS\Control\LSA,
>you'll see that the default setting for authentication is, indeed, "0",
>which would allow it to use LM and NTLM authentication, so you're correct on
>that default. I guess I have a tendency to assume non-default settings,
>sorry about that. :-)

I was trying to guide peeps from a default setting point of view :) While
making absolutely sure that LM isn't being employed is a real priority, and
once you know the rules, you generally wouldn't dream of running these
settings at their defaults :)

> > Win2k has issues with authentication (between LM/NTLM/NTLMv2 and
> > kerberos).
>
>What issues, aside from those I mentioned (I know of a couple others, but
>I'm curious as to the ones you reference)?

I've referenced them again in this post, being that in certain scenarios
(direct to IP, direct to name and not necessarily including the DC in on
the transaction), kerberos won't be used. Therefore negating the point of
using kerberos, being that you're not using weak methods for transmitting
passwords.

I'm not 100% sure on this next bit however, but I'm sure I've seen net use
methods to the DC on an AD domain being done in NTLM and not kerberos.

I've not included the rest of your reply, because we're kind of going full
circle and have answered each other's questions :) (I think, but it's 2am here
and I really shouldn't be answering email :-))

-- 
Mike Coppins
mike@legolas.com
http://www.legolas.com/
Currently looking for work: http://www.legolas.com/mikes/cv.html
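As an added illustration (not part of Mike's or Laura's posts, and not Microsoft code), the following Python models the LMCompatibilityLevel rules quoted from the KB article above, so the two experiments in the thread can be replayed: Mike's two standalone Win2K boxes (a default level-0 client against a level-5 server) and Laura's two AD members connecting by name. The level semantics are the documented NT4 SP4 / Windows 2000 ones; the function names `negotiate` and `lm_exposed` and the Kerberos-versus-IP shortcut are this example's own simplifications.

```python
# Responses a client at each LMCompatibilityLevel puts on the wire.
# Levels 0 and 1 send the LM and the NTLM response in the same message.
CLIENT_SENDS = {
    0: ("LM", "NTLM"),
    1: ("LM", "NTLM"),   # plus NTLMv2 session security when negotiated
    2: ("NTLM",),
    3: ("NTLMv2",),
    4: ("NTLMv2",),
    5: ("NTLMv2",),
}

# Responses the validating side refuses at each level: the DC for domain
# accounts, the target machine's own LSA for local accounts (as in Mike's
# two-standalone-box test, where no DC was involved).
SERVER_REFUSES = {0: (), 1: (), 2: (), 3: (), 4: ("LM",), 5: ("LM", "NTLM")}

STRENGTH = {"LM": 0, "NTLM": 1, "NTLMv2": 2}


def negotiate(client_level, server_level, *, in_same_ad=False, by_ip=False):
    """Return (mechanism_used, responses_on_wire).

    mechanism_used is 'Kerberos', the strongest NTLM-family response the
    validator accepts, or None when every response the client offers is
    refused (the failure Mike saw, logged by Win2K as a bogus logon error).
    """
    # Two Windows 2000 domain members connecting by name use Kerberos;
    # connecting straight to an IP address skips it and falls back to the
    # LM/NTLM negotiation (the exception Laura describes).
    if in_same_ad and not by_ip:
        return "Kerberos", ()
    on_wire = CLIENT_SENDS[client_level]
    accepted = [r for r in on_wire if r not in SERVER_REFUSES[server_level]]
    if not accepted:
        return None, on_wire
    return max(accepted, key=STRENGTH.__getitem__), on_wire


def lm_exposed(client_level, server_level, **kw):
    """True when an LM response is transmitted at all, even if the server
    ends up validating the NTLM response instead. That is the weak, offline-
    crackable artefact the thread says should never be on the wire, and it
    is only removed by raising the *client's* level to 2 or above."""
    _, on_wire = negotiate(client_level, server_level, **kw)
    return "LM" in on_wire
```

Note that a level-4 server still lets a default (level-0) client in, because the NTLM response in the same message is accepted; only the client-side level stops the LM response from being sent.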


