RE: Basic question
From: Depp, Dennis M. (deppdm_at_ornl.gov)
Date: 03/11/05
- Previous message: dave kleiman: "RE: Basic question"
- Maybe in reply to: Roman L. Daszczyszak II: "Basic question"
- Next in thread: Laura A. Robinson: "RE: Basic question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 11 Mar 2005 08:26:34 -0500
To: "Roman L. Daszczyszak II" <romandas@gmail.com>, focus-ms@securityfocus.com
Roman,
I don't have a reference and I am doing this from memory, so it may not be
100% correct. I don't remember much about LanMan. NTLM used two 7-character
hashes that were trivially encrypted. Each was encrypted separately and
could be decrypted separately. NTLMv2 improved on the encryption used and
removed the 7-character limits on the encryption. Kerberos is the latest
encryption used by Microsoft. With Kerberos, the password is never sent
across the wire. Instead a ticket is granted to the user to allow the user
to access resources. (I realize this is very simplistic.)
The encryption used when sending authentication to an IIS server depends
on how you have configured the IIS server. You have several choices.
Windows Integrated Authentication utilizes NTLM or NTLMv2 depending on
the configuration of the IIS server and the domain controllers. Not all
browsers utilize Windows Integrated Authentication. (I think only IE on
Windows will support this.) Basic authentication will send the password
in plain text across the network. With Basic authentication, if you want
authentication and encryption, you need to install an SSL certificate
and force your users to use https to access your site. On IIS 6.0 there
is also Digest and .NET authentication. I am not familiar with either
of these. The encryption method used does not matter whether the machine is
part of the same domain as the IIS server or not.
I hope this helps.
Dennis
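As an added illustration of the Basic-versus-NTLM point made above (example code written for this archive page, not anything from the thread or from IIS), a small Python audit routine that classifies the Authorization header of web-server requests, flags Basic credentials carried over plain http, and tells an NTLM challenge-response token apart from a Kerberos/SPNEGO one. The request records, the user names and the passwords are constructed samples; the only format fact relied on is that NTLMSSP tokens begin with the signature "NTLMSSP\0" followed by a little-endian 32-bit message type at offset 8.

```python
import base64
import struct

# Constructed sample requests (not real captures) as an audit tool might read
# them from a proxy or web-server log. The NTLM token is a minimal Type 1
# (negotiate) message built here so that it is byte-accurate.
_NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16
SAMPLE_REQUESTS = [
    {"transport": "http", "headers": {"Authorization":
        "Basic " + base64.b64encode(b"CORP\\alice:Winter2005!").decode()}},
    {"transport": "https", "headers": {"Authorization":
        "Basic " + base64.b64encode(b"bob:hunter2").decode()}},
    {"transport": "http", "headers": {"Authorization":
        "NTLM " + base64.b64encode(_NTLM_TYPE1).decode()}},
    {"transport": "http", "headers": {}},
]


def classify_auth(request):
    """Return {"scheme", "finding", "detail"} for one request record."""
    auth = request["headers"].get("Authorization")
    if auth is None:
        return {"scheme": "none", "finding": "unauthenticated", "detail": ""}
    scheme, _, token = auth.partition(" ")
    name = scheme.lower()  # HTTP auth scheme names are case-insensitive
    if name == "basic":
        # Basic is only base64, so anyone on the path recovers the password
        # unless TLS protects the connection. Report the user, not the secret.
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        detail = f"user={user} password_len={len(password)}"
        finding = "ok_tls_protected" if request["transport"] == "https" \
            else "CLEARTEXT_CREDENTIALS"
        return {"scheme": "Basic", "finding": finding, "detail": detail}
    if name in ("ntlm", "negotiate"):
        raw = base64.b64decode(token)
        if raw.startswith(b"NTLMSSP\x00"):
            msg_type = struct.unpack_from("<I", raw, 8)[0]  # 1, 2 or 3
            return {"scheme": scheme, "finding": "ntlm_challenge_response",
                    "detail": f"ntlmssp_message_type={msg_type}"}
        # Anything else under Negotiate is a SPNEGO/Kerberos token: the
        # password itself never crosses the wire, only a ticket does.
        return {"scheme": scheme, "finding": "kerberos_or_spnego", "detail": ""}
    return {"scheme": scheme, "finding": "unrecognized_scheme", "detail": ""}


def audit(requests):
    """Classify every request; callers can alert on CLEARTEXT_CREDENTIALS."""
    return [classify_auth(r) for r in requests]


if __name__ == "__main__":
    for row in audit(SAMPLE_REQUESTS):
        print(row)
```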
-----Original Message-----
From: Roman L. Daszczyszak II [mailto:romandas@gmail.com]
Sent: Thursday, March 10, 2005 3:57 PM
To: focus-ms@securityfocus.com
Subject: Basic question
Does anyone have a good reference on the differences between LanMan,
NTLM, NTLMv2 and Kerberos? Also, is there any restriction on the length
of a password used across a network/LAN for authentication? I'm aware
in NT/2K/XP/2003 the max length of a password is 127 characters, but am
curious if this is still true for network/domain authentication.
Lastly, I have heard (and would like confirmation/denial) that
authenticating to a domain-based machine from a machine outside the
domain causes an otherwise normally encrypted password to be sent
cleartext when authenticating with an IIS server. Can anyone point me
to references about this?
Thank you for any information y'all can provide.
Roman