RE: Basic question

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 03/15/05

  • Next message: Mason, Samuel: "RE: CONTENT FILTERING"
    Date: Mon, 14 Mar 2005 21:14:18 -0500
    To: "'Roman L. Daszczyszak II'" <romandas@gmail.com>, <focus-ms@securityfocus.com>
    
    

    Inline. :-)

    > Does anyone have a good reference on the differences between
    > LanMan, NTLM, NTLMv2 and Kerberos?

    These are a good start:

    http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx#EEAA

http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp

    http://www.isi.edu/gost/brian/security/kerberos.html

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/ens/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RASS_MSCHAPv2.asp
    (click around on the other protocols in the navigation pane; the links are
    refusing to copy to my clipboard. <G>)

    I can give you a bazillion or so more, so let me know if you want additional
    links. I also have a couple of documents that I wrote about Kerberos (very,
    erm, goofy analogies but still technically accurate), and I can probably dig
    'em up if you need them. I suspect the above will probably give you plenty,
    however.

    > Also, is there any
    > restriction on the length of a password used across a
    > network/LAN for authentication?

    In which operating systems? In another reply, I addressed much of this, but
    if there's a specific set of operating systems you're referencing, we can
    dig in a little deeper. For example, DOS obviously has "issues". ;-)

    > I'm aware in NT/2K/XP/2003
    > the max length of a password is 127 characters, but am
    > curious if this is still true for network/domain authentication.

    Are you asking if these long passwords work across the network for
    authentication? If so, then yes. I have tested 127 character passwords for
    both VPN and interactive logon, from machines that were in the domain and
    from machines that were not in the domain (in the case of the VPN). One
    thing, however: the Remote Desktops UI "sticks" at 96 characters, in my
    experience. Again, the 127 character password works just fine, but not when
    used from the Remote Desktops MMC. This could just be a glitch in my
    experience, but that is my experience, nonetheless.

    > Lastly, I have heard (and would like confirmation/denial)
    > that authenticating to a domain-based machine from a machine
    > outside the domain causes an otherwise normally encrypted
    > password to be sent cleartext when authenticating with an IIS
    > server.

    Absolutely not. What you were most likely told was a misunderstanding on
    somebody's part of the following:

    If you are connecting to a RAS server that is not a member of a domain, or
    to a third-party RAS device, because these machines cannot "do" domain
    authentication, then in order to authenticate via those RAS servers using
    CHAP, you would need to enable reversible encryption so that the RAS server
    could decrypt your password. Reversibly-encrypted passwords are not stored
    in clear text, but because they are _reversible_, they are trivial to
    attack. If you're enabling reversible encryption at the domain level, those
    reversible hashes are also stored on the DC, which is a big ouch for obvious
    reasons.

    I can assure you, you can have a workstation that is not a member of a
    domain and use that workstation to VPN in without needing to enable
    reversible encryption, and without needing to use CHAP. I just re-tested to
    make sure I wasn't misremembering, in fact. :-) You can VPN from a workgroup
    laptop to a domain RAS server using MS-CHAPv2 with no problems at all. (I
    assume you could also use MS-CHAP or even CHAP, but why would you want to?
    :-) )

    > Can anyone point me to references about this?

    Well, I've seen various articles that could have been the source of the
    misunderstanding on the part of whoever gave you the information that you
    mentioned, but I'm not sure that's what you seek. :-)

    HTH,

    Laura
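
The point above about reversible encryption is worth checking for in your own domain: the setting can be switched on in the default domain policy, in a fine-grained password policy, or per account, and any of the three leaves reversibly-encrypted passwords on the DC. The script below is an added example, not code from the original post; it uses the RSAT ActiveDirectory module cmdlets Get-ADDefaultDomainPasswordPolicy, Get-ADFineGrainedPasswordPolicy and Get-ADUser, and assumes the caller has read access to the domain. The per-account check uses the userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) via the LDAP bitwise-AND matching rule.

```powershell
# Added example (not from the original post): audit where "Store passwords
# using reversible encryption" is enabled in an AD domain.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionExposure {
    [CmdletBinding()]
    param()

    # 1. Domain-wide default (the Default Domain Policy setting).
    $default = Get-ADDefaultDomainPasswordPolicy
    [PSCustomObject]@{
        Scope   = 'DefaultDomainPolicy'
        Name    = $default.DistinguishedName
        Enabled = [bool]$default.ReversibleEncryptionEnabled
    }

    # 2. Fine-grained password policies (PSOs) can re-enable it for
    #    specific groups even when the default policy has it off.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        [PSCustomObject]@{
            Scope   = 'FineGrainedPolicy'
            Name    = $pso.Name
            Enabled = [bool]$pso.ReversibleEncryptionEnabled
        }
    }

    # 3. Per-account flag: userAccountControl bit 0x80 (decimal 128),
    #    ENCRYPTED_TEXT_PWD_ALLOWED. The OID below is the LDAP
    #    bitwise-AND matching rule, so this matches any account with
    #    that bit set regardless of the other bits.
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
        ForEach-Object {
            [PSCustomObject]@{
                Scope   = 'Account'
                Name    = $_.SamAccountName
                Enabled = $true
            }
        }
}

# Usage: show only the scopes where the setting is actually on.
Get-ReversibleEncryptionExposure |
    Where-Object { $_.Enabled } |
    Format-Table -AutoSize
```

Anything this reports as Enabled should be justified by a concrete need (such as the non-domain CHAP RAS scenario Laura describes); otherwise the fix is to clear the setting and have the affected users change their passwords, since a password stored while the flag was on stays reversible until it is changed.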


