RE: Kerberos and NTLM Authentication protocol
From: David Schenz (schenz.9_at_osu.edu)
Date: 11/11/04
- Previous message: LordInfidel_at_directionweb.com: "RE: Secure Remote access?"
- In reply to: . .: "Kerberos and NTLM Authentication protocol"
- Next in thread: Roger A. Grimes: "RE: Kerberos and NTLM Authentication protocol"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'. .'" <chirobado@hotmail.com>, <security-basics@securityfocus.com>
Date: Wed, 10 Nov 2004 21:35:18 -0500
Yes.
The theoretical reason, of course, is security in depth. First, NTLM is used
every day in a network, even in a Win2k+ domain with 2k+ clients, for
authentication to CIFS shares via IP address, authentication to websites
(depending on configuration), authentication when time differences are too
great for Kerberos, or cross-forest authentication (I think). A network is
not a static thing either. People bring in their own laptops and computers,
which in an ideal world would be running a so-called 'modern' OS.
Unfortunately, that ideal world is usually not the case. In larger
environments, the person who creates the GPO does not necessarily control
which computers are brought into a network. All of these scenarios
illustrate why LMCompatibility level needs to be set to NTLMv2 only.
HTH,
David
-----Original Message-----
From: . . [mailto:chirobado@hotmail.com]
Sent: Wednesday, November 10, 2004 5:33 PM
To: security-basics@securityfocus.com
Subject: Kerberos and NTLM Authentication protocol
In a domain with DC 2003 and clients all windows 2000 and XP:
* Is there any important reason to change the LMCompatibility level to
prevent using LM/NTLM and use only NTLMv2 on both clients and DCs?
As far as I know, in this environment, authentication against the DC is set
through Kerberos v5. Kerberos uses the NT hash, but no NTLM authentication
protocol at all.
If there is no case where the NTLM or LM authentication protocol is needed (it
would be needed just between clients, but there are no W9x or NT clients in the
network)... is there any reason to be "worried"?
Thanks.
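The setting both messages refer to is the LSA registry value LmCompatibilityLevel (plus NoLMHash, which stops LM hashes being stored). The following audit script is an added example, not code from either poster; it assumes it is run as an administrator on a Windows host with PowerShell, and the "weak"/"target" thresholds (anything below 3 still sends LM or NTLMv1 responses; 5 is what "NTLMv2 only" means here) are this example's own choice.

```powershell
# Added example (not from the thread): audit, and optionally raise, LmCompatibilityLevel.
# Assumes: run as an administrator; the documented LSA registry path and value meanings;
# the weak/target thresholds below are this example's choice, not a vendor default.
param(
    [switch]$Fix,       # apply the hardened values instead of only reporting
    [int]$Target = 5    # 5 = send NTLMv2 only, refuse LM and NTLM responses
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

# A missing value means the OS default applies; on the Windows 2000/XP clients in the
# thread that default still sends LM/NTLM responses, so treat "missing" as level 0.
$props    = Get-ItemProperty -Path $LsaKey
$level    = if ($null -ne $props.LmCompatibilityLevel) { [int]$props.LmCompatibilityLevel } else { 0 }
$noLmHash = if ($null -ne $props.NoLMHash) { [int]$props.NoLMHash } else { 0 }   # DWORD on XP/2003+

"LmCompatibilityLevel = $level ($($Meaning[$level]))"
"NoLMHash             = $noLmHash"

# Kerberos against the DC does not change this: whenever the host falls back to NTLM
# (share by IP address, clock skew, non-domain laptop) the level decides what it sends.
$findings = @()
if ($level -lt 3)       { $findings += "still sends LM/NTLMv1 responses (level $level)" }
if ($level -lt $Target) { $findings += "below target level $Target" }
if ($noLmHash -ne 1)    { $findings += "LM hashes still stored at next password change (NoLMHash=$noLmHash)" }

if ($findings.Count -eq 0) { "OK: level $level meets target $Target and LM hash storage is off"; return }
$findings | ForEach-Object { "FINDING: $_" }

if ($Fix) {
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Target -Type DWord
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
    "Applied LmCompatibilityLevel=$Target and NoLMHash=1 (existing LM hashes clear only at the next password change)"
}
```

Run it without `-Fix` first: raising the level on servers and DCs before every client sends NTLMv2 is exactly the mixed-network failure mode David describes, so audit the whole population before enforcing.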