RE: Kerberos and NTLM Authentication protocol
From: Roger A. Grimes (roger_at_banneretcs.com)
Date: 11/11/04
Date: Wed, 10 Nov 2004 23:02:47 -0500
To: ". ." <chirobado@hotmail.com>, <security-basics@securityfocus.com>
There is always a reason why something other than Kerberos must be used for Windows authentication. Kerberos can't be used for dozens of things, including: local logins, legacy trusts, Cluster authentication, anytime UDP RPC is used, RRAS logins, etc.
And you will always need local logins. Besides the local admin account, local logins are used by services and a myriad of other processes behind the scenes.
So, NTLMv2 (or NTLM or LM) can't not be used. It can't be turned off. Windows will always need a "legacy" auth protocol, so if it has to be used, making Windows use NTLMv2 instead of LM or NTLM is a good thing to do.
Roger
***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger@banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
****************************************************************************
-----Original Message-----
From: . . [mailto:chirobado@hotmail.com]
Sent: Wednesday, November 10, 2004 5:33 PM
To: security-basics@securityfocus.com
Subject: Kerberos and NTLM Authentication protocol
In a domain with a 2003 DC and clients that are all Windows 2000 and XP:
* Is there any important reason to change the LMCompatibility level to prevent using LM/NTLM and use only NTLMv2 on both clients and DCs?
As far as I know, in this environment, authentication against the DC is done through Kerberos v5. Kerberos uses the NT hash, but no NTLM authentication protocol at all.
If there is no case where the NTLM or LM authentication protocol is needed (it would be needed only between clients, but there are no W9x or NT clients in the network)... is there any reason to be "worried"?
Thanks.
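The setting both messages refer to is the LmCompatibilityLevel DWORD under the Lsa key (the registry side of the "Network security: LAN Manager authentication level" policy). The following PowerShell is an added example, not code from either poster: it audits the current level on a Windows host, maps it to its documented meaning, and raises it to NTLMv2-only, which is the "making Windows use NTLMv2 instead of LM or NTLM" step from Roger's reply. It assumes an elevated session on Windows XP/2003 or later; the function names Get-LmCompatibilityLevel and Set-NtlmV2Only are my own.

```powershell
# Added example (not from the original thread): audit and enforce the LAN Manager
# authentication level via the registry. Assumes an elevated PowerShell session.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meanings of LmCompatibilityLevel. Levels 4 and 5 only change behaviour
# on a domain controller (what it will accept); 0-3 control what a host sends.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; DC refuses LM'
    5 = 'Send NTLMv2 response only; DC refuses LM and NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured level, or $null when the value is absent and the
    # OS default applies (0 on Windows 2000/XP, 2 on Server 2003, 3 on Vista/2008+).
    $item = Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Set-NtlmV2Only {
    # Level 3 on members and clients; level 5 on DCs that should also refuse
    # LM and NTLMv1 responses from clients (hypothetical switch name).
    param([switch]$DomainController)
    $target = if ($DomainController) { 5 } else { 3 }
    Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value $target -Type DWord

    # Stop storing the LM hash for new passwords (XP/2003+ use this DWORD value;
    # Windows 2000 used a subkey named NoLMHash instead). Existing LM hashes
    # only disappear when each account next changes its password.
    Set-ItemProperty -Path $lsaKey -Name NoLMHash -Value 1 -Type DWord
}

$current = Get-LmCompatibilityLevel
if ($null -eq $current) {
    Write-Output 'LmCompatibilityLevel not set; OS default applies'
} else {
    Write-Output "LmCompatibilityLevel = $current ($($levels[$current]))"
}

if ($null -eq $current -or $current -lt 3) {
    Write-Warning 'Host can still send LM and/or NTLMv1 responses; raising to NTLMv2-only.'
    Set-NtlmV2Only
}
```

Two caveats a practitioner should keep in mind. Raising a DC to level 5 refuses LM and NTLMv1 from every client, so clients still at level 0-2 (or any Windows 9x box without the Directory Services Client) will fail to authenticate; roll the client setting out first, via Group Policy, and only then tighten the DCs. And, as Roger says, none of this turns NTLM off: local logons, service accounts, and IP-address or non-domain connections still use NTLM(v2), so the goal is NTLMv2 everywhere, not "Kerberos only".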