Re: NTLM through firewall?

From: Jeff Mallinger (jmallinger@lifeserv.com)
Date: 03/27/03


From: "Jeff Mallinger" <jmallinger@lifeserv.com>
Date: Wed, 26 Mar 2003 20:45:47 -0600


That brings an interesting question: if I were to then add HTTPS/SSL to my
site - and if I had both Basic & Chall/Response authentication turned on
(and anon access turned off) -- and still assuming that clients would
attempt NTLM first and then Basic -- would clients that were able to NTLM
authenticate send encrypted NTLM credentials... making that the most
secure method of authenticating? Or is it that once SSL encryption is
enabled, it wouldn't make a difference between NTLM hashing vs. clear
text?

-j

"x y, mvp" <levinson_k@despammed.com> wrote in message
news:OxNrtV88CHA.2308@TK2MSFTNGP11.phx.gbl...
> I concur that NTLM is not the best security choice for over the internet
> [unless maybe you are using VPN]. NTLM is not exactly clear text, but is
> not solidly encrypted either. Better choice across the network is Basic
> with HTTPS / SSL. The bonus is that this latter setup will work with
> other browsers and other OSes.
>
> "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> news:b5sjas$a1h31@kcweb01.netnews.att.com...
> > FWIW, Windows Integrated Authentication was really only intended for
> > (and works best in) an intranet environment where the client workstations
> > are directly logged on to the domain. I think the results you saw with
> > Win98 are directly related to the different way Win98 connects to Windows
> > domain networks (as opposed to more secure W2K/WXP clients).
>
>
>
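The question above, modelled as an added example (not code from the thread or from any of its posters): a small Python model of which scheme a client ends up using when the server offers both NTLM and Basic, and what a passive observer on the wire would see with and without SSL. The client preference order (NTLM first, then Basic) is the assumption the poster states; the `require_tls_for_basic` flag, the realm string and the sample credential are assumptions constructed for the example.

```python
"""Model of the NTLM vs. Basic over HTTPS question from the thread.

The challenge strings and credential below are constructed for this example.
Client preference (NTLM first, then Basic) is the assumption made in the post;
require_tls_for_basic is a hardening choice assumed here, not an IIS setting.
"""
import base64


def server_challenges(basic_enabled, ntlm_enabled, anon_enabled, over_tls,
                      require_tls_for_basic=True):
    """Return the WWW-Authenticate challenges the server would offer.

    With anonymous access on, no challenge is sent at all. With
    require_tls_for_basic, Basic is withheld on plain HTTP so a client that
    cannot do NTLM never falls back to sending a clear-text password.
    """
    if anon_enabled:
        return []
    offered = []
    if ntlm_enabled:
        offered.append("NTLM")
    if basic_enabled and (over_tls or not require_tls_for_basic):
        offered.append('Basic realm="example"')  # realm value is constructed
    return offered


def client_choice(challenges, preference=("NTLM", "Basic")):
    """Pick the scheme a client would use, trying NTLM before Basic."""
    schemes = [c.split(" ", 1)[0] for c in challenges]
    for pref in preference:
        if pref in schemes:
            return pref
    return None


def decode_basic(authorization):
    """Show why Basic is clear text: base64 is an encoding, not encryption."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def observer_view(scheme, over_tls):
    """What a passive network observer sees for the chosen scheme."""
    if scheme is None:
        return "no credentials sent"
    if over_tls:
        # Both schemes ride inside the TLS session; the difference between
        # NTLM hashing and clear text is invisible to a passive observer.
        return "TLS-encrypted; credentials not visible on the wire"
    if scheme == "Basic":
        return "clear-text password (base64 only)"
    if scheme == "NTLM":
        return "challenge/response visible; not clear text, not strongly protected"
    return "unknown scheme"


if __name__ == "__main__":
    for tls in (False, True):
        offered = server_challenges(basic_enabled=True, ntlm_enabled=True,
                                    anon_enabled=False, over_tls=tls)
        chosen = client_choice(offered)
        print(f"tls={tls} offered={offered} chosen={chosen} -> "
              f"{observer_view(chosen, tls)}")
    # constructed sample header: user 'alice', password 's3cret'
    print(decode_basic("Basic YWxpY2U6czNjcmV0"))
```

Running the block prints one line per transport, showing that a client able to do NTLM never reaches Basic in either case, and that on plain HTTP the hardened server withholds Basic entirely, which is the practical answer to the "once SSL is enabled" part of the question: the transport, not the scheme, is what hides the credential from the network.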


