Re: NTLM on Native Domain

From: S. Pidgorny [MVP] (slavickp@yahoo.com)
Date: 04/01/03


From: "S. Pidgorny [MVP]" <slavickp@yahoo.com>
Date: Tue, 1 Apr 2003 22:10:03 +1000


I'm not sure what part of documentation states that you can disable NTLM -
you can (and should) disable LM and NTLMv1, but you can't get rid of NTLM
whatsoever (make oldish Windows compatible with NTLMv2 - see KB article
239869). Maybe the doco means that in native mode trusts between domains
within forest are Kerberos-based.

Also, the good news is that you don't have to enable anything but Kerberos on
the firewall if you have some internally (see
http://www.microsoft.com/windows2000/docs/adsegmented.doc for the MS approach to
network segmentation - I use a different approach).

-- 
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-
"Peter K." <pmkdatabase@yahoo.ca> wrote in message
news:su7g8vk3958autt8e7vvluhr6mq9dglcos@4ax.com...
> Hi Svyatoslav,
>
> Thanks for the prompt reply.
>
> I will do as suggested, but I am curious - why this statement in the
> help docs? Is it an oversimplification? Is it that NTLM is not used in
> certain ways that it is in a mixed mode domain, but still used in
> others? If so, where can I find out more (either Internet or books?)
>
> Peter
>
>
> On Mon, 31 Mar 2003 19:46:50 +1000, "S. Pidgorny [MVP]"
> <slavickp@yahoo.com> wrote:
>
> >Peter, NTLM is still enabled in native AD mode - and you can't disable it.
> >Restrict NTLM use to NTLMv2, use firewalls and IPsec to further restrict
> >unauthorised access to your network.
> >
> >-- 
> >Svyatoslav Pidgorny, MS MVP, MCSE
> >-= F1 is the key =-
> >
> >"Peter K." <pmkdatabase@yahoo.ca> wrote in message
> >news:9lqf8v0r1fe70iu83ljti5gvdmhctume04@4ax.com...
> >> Hi,
> >>
> >> I have a native W2K domain. My event log shows many attempted logons
> >> every day as follows below. These are not from my users.
> >>
> >> My understanding of this quote from the help system is that NTLM is
> >> now disabled on my DCs.
> >>
> >> "If you do not have a mixed-mode network, you can disable NTLM
> >> authentication by switching to native mode at a domain controller"
>
>
> Peter
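The practical step in this thread (keep NTLM, but stop sending or accepting LM and NTLMv1) is the LAN Manager authentication level that KB 239869 describes, stored as the `LmCompatibilityLevel` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`. The script below is an added example, not code from this thread or from Microsoft: it reads the current level, explains what it means, and optionally raises it. The registry path, value name and the meaning of levels 0 to 5 are the documented ones; the `$MinimumLevel` default and the `-Enforce` switch are this script's own conventions.

```powershell
# Added example (not from the thread): audit the LAN Manager authentication
# level and optionally raise it so the machine sends only NTLMv2 and, at
# level 5, refuses LM and NTLMv1 responses from clients. NTLM (v2) itself
# stays enabled, which is the point made in the thread above.
param(
    [ValidateRange(0, 5)] [int] $MinimumLevel = 5,   # script's own default
    [switch] $Enforce                                  # without it, audit only
)

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

# A missing value means the OS default applies. On Windows 2000 that default
# is 0, i.e. LM and NTLMv1 responses are both sent and accepted.
$item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
if ($null -eq $item) {
    $current = $null
    Write-Output 'LmCompatibilityLevel is not set; the OS default applies (LM/NTLMv1 likely accepted).'
} else {
    $current = [int]$item.LmCompatibilityLevel
    Write-Output ('LmCompatibilityLevel = {0} : {1}' -f $current, $Meaning[$current])
}

$tooWeak = ($null -eq $current) -or ($current -lt $MinimumLevel)
if (-not $tooWeak) {
    Write-Output "OK: at or above the required level $MinimumLevel."
    return
}

# Raising the level breaks clients that can only speak LM/NTLMv1 (pre-NTLMv2
# Windows 9x/NT4 without the KB 239869 update), so report first and change
# only when explicitly asked to.
Write-Warning "Below required level $MinimumLevel; LM and/or NTLMv1 may still be in use."
if ($Enforce) {
    Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $MinimumLevel -Type DWord
    Write-Output "Set LmCompatibilityLevel to $MinimumLevel ($($Meaning[$MinimumLevel])). Reboot to apply to all services."
}
```

Run it without parameters from an elevated prompt to see where a machine stands; `.\lmlevel.ps1 -Enforce` writes the value. On a domain it is normally pushed through Group Policy (Security Options, "LAN Manager authentication level") rather than by script, but the registry value is what the policy ends up setting, so the audit half is still the quickest way to check a single DC or member server.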

