Re: NTLMv2 vs. Kerberos (Sorry about the similarity)

From: GX (none_at_none.com)
Date: 03/26/04


Date: Fri, 26 Mar 2004 18:15:27 GMT

Steve,

Thanks a lot for the info...

A couple of points to see if we can tune the noise of the answer...

VPN - via cisco solution, then rdp to specific workstations. Only IT
personnel has VPN access. No RAS enabled.

Servers - All W2K and W2K3
Clients - All WinXP PRO

What level would be my best bet?
"Steven L Umbach" <sumbach@N0spam.ameritech.net> wrote in message
news:#qAcsv0EEHA.1456@TK2MSFTNGP09.phx.gbl...
> Kerberos is the default for W2K and is what will be attempted first for
> authentication with W2K/XP Pro/W2003 domain member machines. Authentication
> can however fall back to lm/ntlm/ntlmv2 if kerberos can not be used for some
> reason, including using IP address instead of host name to access a share or
> if there is a time skew greater than five minutes between computers. If you
> have auditing of account logon and/or logon events enabled for the domain
> controllers, you will see if kerberos is used or not.
>
> The security option for lanmanager authentication level is generally
> configured for compatibility with downlevel [W9X/NT4.0] clients. You really
> want to avoid lm as it is very weak [even to hash sniffing] and also disable
> lm hash storage on your domain controllers and even domain members if not
> needed for W9X clients. W9X clients use lm by default, but installing the
> Directory Services Client on them will allow them to authenticate to the
> domain with ntlmv2. Of course domain controllers should be secured to the
> point where physical access to an attacker would be very difficult.
>
> Generally it is a good idea to configure lan manager authentication level
> for the domain and on domain controllers via Domain Controller Security
> Policy to be at least "send ntlmv2 responses only" and if you have no
> downlevel clients then at least "send ntlmv2 - refuse lm" for Domain
> Controller Security policy. Ntlmv2 is by far the strongest of the older
> authentication methods and all W2K/XP Pro/W2003 machines can use it if need
> be, such as in a workgroup environment. The most secure setting "send
> ntlmv2 - refuse lm and ntlm" can cause problems even with all W2K computers
> in certain situations such as on a W2K ras server where vpn clients may be
> unable to authenticate, so use that setting carefully. See the links below
> for more information on configuring the settings for lan manager
> authentication level. When you read the descriptions, keep in mind that they
> have different meanings depending if the computer is acting as a client or a
> server. --- Steve
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/576.asp
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- read
> part 10. Excellent info.
>
> "GX" <none@none.com> wrote in message
> news:gLX8c.324196$B81.4701995@twister.tampabay.rr.com...
> > In a nutshell, what's the difference between these two settings?
> >
> > What would one do that the other won't?
> > I have native mode w2ksvrs. Which one should I select and why?
> >
> > Should I establish this on the Domain Security Policy or the Domain
> > Controller Security Policy level?
> >
> > Thanks a bunch.
> >
> > GX
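A way to check, on a given host, the two things Steve's reply turns on: the configured LAN Manager authentication level (and whether LM hash storage is off) and whether logons are actually using Kerberos rather than NTLM. This is an added example, not code from the thread; it assumes the standard LSA registry values LmCompatibilityLevel and NoLMHash and a modern Windows Security log (event ID 4624; the W2K/W2K3 systems in the thread logged 528/540 instead).

```powershell
# Added example, not from the thread: report the LAN Manager authentication level
# and LM-hash storage on this host, then tally which package recent logons used.
# Assumes the standard LSA values LmCompatibilityLevel / NoLMHash and a modern
# Windows Security log (event ID 4624; the W2K/W2K3 era logged 528/540 instead).
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of LmCompatibilityLevel 0-5. Steve's advice: at least 3 for the domain,
# at least 4 on domain controllers once no W9X/NT4 clients remain.
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only / refuse LM'
    5 = 'Send NTLMv2 response only / refuse LM & NTLM'
}

function Get-LmAuthPosture {
    param([int]$MinimumLevel = 3)
    $lsa   = Get-ItemProperty -Path $lsaPath
    $level = $lsa.LmCompatibilityLevel
    $noLm  = $lsa.NoLMHash
    # An absent value means the OS default applies; report it as 'not set'
    # and treat it as failing the check so it gets looked at explicitly.
    $levelText = if ($null -eq $level) { 'not set' } else { [int]$level }
    $meaning   = if ($null -eq $level) { 'OS default' } else { $levelNames[[int]$level] }
    [pscustomobject]@{
        LmCompatibilityLevel = $levelText
        Meaning              = $meaning
        MeetsMinimum         = ($null -ne $level -and [int]$level -ge $MinimumLevel)
        LmHashStorageOff     = ($null -ne $noLm -and [int]$noLm -eq 1)
    }
}

function Get-LogonPackageTally {
    param([int]$MaxEvents = 500)
    # 4624 = successful logon; AuthenticationPackageName says Kerberos or NTLM,
    # which is the check Steve describes for seeing whether Kerberos is in use.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'AuthenticationPackageName' }).'#text'
        } |
        Group-Object | Select-Object Name, Count
}

Get-LmAuthPosture -MinimumLevel 3 | Format-List
Get-LogonPackageTally | Format-Table -AutoSize
```

Reading the Security log needs an elevated session; on a domain controller, pass `-MinimumLevel 4` to match Steve's recommendation for DCs with no downlevel clients.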
