Re: NTLMv2 vs. Kerberos (Sorry about the similarity)
From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 03/26/04
- Next message: Albert Godfrind: "NT AUTHORITY/SYSTEM vs AUTORITE NT/SYSTEM"
- Previous message: Oli Restorick [MVP]: "Re: SQL DBA Permissions"
- In reply to: GX: "Re: NTLMv2 vs. Kerberos (Sorry about the similarity)"
- Next in thread: GX: "Re: NTLMv2 vs. Kerberos (Sorry about the similarity)"
- Reply: GX: "Re: NTLMv2 vs. Kerberos (Sorry about the similarity)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 26 Mar 2004 12:42:13 -0600
In your situation you could go with at least "send ntlmv2 - refuse lm" for
domain and domain controller security policy and very probably the highest
setting of "send ntlmv2 - refuse lm and ntlm". Kerberos should be used
pretty much all the time on your network anyhow. If you go with the "send
ntlmv2 - refuse lm and ntlm" just let people who should be aware know in case a
problem pops up, which typically would be a user entering their correct
credentials somewhere and either being denied access or the credential
screen just does not accept what you enter when you know name/password are
correct, which I experienced on a ras server. See the link to the Windows
2000 Security Hardening Guide below for their recommendations on the lan
manager authentication level settings, which pretty much also indicate you
can use the most secure setting or number "5" as it is referred to
there. --- Steve
http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx
"GX" <none@none.com> wrote in message
news:3r_8c.326014$B81.4714510@twister.tampabay.rr.com...
> Steve,
>
> Thanks a lot for the info...
>
> a couple of points to see if we can tune the noise of the answer...
>
> VPN - via cisco solution, then rdp to specific workstations. Only IT
> personnel has VPN access. No RAS enabled.
>
> Servers - All W2K and W2K3
> Clients - All WinXP PRO
>
> What level would be my best bet?
> "Steven L Umbach" <sumbach@N0spam.ameritech.net> wrote in message
> news:#qAcsv0EEHA.1456@TK2MSFTNGP09.phx.gbl...
> > Kerberos is the default for W2K and is what will be attempted first for
> > authentication with W2K/XP Pro/W2003 domain member machines.
> > Authentication can however fall back to lm/ntlm/ntlmv2 if kerberos can
> > not be used for some reason, including using IP address instead of host
> > name to access a share, or if there is a time skew greater than five
> > minutes between computers. If you have auditing of account logon and/or
> > logon events enabled for the domain controllers, you will see if kerberos
> > is used or not.
> >
> > The security option for lanmanager authentication level is generally
> > configured for compatibility with downlevel [W9X/NT4.0] clients. You
> > really want to avoid lm as it is very weak [even to hash sniffing] and
> > also disable lm hash storage on your domain controllers and even domain
> > members if not needed for W9X clients. W9X clients use lm by default, but
> > installing the Directory Services Client on them will allow them to
> > authenticate to the domain with ntlmv2. Of course domain controllers
> > should be secured to the point where physical access to an attacker would
> > be very difficult.
> >
> > Generally it is a good idea to configure lan manager authentication level
> > for the domain and on domain controllers via Domain Controller Security
> > Policy to be at least "send ntlmv2 responses only" and if you have no
> > downlevel clients then at least "send ntlmv2 - refuse lm" for Domain
> > Controller Security policy. Ntlmv2 is by far the strongest of the older
> > authentication methods and all W2K/XP Pro/W2003 machines can use it if
> > need be, such as in a workgroup environment. The most secure setting "send
> > ntlmv2 - refuse lm and ntlm" can cause problems even with all W2K
> > computers in certain situations, such as on a W2K ras server where vpn
> > clients may be unable to authenticate, so use that setting carefully. See
> > the links below for more information on configuring the settings for lan
> > manager authentication level. When you read the descriptions, keep in
> > mind that they have different meanings depending on whether the computer
> > is acting as a client or a server. --- Steve
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/576.asp
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- read
> > part 10. Excellent info.
> >
> > "GX" <none@none.com> wrote in message
> > news:gLX8c.324196$B81.4701995@twister.tampabay.rr.com...
> > > In a nutshell, what's the difference between these two settings?
> > >
> > > What would one do that the other wont?
> > > I have native mode w2ksvrs. Which one should I select and why?
> > >
> > > Should I establish this on the Domain Security Policy or the Domain
> > > Controller Security Policy level?
> > >
> > > Thanks a bunch.
> > >
> > > GX
> > >
> > >
> >
> >
> >
>
>
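The thread refers to the LAN Manager authentication level by its policy names and by the number "5", and advises watching the audit log to see whether Kerberos or NTLM is actually being used. The script below is an added example, not code from the thread or from Microsoft: it reads the effective LmCompatibilityLevel and NoLMHash settings from the local registry (the values the policy writes, under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), maps the number 0-5 to the policy names with the client-side "send" and server-side "refuse" meaning spelled out, flags whether the host meets the "send ntlmv2 - refuse lm" or higher recommendation with LM hash storage disabled, and summarises recent logons by authentication package. It assumes a modern Windows host (Vista/2008 or later) for the 4624 event ID and its AuthenticationPackageName/LmPackageName fields; the Windows 2000/XP hosts in the thread log the equivalent information in events 528/540, which the script does not parse.

```powershell
# Added example (not from the original thread): audit the LAN Manager
# authentication level and LM hash storage on the local host, then count
# recent logons by authentication package so you can see whether Kerberos
# or NTLM (and which NTLM version) is actually in use.
# Assumption: modern Windows (Vista/2008+) event ID 4624 and field names.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of LmCompatibilityLevel 0..5. The same number has two meanings:
# "send" describes the host when it is a client, "refuse" describes it
# when it is a server (domain controller, file server, RAS server).
$levels = @{
    0 = 'Send LM & NTLM responses (as server: accept LM, NTLM, NTLMv2)'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated (as server: accept all)'
    2 = 'Send NTLM response only (as server: accept LM, NTLM, NTLMv2)'
    3 = 'Send NTLMv2 response only (as server: accept LM, NTLM, NTLMv2)'
    4 = 'Send NTLMv2 response only, refuse LM (as server)'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM (as server)'
}

function Get-LmAuthPolicy {
    $key = Get-ItemProperty -Path $lsa
    # Value absent means the OS default; Windows 2000/XP default to 0.
    $lvl = if ($null -ne $key.LmCompatibilityLevel) { [int]$key.LmCompatibilityLevel } else { 0 }
    # NoLMHash is a DWORD on XP/2003 and later; on Windows 2000 it is a
    # subkey named NoLMHash under Lsa, so test for both forms.
    $noLm = ([int]$key.NoLMHash -eq 1) -or (Test-Path "$lsa\NoLMHash")
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        LmCompatibilityLevel  = $lvl
        Meaning               = $levels[$lvl]
        LmHashStorageDisabled = $noLm
        # "send ntlmv2 - refuse lm" (4) or higher, and no LM hashes stored
        MeetsRecommendation   = ($lvl -ge 4 -and $noLm)
    }
}

function Get-LogonPackageSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 4624 = successful logon. AuthenticationPackageName is Kerberos, NTLM or
    # Negotiate; LmPackageName distinguishes "NTLM V1" from "NTLM V2" ("-" when
    # the package was not NTLM).
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624; StartTime = $since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $pkg  = ($data | Where-Object Name -eq 'AuthenticationPackageName').'#text'
            $lm   = ($data | Where-Object Name -eq 'LmPackageName').'#text'
            "$pkg / $lm"
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Package / LmPackage'; e = { $_.Name } }, Count
}

Get-LmAuthPolicy | Format-List
Get-LogonPackageSummary -Hours 24 | Format-Table -AutoSize
```

Run it on a domain controller (elevated, so the Security log is readable) before raising the level to 5: any remaining "NTLM / NTLM V1" rows identify clients that would be refused, which is exactly the RAS/VPN breakage the thread warns about. The registry value shown is the effective one, so it reflects whatever Domain or Domain Controller Security Policy last applied.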