Re: NTLMv2 vs. Kerberos (Sorry about the similarity)

From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 03/27/04


Date: Sat, 27 Mar 2004 14:40:44 -0000

Steven,

Thanks. Some great info there.

Oli

"Steven L Umbach" <sumbach@N0spam.ameritech.net> wrote in message
news:uoUIYG3EEHA.4080@TK2MSFTNGP09.phx.gbl...
> You would need to use something like LC4 or perhaps a network sniffer like
> Ethereal to capture authentication packets. At the very least you should
> change domain and domain controller policy to "send ntlmv2 responses only"
> and then the only way you would have lm on your network is if you had a
> W9X computer trying to access resources. Even in default security option
> settings the W2K/XP/w2003 computers will be using nothing less secure than
> ntlm on a network such as yours that does not have any W9X clients and
> downlevel authentication should be used rarely anyhow if only domain
> accounts are used to access resources. Enable auditing of account logons
> for your domain controllers and I bet you see everything being
> authenticated via kerberos for the W2K/XP/W2003 machines. --- Steve
>
>
> "GX" <none@none.com> wrote in message
> news:dn%8c.326741$B81.4721890@twister.tampabay.rr.com...
> > awesome...thanks a lot...
> >
> > you mentioned earlier...
> >
> > > You really want to avoid lm as it is very weak [even to hash
> > > sniffing] and also disable lm hash storage on your domain controllers
> > > and even domain members if not needed for W9X clients.
> >
> > What would be a good way to determine that this is happening? I would
> > like to be able to justify the setting change. Is there any tool I can
> > use to test this transmission between workstations or workstation and
> > server?
> >
> > Thanks.
> >
> > GX
> >
> >
>
>
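The checks Steve describes (set the LAN Manager authentication level to NTLMv2 only, turn off LM hash storage, then audit account logons and see what is really being used) can be done from one PowerShell script. This is an added example, not code from anyone in the thread. It assumes an elevated PowerShell on Windows Vista/Server 2008 or later with English event text, since the event IDs it reads (4624, 4768, 4776) and the "Package Name (NTLM only)" field replaced the Windows 2000/2003-era IDs; run it on a domain controller to see the whole domain's logons rather than one host's.

```powershell
# Added example, not from the thread above. Checks the two settings Steve
# recommends (LAN Manager authentication level, LM hash storage) and then
# tallies the authentication packages that actually appear in the Security
# log, which is the "audit account logons and look" approach he describes.
# Assumptions: elevated PowerShell on Windows Vista/2008 or later with
# English event messages (the 4624/4768/4776 IDs used here replaced the
# 2000/2003-era IDs), on a DC if you want the whole domain's logons.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Registry form of the security option "Network security: LAN Manager
# authentication level". Anything below 3 can still send LM responses.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmSettings {
    $lsa = Get-ItemProperty -Path $LsaKey
    $level = $lsa.LmCompatibilityLevel   # $null when the policy has never been set
    $noLmHash = $lsa.NoLMHash            # 1 = stop storing LM hashes at next password change

    if ($null -eq $level) {
        Write-Output 'LmCompatibilityLevel : not set (OS default applies; confirm with gpresult /r)'
    } else {
        Write-Output ('LmCompatibilityLevel : {0} ({1})' -f $level, $LevelNames[[int]$level])
        if ([int]$level -lt 3) {
            Write-Warning 'Level below 3: this host can still send LM responses. Use 3 or higher.'
        }
    }

    if ($noLmHash -eq 1) {
        Write-Output 'NoLMHash             : 1 (LM hashes are not stored)'
    } else {
        Write-Warning 'NoLMHash is not 1: LM hashes are still stored when passwords change.'
    }
}

function Get-AuthPackageTally {
    param([int]$MaxEvents = 2000)

    # Event 4624 (successful logon) names the authentication package
    # (Kerberos, NTLM, Negotiate) and, for NTLM, the exact variant in
    # "Package Name (NTLM only)": LM, NTLM V1 or NTLM V2. That field is
    # where LM use shows up without needing a sniffer.
    try {
        $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        Write-Warning "Could not read 4624 events: $($_.Exception.Message)"
        return
    }

    $tally = @{}
    foreach ($e in $logons) {
        $auth = if ($e.Message -match 'Authentication Package:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
        $pkg  = if ($e.Message -match 'Package Name \(NTLM only\):\s*([^\r\n]+)') { $Matches[1].Trim() } else { '-' }
        $key  = '{0} / {1}' -f $auth, $pkg
        $tally[$key] = 1 + [int]$tally[$key]
    }

    $tally.GetEnumerator() | Sort-Object Value -Descending |
        Format-Table @{ n = 'Auth package / NTLM variant'; e = { $_.Name } }, @{ n = 'Logons'; e = { $_.Value } } -AutoSize

    if ($tally.Keys | Where-Object { $_ -match '/ LM$' }) {
        Write-Warning 'LM responses seen: find the client in the 4624 "Workstation Name" field.'
    }

    # On a DC, 4768 (Kerberos TGT request) vs 4776 (NTLM credential validation)
    # gives the Kerberos-versus-NTLM ratio Steve expects to be mostly Kerberos.
    foreach ($id in 4768, 4776) {
        $n = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue).Count
        Write-Output ('Event {0}: {1} (of at most {2} examined)' -f $id, $n, $MaxEvents)
    }
}

Get-LmSettings
Get-AuthPackageTally
```

The registry check answers "is the setting in place", the event tally answers GX's question of whether LM is actually being used: any row ending in "/ LM" is a client still sending LM responses, and its "Workstation Name" in the same 4624 event tells you which one (typically the W9X or other downlevel box Steve mentions). Both checks need the account logon and logon audit categories enabled, otherwise the Security log simply has no 4624/4768/4776 events to count.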


