Re: Does eliminating NetBios kill NTLMv2?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/05/04


Date: Fri, 05 Nov 2004 22:51:55 GMT

Disabling netbios over tcp/ip does not eliminate downlevel authentication.
You can verify that by disabling it on a domain controller and then using
\\xxx.xxx.xxx.xxx\sysvol to connect to the sysvol share using its IP
address instead of name and look in the security log of the domain
controller to see the authentication method used. You can control/manage
authentication methods used in the domain with the lan manager
authentication level security option in Domain and Domain Controller
Security Policy. W2K/XP Pro/W2003 domain computers will use kerberos by
default as long as the computer name is used instead of IP address and the
time on the computers is all within the default five minute skew which should
not be a problem with domain computers unless you have one that loses time
very rapidly as domain computers synch their time with the pdc fsmo in their
domain. By default domain computers are configured to use nt/ntlm only which
I would recommend changing to send ntlmv2 responses only unless you have W9X
computers in the domain offering shares to domain users that do not have the
Directory Services Client installed. --- Steve

"Jacques Koorts" <jkoorts@ccalimited.com> wrote in message
news:10onrinitpc4ued@corp.supernews.com...
> Read this in Mark Minasi's articles.
>
> <quote>I guess that's why shutting down NetBIOS made things faster, as
> eliminating NetBIOS kills LM, NTLM, and NTLMv2.</quote>
>
> So if you disable Netbios on your computer, your computer will use
> Kerberos?
> What OSes support Kerberos? Is this all auto?
>
> Here some more from the Article.
>
> <quote>I personally think that the LM "hole" is one that Microsoft should
> have plugged a long time ago through their defaults, but they haven't,
> probably because so many clients use Wintendo boxes. With hope we'll see LM
> just a bad memory soon, though. I urge you to seriously consider rolling
> out this change and let me close this by offering a performance incentive
> to go "all NTLMv2:" logons are faster. If you've ever read my pieces on how
> much faster NET USE commands become when you shut off NetBIOS, then you
> probably wondered why they got so much faster. I never knew either, but
> since shutting off NTLM and LM, I've noticed much, much snappier response
> from my NET USE commands. I still don't know why, but now I've got a guess:
> getting rid of NTLM and LM just plain simplified the logon process. As the
> clients and servers have fewer options, things just happen more quickly. I
> guess that's why shutting down NetBIOS made things faster, as eliminating
> NetBIOS kills LM, NTLM, and NTLMv2.</quote>
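The check Steve describes above (connect to SYSVOL once by name and once by IP address, then read the domain controller's Security log to see which package authenticated each logon), scripted as an added example; this is not code from the original thread. It assumes a domain-joined host running as an administrator, a DC that logs logon events as event ID 4624 (Windows Server 2008 and later; the W2K/W2003 systems discussed in the thread log the same "Authentication Package" field under event 540 instead), and that the "LAN Manager authentication level" policy is stored in the LmCompatibilityLevel registry value. The DC name and IP address are placeholders.

```powershell
# Added example, not from the original post. Placeholders: replace with a real DC.
$dc   = 'dc1.corp.example'   # assumption: DC host name resolvable from this machine
$dcIp = '10.0.0.10'          # assumption: that DC's IP address

# How the "LAN Manager authentication level" security option is stored locally.
# The names match the policy drop-down; 3 is Steve's "send NTLMv2 responses only".
$levels = @{
  0 = 'Send LM & NTLM responses'
  1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
  2 = 'Send NTLM response only'
  3 = 'Send NTLMv2 response only'
  4 = 'Send NTLMv2 response only. Refuse LM'
  5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$lvl = $lsa.LmCompatibilityLevel
if ($null -eq $lvl) { "LmCompatibilityLevel not set; the OS default applies" }
else                { "LmCompatibilityLevel = $lvl ($($levels[[int]$lvl]))" }

# Reproduce the test: connect by name (Kerberos expected) and by IP (NTLM fallback expected).
$since = Get-Date
net use "\\$dc\sysvol"   | Out-Null
net use "\\$dcIp\sysvol" | Out-Null

# Pull network logons (type 3) recorded on the DC since the connections were made and
# read the package fields out of the event XML by name, so the column order does not matter.
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '3') {
      [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $d['TargetUserName']
        Workstation = $d['WorkstationName']
        Source      = $d['IpAddress']
        Package     = $d['AuthenticationPackageName']  # "Kerberos" or "NTLM"
        LmPackage   = $d['LmPackageName']              # "LM", "NTLM V1" or "NTLM V2" when NTLM was used; "-" for Kerberos
      }
    }
  } | Format-Table -AutoSize

# Tidy up the two connections.
net use "\\$dc\sysvol"   /delete | Out-Null
net use "\\$dcIp\sysvol" /delete | Out-Null
```

With NetBIOS over TCP/IP disabled on the DC you should still see the IP-address connection logged with Package "NTLM" (and the LmPackage column telling you whether it was LM, NTLMv1 or NTLMv2), which is the point of Steve's reply: turning off NetBIOS removes the transport, not the NTLM family, and only the LmCompatibilityLevel setting decides which response types the client will send.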