Re: Does eliminating NetBios kill NTLMv2?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/05/04


Date: Fri, 05 Nov 2004 22:51:55 GMT

Disabling NetBIOS over TCP/IP does not eliminate downlevel authentication.
You can verify that by disabling it on a domain controller and then using
\\xxx.xxx.xxx.xxx\sysvol to connect to the sysvol share using its IP
address instead of name, and looking in the security log of the domain
controller to see the authentication method used. You can control/manage
the authentication methods used in the domain with the "LAN Manager
authentication level" security option in Domain and Domain Controller
Security Policy. W2K/XP Pro/W2003 domain computers will use Kerberos by
default as long as the computer name is used instead of the IP address and
the time on the computers is all within the default five-minute skew, which
should not be a problem with domain computers unless you have one that loses
time very rapidly, as domain computers sync their time with the PDC FSMO in
their domain. By default domain computers are configured to use NT/NTLM
only, which I would recommend changing to "send NTLMv2 responses only"
unless you have W9X computers in the domain offering shares to domain users
that do not have the Directory Services Client installed. --- Steve

"Jacques Koorts" <jkoorts@ccalimited.com> wrote in message
news:10onrinitpc4ued@corp.supernews.com...
> Read this in Mark Minasi's articles.
>
> <quote>I guess that's why shutting down NetBIOS made things faster, as
> eliminating NetBIOS kills LM, NTLM, and NTLMv2.</quote>
>
> So if you disable NetBIOS on your computer, your computer will use
> Kerberos? What OSes support Kerberos? Is this all auto?
>
> Here is some more from the article.
>
> <quote>I personally think that the LM "hole" is one that Microsoft should
> have plugged a long time ago through their defaults, but they haven't,
> probably because so many clients use Wintendo boxes. With hope we'll see
> LM just a bad memory soon, though. I urge you to seriously consider rolling
> out this change and let me close this by offering a performance incentive
> to go "all NTLMv2:" logons are faster. If you've ever read my pieces on how
> much faster NET USE commands become when you shut off NetBIOS, then you
> probably wondered why they got so much faster. I never knew either, but
> since shutting off NTLM and LM, I've noticed much, much snappier response
> from my NET USE commands. I still don't know why, but now I've got a guess:
> getting rid of NTLM and LM just plain simplified the logon process. As the
> clients and servers have fewer options, things just happen more quickly. I
> guess that's why shutting down NetBIOS made things faster, as eliminating
> NetBIOS kills LM, NTLM, and NTLMv2.</quote>
>
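An added example, not part of Steve's post or the quoted article, of the check he describes: read the LAN Manager authentication level a host enforces (the LmCompatibilityLevel registry value behind the "LAN Manager authentication level" policy), tally recent network logons in the Security log by authentication package so that NTLM v1/v2 logons stand out from Kerberos ones, and compare the clock against the logon DC for the five-minute Kerberos skew. It assumes Windows Vista/Server 2008 or later, where a successful logon is event 4624 and carries an LmPackageName field (the W2K/W2003 hosts in the thread logged 528/540 instead), and that it runs elevated on the domain controller. The function names are mine.

```powershell
# Added example (not from the original thread). Audits which authentication
# methods a Windows host is actually accepting and what LM level it enforces.
# Assumes Windows Vista / Server 2008 or later (event ID 4624) and an
# elevated session, ideally on the domain controller being checked.

# Meaning of each "Network security: LAN Manager authentication level" value,
# stored as LmCompatibilityLevel under the Lsa key. Steve's recommendation,
# "send NTLMv2 response only", is level 3; 5 also refuses LM and NTLM inbound.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel
    [pscustomobject]@{
        Level   = $value
        Meaning = if ($null -ne $value) { $LmLevels[[int]$value] }
                  else { 'Not configured (OS default applies; Vista/2008 and later default to 3)' }
    }
}

function Get-NetworkLogonAuth {
    param([int]$MaxEvents = 2000)
    # 4624 = successful logon. Logon type 3 is a network logon, which is what
    # an SMB connection to \\dc\sysvol produces. AuthenticationPackageName is
    # Kerberos or NTLM; for NTLM, LmPackageName says 'NTLM V1', 'NTLM V2' or 'LM'.
    $filter = @{ LogName = 'Security'; Id = 4624 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
                -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -ne '3') { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source    = $data['IpAddress']
            Package   = $data['AuthenticationPackageName']
            LmPackage = $data['LmPackageName']   # '-' for Kerberos logons
        }
    }
}

function Test-KerberosClockSkew {
    # Kerberos tolerates five minutes of skew by default. Compare this host
    # against its logon DC; %LOGONSERVER% is of the form \\DCNAME.
    $dc = $env:LOGONSERVER.TrimStart('\')
    w32tm /stripchart /computer:$dc /samples:3 /dataonly
}

# Usage: the summary counts logons by package. Any 'NTLM V1' or 'LM' rows are
# downlevel logons worth chasing; the Source column usually shows a client
# that connected by IP address, a non-domain host, or an old client.
Get-LmCompatibilityLevel
Get-NetworkLogonAuth |
    Group-Object Package, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name
Test-KerberosClockSkew
```

To reproduce Steve's test, run the summary once, map the sysvol share by IP address from a domain client, run it again and confirm the new row is NTLM rather than Kerberos; then repeat using the DC's name to see the Kerberos logon appear instead.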
