Re: Does eliminating NetBios kill NTLMv2?
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/06/04
- Next message: Roger Abell: "Re: Give user acces to regkeys"
- Previous message: jaks: "Forming new group to create a fully stable and secure windows machine"
- In reply to: Jacques Koorts: "Does eliminating NetBios kill NTLMv2?"
- Next in thread: Jacques Koorts: "Re: Does eliminating NetBios kill NTLMv2?"
- Reply: Jacques Koorts: "Re: Does eliminating NetBios kill NTLMv2?"
Date: Sat, 6 Nov 2004 00:34:44 -0700
Just adding a couple items to the already stated . . .
There is a (actually not so) subtle confusion in these quotes.
LM/NTLM v1/v2 are authentication mechanisms.
NetBIOS has three aspects, one of which is name/location
services (i.e. get IP knowing NetBIOS name) but none of
which are authentication services.
Shutting off NetBIOS forces uplevel clients to use only
DNS for name resolution (and direct hosting on tcp 445 for
the other aspects of NetBIOS).
In default configs, domain members will try the most strong
allowed authentication first (and it really should work if all
is between uplevel machines). (Note: one should alter the
difficult to understand default policy of client machines to use
Ntlm or Lm, that is, excluding Ntlm v2). Since the strongest,
and first tried should work, there should not be a failover
delay - and there is really no reason to expect this to differ
due to how the location for the authentication attempt has
been determined.
How a machine finds where it will try to authenticate is
impacted by whether or not NetBIOS is enabled. Without it
all efforts are DNS only (i.e. there is no room for delays from
wait/retry states in the NetBIOS based name services - just a
failure when DNS cannot resolve the name).
How a machine accesses such as file share resources can
differ also depending on whether NetBIOS (over Tcp/Ip) is
enabled - leaving room for another performance difference
to be observed.
-- Roger Abell

"Jacques Koorts" <jkoorts@ccalimited.com> wrote in message news:10onrinitpc4ued@corp.supernews.com...
> Read this in Mark Minasi's articles.
>
> <quote>I guess that's why shutting down NetBIOS made things faster, as
> eliminating NetBIOS kills LM, NTLM, and NTLMv2.</quote>
>
> So if you disable Netbios on your computer, your computer will use Kerberos?
> What OSes support Kerberos? Is this all auto?
>
> Here some more from the Article.
>
> <quote> personally think that the LM "hole" is one that Microsoft should
> have plugged a long time ago through their defaults, but they haven't,
> probably because so many clients use Wintendo boxes. With hope we'll see
> LM just a bad memory soon, though. I urge you to seriously consider rolling
> out this change and let me close this by offering a performance incentive
> to go "all NTLMv2:" logons are faster. If you've ever read my pieces on how
> much faster NET USE commands become when you shut off NetBIOS, then you
> probably wondered why they got so much faster. I never knew either, but
> since shutting off NTLM and LM, I've noticed much, much snappier response
> from my NET USE commands. I still don't know why, but now I've got a guess:
> getting rid of NTLM and LM just plain simplified the logon process. As the
> clients and servers have fewer options, things just happen more quickly. I
> guess that's why shutting down NetBIOS made things faster, as eliminating
> NetBIOS kills LM, NTLM, and NTLMv2.</quote>
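The two settings this thread distinguishes, the LM/NTLM authentication level and NetBIOS over TCP/IP, are stored separately and can be audited separately. The PowerShell below is an added example, not part of either poster's message; the registry locations and value meanings are the standard Windows ones and are not taken from the thread.

```powershell
# Added example: reports the two independent settings discussed in this thread.
# Read-only; run in a PowerShell session on the machine being audited.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

# Meaning of LmCompatibilityLevel
# (policy "Network security: LAN Manager authentication level")
$lmLevels = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM and NTLM'
}
# Meaning of the per-interface NetbiosOptions value
$nbOptions = @{
    0 = 'Default (use setting from DHCP)'
    1 = 'NetBIOS over TCP/IP enabled'
    2 = 'NetBIOS over TCP/IP disabled'
}

# 1. Authentication policy: which LM/NTLM variants this machine sends or accepts.
$lsa = Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
if ($null -eq $lsa) {
    Write-Output 'LmCompatibilityLevel: not set (OS default applies)'
} else {
    $level = [int]$lsa.LmCompatibilityLevel
    Write-Output ("LmCompatibilityLevel: {0} = {1}" -f $level, $lmLevels[$level])
    if ($level -lt 3) { Write-Output '  -> client may still send LM or NTLM v1 responses' }
}

# 2. Name resolution / transport: NetBIOS over TCP/IP, configured per interface.
Get-ChildItem -Path $netbtKey -ErrorAction SilentlyContinue | ForEach-Object {
    $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($null -ne $opt) {
        Write-Output ("{0}: NetbiosOptions {1} = {2}" -f $_.PSChildName, $opt, $nbOptions[[int]$opt])
    }
}
```

A machine can report NetBIOS disabled on every interface and still show an LmCompatibilityLevel below 3, which is the situation the reply above describes: turning off NetBIOS changes how names are resolved, not which authentication responses are allowed.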