Re: Windows 9x clients authentication

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 12/02/04


Date: Thu, 02 Dec 2004 20:10:32 GMT

You might try disabling lm in the domain by using Domain Security Policy and
configuring the lan manager authentication level to be "send ntlmv2 responses
only/refuse lm". That is a security option under security settings/local
policies/security options. I am not sure if Windows ME can use ntlm as
installed [W95/98 definitely can not] and any of them can use ntlm or ntlmv2
if the user installs the Directory Services Client on the operating system.
The link below explains a bit more.

http://www.windowsecurity.com/articles/Protect-Weak-Authentication-Protocols-Passwords.html

The only really secure method would be to use ipsec "require" policy on all
computers that you do not want these operating systems to access. By default
in a domain ipsec uses kerberos for computer authentication which would
preclude down-level operating systems. Keep in mind however that ipsec
negotiation policies require that domain controllers be exempted by their
static IP addresses [via a rule with a permit filter action] for
communications to non domain controller domain members because they are the
kerberos key distribution centers. Ipsec also has some overhead involved
though you can configure policy to use AH only to reduce that if you do not
need data encrypted. Never deploy an ipsec policy without some testing
first as you can shut down the domain if done wrong. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
 -- basics of ipsec for W2K.

"shehab" <kakashikan@yahoo.com> wrote in message
news:37A353AC-2DB2-4A05-A032-7F2B812292A9@microsoft.com...
> Dear sirs
> on a network with a windows 2000 advanced server domain is there a way not
> to allow windows 95,98 and ME clients to authenticate or log on to the
> domain? (note: I want to deny the access for the operating systems not the
> user accounts or computer accounts) which means if a user has a dual boot
> (2000 pro,98) he can access and log onto the domain but when booted with
> windows 98, he can't
> thank you for your help
>
> best regards
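
An added example, not part of the original post: a Python check of a `secedit /export /cfg` policy file for the setting the reply describes, showing which down-level clients a given level actually refuses. It assumes the setting is stored as `LmCompatibilityLevel` under the Lsa key (4 = refuse LM, 5 = refuse LM and NTLM); the sample file and the client table are constructed from the post's description.

```python
# Added example: does the exported policy refuse LM-only (stock Win9x) clients?
LSA_KEY = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"

def accepted_protocols(level):
    """Protocols a domain controller accepts at LmCompatibilityLevel 0-5."""
    if not 0 <= level <= 5:
        raise ValueError("LmCompatibilityLevel must be 0-5, got %r" % level)
    accepted = {"LM", "NTLM", "NTLMv2"}
    if level >= 4:
        accepted.discard("LM")      # "send ntlmv2 responses only/refuse lm"
    if level == 5:
        accepted.discard("NTLM")    # "refuse lm & ntlm"
    return accepted

def read_lm_level(inf_text, default=0):
    """Return the level from [Registry Values]; `default` when not defined
    (assumption: 0, the Windows 2000 default)."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == LSA_KEY:
                reg_type, _, data = value.partition(",")
                if reg_type.strip() != "4":  # 4 = REG_DWORD
                    raise ValueError("unexpected registry type " + reg_type)
                return int(data.strip())
    return default

# Client capabilities as described in the post (constructed table).
CLIENTS = {
    "Win95/98 as installed": {"LM"},
    "Win95/98 + Directory Services Client": {"LM", "NTLM", "NTLMv2"},
}

def blocked_clients(level):
    """Clients with no protocol in common with what the DC accepts."""
    ok = accepted_protocols(level)
    return sorted(name for name, caps in CLIENTS.items() if not caps & ok)

# Constructed sample of a secedit export (real exports are usually UTF-16).
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
[Version]
Revision=1
"""
```

Even at level 5 a Windows 9x machine with the Directory Services Client still authenticates, which is why the reply treats the ipsec "require" policy as the only really secure method.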


