Re: Disable ALL Lan Manager Authentication

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/20/05


Date: Tue, 20 Sep 2005 16:58:59 -0500

It is not possible to completely disable it. There are also cases where it
is required, such as for VPN and, I also believe, possibly some implementations
of Exchange. You can manage the LAN Manager authentication level to allow only
NTLMv2, which is also a pretty robust authentication protocol, though again be
careful with Exchange and VPN servers. You could also configure sensitive
domain servers [not domain controllers] with an IPsec require policy, which
by default would use Kerberos for computer authentication before access
would be allowed; in such a case it would be impossible for, say, a Windows
98 or non-domain computer to access the IPsec-required server. IPsec is a
fairly complex topic and must be configured correctly and tested [ideally on
a test domain], particularly for domain controllers, or all sorts of
problems will ensue. The link below is a great article on IPsec, even if you
just read the appendixes, which will give you an excellent understanding of
IPsec and how to use it. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

"jeff" <jeff@discussions.microsoft.com> wrote in message
news:F3C142CC-854C-4037-9C6B-DA4DFD744FFD@microsoft.com...
> Hello...
>
> I'm in a pure Windows 2003 domain environment with Windows XP clients. All
> servers and workstations are joined to the domain. We are at Windows 2003
> forest functional level.
>
> I know Kerberos is the default authentication protocol. But...
>
> I have been asked...(if possible) to completely disable all levels of LAN
> Manager authentication capabilities from our
> environment...LM..NTLM..NTLMv2
>
> Is this possible.....?
>
> Thanks
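
The reply above suggests setting the LAN Manager authentication level so that only NTLMv2 is allowed. The following PowerShell is an added example, not part of the original post: it audits that setting on one machine by reading the `LmCompatibilityLevel` registry value behind the "Network security: LAN Manager authentication level" policy and reporting what the machine sends as a client and accepts as a server. The function name `Get-LmAuthPosture` and its output fields are hypothetical.

```powershell
# Added example; Get-LmAuthPosture is a hypothetical helper, not a built-in cmdlet.
function Get-LmAuthPosture {
    param(
        # Supply 0-5 to evaluate a value offline; omit to read this machine's registry.
        [Nullable[int]]$Level = $null
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $source = 'parameter'
    if ($null -eq $Level) {
        $source = 'registry'
        $lsa = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
        if ($null -ne $lsa) { $Level = [int]$lsa.LmCompatibilityLevel }
    }
    if ($null -eq $Level) {
        # Value not set: the built-in default applies and varies by Windows version,
        # so report it as unknown instead of guessing.
        return [pscustomobject]@{
            Source = $source; Level = $null
            ClientSends = 'unknown (OS default)'; ServerAccepts = 'unknown (OS default)'
            ClientNtlmV2Only = $null; ServerNtlmV2Only = $null
        }
    }
    if ($Level -lt 0 -or $Level -gt 5) {
        throw "LmCompatibilityLevel must be between 0 and 5, got $Level"
    }
    # Responses this machine sends when it authenticates to another host.
    $sends = if ($Level -le 1) { 'LM, NTLM' } elseif ($Level -eq 2) { 'NTLM' } else { 'NTLMv2' }
    # Responses this machine accepts when it validates an incoming logon.
    $accepts = if ($Level -le 3) { 'LM, NTLM, NTLMv2' } elseif ($Level -eq 4) { 'NTLM, NTLMv2' } else { 'NTLMv2' }
    [pscustomobject]@{
        Source           = $source
        Level            = $Level
        ClientSends      = $sends
        ServerAccepts    = $accepts
        ClientNtlmV2Only = ($Level -ge 3)   # sends NTLMv2 only
        ServerNtlmV2Only = ($Level -eq 5)   # refuses LM and NTLM
    }
}

# Show every level side by side (weakest to strictest), then the local machine.
0..5 | ForEach-Object { Get-LmAuthPosture -Level $_ } | Format-Table -AutoSize
Get-LmAuthPosture | Format-List
```

Levels 3 and 4 make a machine send only NTLMv2 but still accept older responses from others; only level 5 refuses both LM and NTLM, which is the case where the Exchange and VPN caveats in the reply need testing first.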


