Security Basics mailing list archives

RE: NTLMv2 on RAS


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 14 May 2004 14:59:46 -0400

You are talking about two different types of authentication protocols.
There are several types of Windows authentication protocols:

User-Kerberos, NTLMv2, NTLM, LM
Machine-certificates, SSL, and others
IIS-Anonymous, Digest Authentication, Windows Integrated, Passport
Remote-MSCHAP, EAP, EAP-TLS, CHAP, PAP, etc.

You are configuring the user authentication protocols, which will have
no effect on the remote authentication protocols.

It's like using PC Anywhere over the Internet.  Your initial connection
to the PC Anywhere host is like the remote authentication.  Once you
sign into PC Anywhere, you still have to hit (I'm hoping you have it
configured this way) Ctrl-Alt-Del to access Windows.  That's the user
authentication portion.  When you are using RRAS, there are remote and
user authentication protocols to consider, but they are independent of
each other.


Roger

***************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
***************************************************************************
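The two independent knobs Roger describes, as an added example that is not part of the original thread: a PowerShell script that reports, and with -Apply enforces, both settings on a Windows RRAS host. The LSA value LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa governs which LM/NTLM/NTLMv2 responses the box sends and accepts for Windows logons; the RRAS PPP authentication types (managed here through the "netsh ras" context) govern what dial-in or VPN clients negotiate. The function names are mine, and the script assumes it runs elevated on a host with the Routing and Remote Access role installed so that "netsh ras" exists; on a Windows 2000 server without PowerShell the same netsh ras commands are typed directly and the registry value is set with regedit. The practical caveat behind Roger's answer is that MS-CHAPv2 computes its response from the NT hash alone, so the PPP exchange never consults LmCompatibilityLevel; MS-CHAP v1, by contrast, can carry an LM-style response, which is one more reason to leave only MS-CHAPv2 enabled.

```powershell
# Added example (not from the original thread): audit and optionally harden the
# two independent authentication knobs on a Windows RRAS host.
#   Knob 1: LSA LmCompatibilityLevel  -> LM/NTLM/NTLMv2 for Windows logons
#   Knob 2: RRAS PPP authentication   -> PAP/SPAP/CHAP/MS-CHAP/MS-CHAPv2/EAP for remote clients
# Assumes an elevated session on a host with the RRAS role (so "netsh ras" exists).

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meaning of each LmCompatibilityLevel value (0..5).
$LmLevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; refuse LM'
    5 = 'Send NTLMv2 only; refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # A missing value means the OS default for this Windows version applies.
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Get-RasAuthTypes {
    # Parse "netsh ras show authtype" and return the PPP auth types that are enabled.
    $known = 'PAP', 'SPAP', 'MD5CHAP', 'MSCHAP', 'MSCHAPv2', 'EAP'
    $lines = netsh ras show authtype 2>&1 | ForEach-Object { "$_" }
    $enabled = foreach ($type in $known) {
        # \b after MSCHAP keeps it from matching the MSCHAPv2 line.
        if ($lines | Where-Object { $_ -match "^\s*$type\b" }) { $type }
    }
    return @($enabled)
}

function Invoke-RrasAuthHardening {
    param([switch]$Apply)   # without -Apply this only reports the current state

    $level = Get-LmCompatibilityLevel
    $shown = if ($null -eq $level) { 'not set (OS default)' } else { "$level ($($LmLevelMeaning[$level]))" }
    Write-Host "LmCompatibilityLevel : $shown"
    Write-Host "RRAS PPP auth types  : $((Get-RasAuthTypes) -join ', ')"

    if ($Apply) {
        # Knob 1: refuse LM and NTLM for Windows logons on this box (NTLMv2 only).
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord

        # Knob 2: leave only MS-CHAPv2 enabled for PPP. This, not knob 1, is what
        # a Win98 dial-in client negotiates against.
        foreach ($t in 'PAP', 'SPAP', 'MD5CHAP', 'MSCHAP', 'EAP') {
            netsh ras delete authtype type=$t 2>&1 | Out-Null
        }
        netsh ras add authtype type=MSCHAPv2 2>&1 | Out-Null

        Write-Host "After  : LmCompatibilityLevel=$(Get-LmCompatibilityLevel); PPP=$((Get-RasAuthTypes) -join ', ')"
    }
}

Invoke-RrasAuthHardening            # report only
# Invoke-RrasAuthHardening -Apply   # enforce NTLMv2-only logons and MS-CHAPv2-only PPP
```

Run it once without -Apply to confirm which PPP types are currently enabled before cutting anything; a client that only has MS-CHAP v1 or PAP will stop connecting after the change, while the LmCompatibilityLevel change on its own leaves the PPP negotiation untouched.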



-----Original Message-----
From: Leon North [mailto:leon_nc () linuxmail org] 
Sent: Friday, May 14, 2004 5:28 AM
To: security-basics () securityfocus com
Subject: NTLMv2 on RAS

We have a stand-alone Win2k Server running as a RRAS machine (i.e. local
accounts only, NOT a domain member). As part of hardening it, I want to
set LM Compatibility to only allow NTLMv2 authentication, which is
significantly more secure. This means Win98 and earlier clients couldn't
connect to it (without some modification). Fine, since apart from RAS we
will only be logged on or connecting to it locally, not from any other
machines.

My question is: will this affect Win98 clients connecting over RAS? RAS
clients use remote auth such as MSCHAP (I will also restrict to MSCHAPv2,
which Win98 does support), but do RAS clients ONLY use the remote
authentication, or do they also use local authentication protocols as
well in the process?

Or, to simplify even further: will configuring the Win2k RRAS LM
Compatibility to NTLMv2 impact remote clients connecting via RRAS in any
way?

Any help appreciated.

Leon

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



