Security Basics mailing list archives
RE: NTLMv2 on RAS
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 14 May 2004 14:59:46 -0400
You are talking about two different types of authentication protocols. There are several types of Windows authentication protocols:

User - Kerberos, NTLMv2, NTLM, LM
Machine - certificates, SSL, and others
IIS - Anonymous, Digest Authentication, Windows Integrated, Passport
Remote - MSCHAP, EAP, EAP-TLS, CHAP, PAP, etc.

You are configuring the user authentication protocols, which will have no effect on the remote authentication protocols. It's like using PC Anywhere over the Internet. Your initial connection to the PC Anywhere host is like the remote authentication. Once you sign into PC Anywhere, you still have to hit (I'm hoping you have it configured this way) Ctl-Alt-Del to access Windows. That's the user authentication portion. When you are using RRAS, there are remote and user authentication protocols to consider, but they are independent of each other.

Roger

***************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
***************************************************************************

-----Original Message-----
From: Leon North [mailto:leon_nc () linuxmail org]
Sent: Friday, May 14, 2004 5:28 AM
To: security-basics () securityfocus com
Subject: NTLMv2 on RAS

We have a stand alone Win2k Server running as a RRAS machine (i.e. local accounts only, NOT a domain member). As part of hardening it, I want to set LM Compatibility to only allow NTLMv2 authentication, which is significantly more secure. This means Win98 and earlier clients couldn't connect to it (without some modification). Fine, since apart from RAS we will only be logged on or connecting to it locally, not from any other machines.

My question is: will this affect Win98 clients connecting over RAS? RAS clients use remote auth such as MSCHAP (I will also restrict to MSCHAPv2, which Win98 does support), but do RAS clients ONLY use the remote authentication, or do they also use local authentication protocols as well in the process? Or to simplify even further: will configuring the Win2k RRAS LM Compatibility to NTLMv2 impact remote clients connecting via RRAS in any way?

Any help appreciated.

Leon