Security Basics mailing list archives

RE: Kerberos and NTLM Authentication protocol


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 10 Nov 2004 23:02:47 -0500

There is always a reason why something other than Kerberos must be used for Windows authentication.  Kerberos can't be used for dozens of things, including: local logins, legacy trusts, Cluster authentication, anytime UDP RPC is used, RRAS logins, etc.

And you will always need local logins.  Besides the local admin account, local logins are used by services and a myriad of other processes behind the scenes.

So, NTLMv2 (or NTLM or LM) can't not be used.  It can't be turned off.  Windows will always need a "legacy" auth protocol, so if it has to be used, making Windows use NTLMv2 instead of LM or NTLM is a good thing to do.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant 
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
****************************************************************************
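An added example, not part of Roger's reply or the original post: a PowerShell audit of the LMCompatibilityLevel setting the thread is about on the local Windows machine, with an optional switch to apply the NTLMv2-only setting Roger recommends. The registry path, value names and level meanings are Microsoft's documented ones; the -Enforce switch and the output wording are my own.

```powershell
# Audit (and optionally harden) the LAN Manager authentication level.
# Meaning of each LmCompatibilityLevel value as documented by Microsoft:
#   0  Send LM & NTLM responses
#   1  Send LM & NTLM, use NTLMv2 session security if negotiated
#   2  Send NTLM response only
#   3  Send NTLMv2 response only
#   4  Send NTLMv2 response only, refuse LM
#   5  Send NTLMv2 response only, refuse LM & NTLM
# -Enforce writes the strict values and needs an elevated shell (my own switch).
param([switch]$Enforce)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

# A missing value means the OS default applies, which differs by Windows version.
$props    = Get-ItemProperty -Path $lsa
$level    = $props.LmCompatibilityLevel
$noLmHash = $props.NoLMHash

if ($null -eq $level) {
    Write-Output 'LmCompatibilityLevel: not set (OS default applies)'
} else {
    Write-Output ('LmCompatibilityLevel: {0} ({1})' -f $level, $levels[[int]$level])
}
if ($noLmHash -eq 1) { Write-Output 'NoLMHash: 1 (LM hashes are not stored)' }
else                 { Write-Output 'NoLMHash: not set (LM hashes may be stored)' }

# Anything below 3 still sends LM or NTLM responses, the state the thread
# recommends moving away from.
if ($null -eq $level -or $level -lt 3) {
    Write-Warning 'This host may still send LM/NTLM responses; consider level 3 or higher.'
}

if ($Enforce) {
    # Level 5 sends only NTLMv2 and, on servers/DCs, refuses LM and NTLM from
    # clients, so confirm every client can do NTLMv2 before applying it broadly.
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    Write-Output 'Set LmCompatibilityLevel=5 and NoLMHash=1; a reboot is required.'
}
```

Run it without arguments on a client and on a DC to compare; a mixed 2000/XP/2003 network such as the one in the question can usually go to level 3 on clients first and raise DCs afterwards.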



-----Original Message-----
From: . . [mailto:chirobado () hotmail com] 
Sent: Wednesday, November 10, 2004 5:33 PM
To: security-basics () securityfocus com
Subject: Kerberos and NTLM Authentication protocol

In a domain with DC 2003 and clients all windows 2000 and XP:

* Is there any important reason to change the LMCompatibility level to prevent using LM/NTLM and use only NTLMv2 on both clients and DCs?

As far as I know, in this environment, authentication against the DC is done through Kerberos v5. Kerberos uses the NT hash, but not the NTLM authentication protocol at all.

If there is no case where the NTLM or LM authentication protocol is needed (it would be needed only between clients, but there are no Win9x or NT clients in the network)... is there any reason to be "worried"?

Thanks.




