Bugtraq mailing list archives

Re: Domain password logon authentication bug in Windows 2000 Advanced Server Domain Controller


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 19 Jul 2002 17:18:32 +0400

Dear Ron Ray,

There  is  no  bug.  "Send  NTLM response only" refers to client, not to
server.  "Send  NTLM  response only" means that client computer will not
send  LM hashed response on server's challenge to server computer. "Send
NTLM  response  only" sets your compatibility level to 2. To disallow LM
logon on Domain Controller you need LMCompatibilityLevel 4.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA

Value: LMCompatibilityLevel
   Value Type: REG_DWORD - Number
   Valid Range: 0-5
   Default: 0
   Description: This parameter specifies the type of authentication to be
   used.

   Level 0 - Send LM response and NTLM response; never use NTLMv2 session
             security
   Level 1 - Use NTLMv2 session security if negotiated
   Level 2 - Send NTLM authentication only
   Level 3 - Send NTLMv2 authentication  only
   Level 4 - DC refuses LM authentication
   Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)


See  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q239869 for
more information.

--Thursday, July 18, 2002, 6:42:31 AM, you wrote to bugtraq () securityfocus com:

RR> NTLM is supposed to increase the password security by using upper and
RR> lower case but my windows 9x client could still log in ignoring the case 
RR> even though the LAN Manager Authentication Level on the Domain Controller 
RR> was set to "Send NTLM response only".


-- 
~/ZARAZA
But on the whole, William, the local climate, if one can call it
a climate at all, is quite tolerable. (Twain)
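An added audit check, not part of the original post: this PowerShell snippet reads LMCompatibilityLevel from the LSA key quoted above and applies the level table to decide whether the host still sends LM responses and, if it is a domain controller, whether it still accepts them (the behaviour Ron Ray observed). The DomainRole threshold and the level descriptions are assumptions taken from the post's table and the Win32_ComputerSystem class.

```powershell
# Added example: audit LMCompatibilityLevel against the level table in the post.
# A missing value means the documented default (0) applies.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmCompatibilityFinding {
    param([int]$Level, [bool]$IsDomainController)

    # Descriptions follow the level table quoted in the post.
    $meaning = @{
        0 = 'Send LM response and NTLM response; never use NTLMv2 session security'
        1 = 'Use NTLMv2 session security if negotiated'
        2 = 'Send NTLM authentication only'
        3 = 'Send NTLMv2 authentication only'
        4 = 'DC refuses LM authentication'
        5 = 'DC refuses LM and NTLM authentication (accepts only NTLMv2)'
    }
    $findings = @()
    if ($Level -lt 2) {
        # Levels 0 and 1 still put the case-insensitive LM response on the wire.
        $findings += 'client side: this host still sends LM responses'
    }
    if ($IsDomainController -and $Level -lt 4) {
        # Levels 2 and 3 only change what this machine sends as a client;
        # a DC keeps accepting LM responses from Windows 9x clients until level 4.
        $findings += 'server side: this DC still accepts LM responses (case-insensitive logon)'
    }
    [pscustomobject]@{
        Level    = $Level
        Meaning  = $meaning[$Level]
        Findings = if ($findings.Count) { $findings } else { @('no LM exposure at this level') }
    }
}

$lsa   = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
$level = if ($null -ne $lsa.LMCompatibilityLevel) { [int]$lsa.LMCompatibilityLevel } else { 0 }

# DomainRole 4 = backup domain controller, 5 = primary domain controller (assumed mapping).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

Get-LmCompatibilityFinding -Level $level -IsDomainController $isDC | Format-List
```

Run it on the DC itself: a member server at level 2 or 3 reports nothing on the server side because the accept/refuse decision is made only on the DC.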

