Bugtraq mailing list archives
Re: Domain password logon authentication bug in Windows 2000 Advanced Server Domain Controller
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 19 Jul 2002 17:18:32 +0400
Dear Ron Ray,

There is no bug. "Send NTLM response only" refers to the client, not to the server. "Send NTLM response only" means that the client computer will not send an LM hashed response to the server's challenge. "Send NTLM response only" sets your compatibility level to 2. To disallow LM logon on a Domain Controller you need LMCompatibilityLevel 4.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0-5
Default: 0
Description: This parameter specifies the type of authentication to be used.

Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM authentication only
Level 3 - Send NTLMv2 authentication only
Level 4 - DC refuses LM authentication
Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)

See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q239869 for more information

--Thursday, July 18, 2002, 6:42:31 AM, you wrote to bugtraq () securityfocus com:

RR> NTLM is supposed to increase the password security by using upper and
RR> lower case but my windows 9x client could still log in ignoring the case
RR> even though the LAN Manager Authentication Level on the Domain Controller
RR> was set to "Send NTLM response only".

--
~/ZARAZA
Well, on the whole, William, the local climate, if it can be called a climate at all, is quite tolerable. (Twain)
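
The level list above, modelled as an audit check: this is an added example, not part of the original message or of any Microsoft tool. The function names, the constructed `reg query`-style sample text, and the assumption that the legacy client answers with LM only are illustrative; client behaviour at levels 4 and 5 follows the referenced KB article.

```python
import re

ALL = frozenset({"LM", "NTLM", "NTLMv2"})
# Responses a DC accepts at each level: only levels 4 and 5 restrict the DC.
DC_ACCEPTS = {0: ALL, 1: ALL, 2: ALL, 3: ALL,
              4: ALL - {"LM"}, 5: frozenset({"NTLMv2"})}
# Responses a client sends at each level (levels 4-5 act like 3 on the client).
CLIENT_SENDS = {0: {"LM", "NTLM"}, 1: {"LM", "NTLM"}, 2: {"NTLM"},
                3: {"NTLMv2"}, 4: {"NTLMv2"}, 5: {"NTLMv2"}}

VALUE_RE = re.compile(
    r"^\s*LMCompatibilityLevel\s+REG_DWORD\s+(0x[0-9a-f]+|\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def parse_level(reg_output):
    """Extract the level from `reg query` style text; absent value means 0."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return 0  # default stated in the message
    raw = m.group(1)
    level = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    if level not in DC_ACCEPTS:
        raise ValueError(f"LMCompatibilityLevel out of range 0-5: {level}")
    return level

def accepted(dc_level, client_responses):
    """Client responses that a DC at dc_level would accept."""
    return set(client_responses) & DC_ACCEPTS[dc_level]

def audit_dc(reg_output, legacy_client=frozenset({"LM"})):
    """Report whether an LM-only client (assumption) can still log on."""
    level = parse_level(reg_output)
    return {"level": level,
            "lm_logon_possible": "LM" in accepted(level, legacy_client),
            "dc_refuses_lm": "LM" not in DC_ACCEPTS[level]}

# Constructed samples, shaped like `reg query` output for the key above.
SAMPLE_LEVEL2 = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    LMCompatibilityLevel    REG_DWORD    0x2
"""
SAMPLE_LEVEL4 = SAMPLE_LEVEL2.replace("0x2", "0x4")

if __name__ == "__main__":
    for name, text in (("level 2", SAMPLE_LEVEL2), ("level 4", SAMPLE_LEVEL4)):
        print(name, audit_dc(text))
```

At level 2 the DC still accepts the LM response, which matches the behaviour reported in the quoted message; the logon is refused only from level 4 upward.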
Current thread:
- Domain password logon authentication bug in Windows 2000 Advanced Server Domain Controller Ron Ray (Jul 18)
- Re: Domain password logon authentication bug in Windows 2000 Advanced Server Domain Controller 3APA3A (Jul 19)