Re: MSFT Bans insecure hashes - was"Passwords with Lan Manager (LM) under Windows"

[Daniel Miessler <daniel () dmiessler com>]

On Sep 24, 2005, at 4:11 PM, Thor (Hammer of God) wrote:

> Rather than getting into how the basic client-server authentication  
> netlogon protocols are vastly different than IPSec channels, please  
> just answer one of the following questions.  I'll try to make them  
> very simple.
>
> Scenario:  You've got an XP Pro laptop on the Windows network  
> logged on with local credentials.  A network resource on a Win2k  
> server somewhere is accessed, requiring new credentials be entered  
> to access the resource. Please tell us exactly how you force the  
> client and server to use "IPSec based auth" to authenticate the  
> request as opposed to LM, NTLM, or NTLMv2.

Here, let me try:

The issue here is simple: we're trying to authenticate to a Windows  
system, and IPSEC "authentication" is used to authenticate IPSEC  
peers, not Windows users. An analogy would be a situation in which  
authentication is needed for both a secret road to get to work, and  
then also to enter the building at work. The road authentication  
doesn't necessarily work for the building. ;)

--
Daniel R. Miessler
M: daniel () dmiessler com
W: http://dmiessler.com
G: 0x316BC712

Attachment: PGP.sig
Description: This is a digitally signed message part