
| Subject: | RE: Kerberos & NTLM Auth in IIS6 |
|---|---|
| Date: | Wed, 15 Jun 2005 17:34:42 -0700 |
Thanks, though currently we are not using NTLMv2 authentication for RPC applications (LMCompatibility is set to Send LM & NTLM). I'm still finding it hit and miss to get Integrated Auth to work properly with clients. One client changed from DHCP, with which Integrated Auth worked fine, to a static IP, and it no longer worked (even after removing DNS entries from the domain and forcing a registerdns). All other settings look fine compared to what was previously posted. The question would be: why does it work for some but not others? That is what I'm not understanding at this point.

Thanks,
Trevor

-----Original Message-----
From: nobody@nobody.com [mailto:nobody@nobody.com]
Sent: Wednesday, June 15, 2005 3:53 AM
To: focus-ms@securityfocus.com
Subject: Re: Kerberos & NTLM Auth in IIS6

A little known fact regarding NTLMv2 is that only those applications that authenticate using the Local Security Authority (LSA) will be affected by the LMCompatibility mode setting. That includes file sharing and domain logons. A number of applications use the NTLM Security Support Provider Interface (NTLMSSP) to authenticate, and there is a separate setting to enable NTLMv2 for them. Examples of such applications include SQL Server (when using RPC) and many other (secure) RPC-based applications. NTLMv2 for NTLMSSP has to be enabled on a given machine, both for the machine's functionality as a server and as a client. The registry has to be edited to enable NTLMv2 for RPC. Edit the registry and set the appropriate keys. These keys do not exist by default or are set to 0.

Enable NTLMv2 Authentication for NTLM Security Support Provider Interface (NTLMSSP): mandatory

To set NTLMv2 security on the server side, add the following registry key:

| Setting | Value |
|---|---|
| Hive | HKEY_LOCAL_MACHINE |
| Key | \System\CurrentControlSet\Control\Lsa\MSV1_0\ |
| Value Name | NtlmMinServerSec |
| Type | REG_DWORD |
| Value | 0x00080000 |

To set NTLMv2 security on the client (Windows 9x/NT/2000/XP) side, add the following registry key:

| Setting | Value |
|---|---|
| Hive | HKEY_LOCAL_MACHINE |
| Key | \System\CurrentControlSet\Control\Lsa\MSV1_0\ |
| Value Name | NtlmMinClientSec |

NOTE: Both the client and server side have to be set for this to work properly. When "HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel" does not enable a machine to negotiate NTLMv2 authentication, this setting will make certain remote features fail (e.g. mapping of shares). So the LMCompatibilityLevel must be set to allow NTLMv2 authentication at the same time. We were made aware that in cluster solutions the LMCompatibilityLevel must be set to "Send LM and NTLM responses only" (see also: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q272129>) and that the registry settings above must not be made at all!

You can find more information about s-RPC at: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869> and <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q147706>
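A read-only audit script for the mismatch the thread describes, added here as an example and not part of the original messages: it reads NtlmMinClientSec, NtlmMinServerSec and LMCompatibilityLevel and flags the two inconsistent states (only one side requires NTLMv2 session security, or it is required while LMCompatibilityLevel is 0 and so cannot negotiate it). It assumes the paths and the 0x00080000 flag quoted in the post and the documented meaning of level 0 ("Send LM & NTLM responses", no NTLMv2 session security) versus levels 1 and above, which can use NTLMv2 session security when negotiated.

```powershell
# Added audit example (not from the thread). Read-only: it changes no registry values.
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Path = Join-Path $lsaPath 'MSV1_0'

# NTLMv2 session security flag for NtlmMinClientSec/NtlmMinServerSec, as in the post.
$NtlmV2SessionSecurity = 0x00080000

function Get-RegDwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default = 0)
    # The post notes these values are absent by default, which behaves like 0.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

$minClient = Get-RegDwordOrDefault -Path $msv1Path -Name 'NtlmMinClientSec'
$minServer = Get-RegDwordOrDefault -Path $msv1Path -Name 'NtlmMinServerSec'
$lmLevel   = Get-RegDwordOrDefault -Path $lsaPath  -Name 'LMCompatibilityLevel'

$clientRequiresV2 = ($minClient -band $NtlmV2SessionSecurity) -ne 0
$serverRequiresV2 = ($minServer -band $NtlmV2SessionSecurity) -ne 0

$findings = @()
if ($clientRequiresV2 -xor $serverRequiresV2) {
    # The post: both the client and server side have to be set.
    $findings += 'Only one of NtlmMinClientSec/NtlmMinServerSec requires NTLMv2 session security.'
}
if (($clientRequiresV2 -or $serverRequiresV2) -and $lmLevel -eq 0) {
    # Level 0 cannot negotiate NTLMv2 session security, so RPC/share access may fail
    # while the NTLMSSP minimum demands it (assumed documented level semantics).
    $findings += 'NTLMv2 session security is required but LMCompatibilityLevel is 0 (Send LM & NTLM).'
}
if ($findings.Count -eq 0) { $findings += 'NTLMSSP minimums and LMCompatibilityLevel are consistent.' }

[pscustomobject]@{
    NtlmMinClientSec     = ('0x{0:X8}' -f $minClient)
    NtlmMinServerSec     = ('0x{0:X8}' -f $minServer)
    LMCompatibilityLevel = $lmLevel
    ClientRequiresNTLMv2 = $clientRequiresV2
    ServerRequiresNTLMv2 = $serverRequiresV2
    Findings             = $findings
}
```

Run it on both the IIS host and a failing client; a client that changed from DHCP to a static address and stopped working would be expected to show the same values as a working one, which points the investigation away from these keys.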