Network Security NTBugtraq

Re: kerberos!

Subject: Re: kerberos!
Date: Fri, 10 Sep 2004 08:45:21 -0400
Far too many people replied with "this is expected behavior", for my comfort 
level.

When MS created NTLMv2, in response primarily to MITM attack threats to NTLM, 
we had a thread here regarding the inability for a company who was using 
systems that could do NTLMv2 to prevent fall-back. So MS had provided a 
solution to a real problem, but had not provided any way to ensure the problem 
could not happen again. They subsequently came up with the ability to restrict 
both client and server authentication requirements ("LMCompatabilityLevels".)

That registry key also solved another problem, the ability to put weak LM 
hashes in the SAM, by restricting clients that couldn't do stronger 
authentication techniques.

Nesha's post brings to light (or recasts the spotlight) on the very same issue. 
With the introduction of Kerberos, there should have been some mechanism 
provided whereby non-Kerberos authentication could be excluded from working at 
all.

That fall-back authentication has always been in NT should not translate into 
an inability for more security-minded organizations to eliminate it from their 
environments. This was precisely the argument made that led to 
"LMCompatabilityLevel", and it should have been remembered when Kerberos was 
implemented.

So, tsk tsk to all of you who simply responded with "this is expected 
behavior". It shouldn't be expected, it should only happen if, after 
implementing Kerberos, you specifically choose to allow NTLM fall-back. That 
would be the more secure process, *that* should be the "expected behavior", 
IMNSHO.

Legacy support is the next issue that MS needs to tackle IMO. Default secure 
may well be the norm now for Windows Servers, and hopefully will be the norm 
for Longhorn. Legacy disabled should become the default too.

Cheers,
Russ - Senior Scientist - TruSecure Corporation/NTBugtraq Editor
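
The level setting the post refers to (LmCompatibilityLevel in Microsoft's documentation), modelled as an added example that is not part of the original message: it shows which NTLM-family responses still authenticate for a given pair of client and validator levels. The function names and the hosts in SAMPLE_HOSTS are constructed for illustration.

```python
# Added example. Models the documented LmCompatibilityLevel values (0-5);
# the host names and levels in SAMPLE_HOSTS are constructed.
LM, NTLM, NTLMV2 = "LM", "NTLM", "NTLMv2"
ORDER = [LM, NTLM, NTLMV2]  # weakest to strongest

def client_sends(level):
    """Response types a client at this level will send."""
    if level in (0, 1):
        return {LM, NTLM}
    if level == 2:
        return {NTLM}
    if level in (3, 4, 5):
        return {NTLMV2}
    raise ValueError(f"unknown level {level}")

def validator_accepts(level):
    """Response types accepted by the machine that validates the logon."""
    if level in (0, 1, 2, 3):
        return {LM, NTLM, NTLMV2}
    if level == 4:
        return {NTLM, NTLMV2}
    if level == 5:
        return {NTLMV2}
    raise ValueError(f"unknown level {level}")

def negotiated(client_level, validator_level):
    """Types that would authenticate; an empty list means the logon is refused."""
    common = client_sends(client_level) & validator_accepts(validator_level)
    return [t for t in ORDER if t in common]

def audit(hosts):
    """Map each host to the weaker-than-NTLMv2 types it still sends or accepts."""
    findings = {}
    for name, level in hosts.items():
        sent = [t for t in ORDER[:2] if t in client_sends(level)]
        accepted = [t for t in ORDER[:2] if t in validator_accepts(level)]
        if sent or accepted:
            findings[name] = {"sends": sent, "accepts": accepted}
    return findings

SAMPLE_HOSTS = {"ws-legacy": 0, "ws-new": 3, "dc-01": 4, "dc-02": 5}

if __name__ == "__main__":
    for host, issue in audit(SAMPLE_HOSTS).items():
        print(host, issue)
    print("level 0 client vs level 5 validator:", negotiated(0, 5))
```

Only level 5 on the validating machine removes both LM and NTLM responses; the setting covers the NTLM family only and does nothing about fall-back from Kerberos to NTLM.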
