Network Security NTBugtraq

Re: kerberos!

Subject: Re: kerberos!
Date: Fri, 10 Sep 2004 08:49:08 -0500
Russ,
Thanks for the common sense perspective on this issue.  It hits me a bit
close to the heart insofar as it ties into the Computer/Domain "Restrict
Anonymous" security settings.

My own experience is with a native-mode Windows 2000 domain, albeit with
Windows NT 4.0 SP6a clients.  Budgetary concerns prevent quick migration
away from these downlevel clients, alas.  When I implemented this domain, I
initially set "Restrict Anonymous" to 2 (no access without explicit
permissions) and the NTLM authentication level to 4 (NTLMv2 only), as it was
recommended as a "best practice" in securing a domain.  Unfortunately, all
of the NT4 clients then would randomly "fall off" the domain, and users were
unable to log in, because the NT4 boxes could not initiate a secure channel
connection to authenticate the machine account.  This is bad.

I had to back off the "Restrict Anonymous" setting to 0, and the NTLM
authentication level to 2, per various MS KB articles; this solved the issue
and stabilized my domain, but at a cost to security.

I offer this as one exception to your position regarding legacy support.  I
agree with Microsoft's practice of supporting downlevel clients (even beyond
the useful life of the OS) because some of us simply cannot upgrade quickly.
Sometimes this process takes years I am sorry to say.  I would agree with a
"default" security setting that was as strong as possible, with a downlevel
client upgrade to support more secure systems.  Absent that, then at the
very least we need detailed configuration directions on how to back down
each setting to accommodate which downlevel client.

One of the Microsoft publications that has helped me the most has been the
Windows 2000 Hardening Guide.  That in addition to study of Hacking Exposed
enables a good start on Windows domain security plans.

Thanks for the bandwidth,
Rick Bertolett
Austin Water Utility
512-972-0225
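
An added audit snippet (my own example, not part of Rick's message or anything from the list) that reads the two LSA settings he describes from the local registry and reports where each sits relative to the values in the post. The key path and value names are the standard Windows ones; the "Finding" labels are my own classification.

```powershell
# Added example: report RestrictAnonymous and LmCompatibilityLevel on this host.
# Registry location and value names are the standard Windows ones; the meaning
# strings paraphrase the documented levels for each value.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$restrictAnonymousMeaning = @{
    0 = 'None; rely on default permissions (anonymous enumeration allowed)'
    1 = 'Do not allow enumeration of SAM accounts and shares'
    2 = 'No access without explicit anonymous permissions (Windows 2000 only)'
}
$lmCompatMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LsaDword {
    param([string]$Name)
    $item = Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.$Name
}

function Test-DomainAuthHardening {
    $ra = Get-LsaDword -Name 'RestrictAnonymous'
    $lm = Get-LsaDword -Name 'LmCompatibilityLevel'

    # 0 is the level the post had to fall back to so NT4 clients could keep
    # their secure channel; 2 is the level that broke them.
    $raFinding = if ($null -eq $ra) { 'not set (OS default)' }
                 elseif ($ra -ge 2) { 'hardened' }
                 elseif ($ra -eq 1) { 'partial' }
                 else { 'anonymous access permitted' }
    # Below 3 the host still sends LM/NTLMv1 responses; 4 is the post's
    # original "NTLMv2 only" target, 2 is what the NT4 clients tolerated.
    $lmFinding = if ($null -eq $lm) { 'not set (OS default)' }
                 elseif ($lm -ge 4) { 'hardened' }
                 elseif ($lm -eq 3) { 'NTLMv2 sent, LM still accepted' }
                 else { 'LM/NTLMv1 in use' }

    [pscustomobject]@{ Setting = 'RestrictAnonymous';    Value = $ra; Meaning = $restrictAnonymousMeaning[$ra]; Finding = $raFinding }
    [pscustomobject]@{ Setting = 'LmCompatibilityLevel'; Value = $lm; Meaning = $lmCompatMeaning[$lm];         Finding = $lmFinding }
}

Test-DomainAuthHardening | Format-Table -AutoSize
```

On Windows XP and later the RestrictAnonymous value 2 is no longer honoured; the equivalent anonymous-access controls are split into RestrictAnonymousSAM and EveryoneIncludesAnonymous under the same key.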
