Network Security NTBugtraq
Re: kerberos!

Subject: Re: kerberos!
Date: Mon, 13 Sep 2004 08:50:54 +0200
Regarding all the mails regarding Kerberos and NTLM, I would like to add one
additional remark.

I see that one important feature is also missing in the Windows 2000/2003
environment: the ability to audit what type of authentication is used by the
clients.

Say I want to eliminate NTLM V1 & Lanmanager.
If I'm able to audit all the users that still use these types of
authentication protocols (Win9x, Samba, NAS appliances), I can warn them and
take appropriate action before actually shutting down the protocol. However
at this moment I'm unable to see what type of logon-requests are still used
by the clients, so I'm unable to contact the persons and warn them before
actually upgrading the security policy.

So it would be nice to be able to audit which of the users/machines is still
using the Lanmanager or NTLM V1 authentication protocol to be able to safely
disable these protocols without causing a lot of problems the day you
disable them.

At this moment you can only audit who is using Kerberos and who is using
Lanmanager/NTLM V1/NTLM V2. The different levels of NTLM/Lanmanager cannot
be audited, so it is therefore impossible to see who is still using NTLMV1
and Lanmanager in a Windows 2000/2003 environment.


Regards,

Frank
