NTLMv2 vs. Kerberos (Sorry about the similarity)

GX

In a nutshell, what's the difference between these two settings?

What would one do that the other won't?
I have native mode w2ksvrs. Which one should I select and why?

Should I establish this on the Domain Security Policy or the Domain
Controller Security Policy level?

Thanks a bunch.

GX

Steven L Umbach

Kerberos is the default for W2K and is what will be attempted first for
authentication with W2K/XP Pro/W2003 domain member machines. Authentication
can however fall back to lm/ntlm/ntlmv2 if kerberos cannot be used for some
reason including using IP address instead of host name to access a share or
if there is a time skew greater than five minutes between computers. If you
have auditing of account logon and/or logon events enabled for the domain
controllers, you will see if kerberos is used or not.

The security option for lanmanager authentication level is generally
configured for compatibility with downlevel [W9X/NT4.0] clients. You really
want to avoid lm as it is very weak [even to hash sniffing] and also disable
lm hash storage on your domain controllers and even domain members if not
needed for W9X clients. W9X clients use lm by default, but installing the
Directory Services Client on them will allow them to authenticate to the
domain with ntlmv2. Of course domain controllers should be secured to the
point where physical access to an attacker would be very difficult.

Generally it is a good idea to configure lan manager authentication level
for the domain and on domain controllers via Domain Controller Security
Policy to be at least "send ntlmv2 responses only" and if you have no
downlevel clients then at least "send ntlmv2 - refuse lm" for Domain
Controller Security policy. Ntlmv2 is by far the strongest of the older
authentication methods and all W2K/XP Pro/W2003 machines can use it if need
be such as in a workgroup environment. The most secure setting "send
ntlmv2 - refuse lm and ntlm" can cause problems even with all W2K computers
in certain situations such as on a W2K ras server where vpn clients may be
unable to authenticate so use that setting carefully. See the links below
for more information on configuring the settings for lan manager
authentication level. When you read the descriptions, keep in mind that they
have different meanings depending if the computer is acting as a client or a
server. --- Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/576.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- read
part 10. Excellent info.

GX

Steve,

Thanks a lot for the info...

a couple of points to see if we can tune the noise of the answer...

VPN - via cisco solution, then rdp to specific workstations. Only IT
personnel has VPN access. No RAS enabled.

Servers - All W2K and W2K3
Clients - All WinXP PRO

What level would be my best bet?

Steven L Umbach

In your situation you could go with at least "send ntlmv2 - refuse lm" for
domain and domain controller security policy and very probably the highest
setting of "send ntlmv2 - refuse lm and ntlm". Kerberos should be used
pretty much all the time on your network anyhow. If you go with the "send
ntlmv2 - refuse lm and ntlm" just let people who should be aware in case a
problem pops up which typically would be a user entering their correct
credentials somewhere and either being denied access or the credential
screen just does not accept what you enter when you know name/password are
correct which I experienced on a ras server. See the link to the Windows
2000 Security hardening Guide below for their recommendations on the lan
manager authentication level settings which pretty much also indicate you
can use the most secure setting or number "5" as it is referred to
here. --- Steve

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx
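
The "lan manager authentication level" settings discussed in this thread, as a small model added here (it is not code from the thread or from Microsoft). Each level 0-5 is the LmCompatibilityLevel registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the functions keep Steve's distinction: what a client at a given level sends versus what a server at a given level still accepts. The fleet, host names and their levels are constructed for the walkthrough, so you can see which hosts a move of the domain controllers to "refuse lm and ntlm" (level 5) would lock out, and which hosts still put an LM response on the wire.

```python
"""Model of the 'LAN Manager authentication level' setting (LmCompatibilityLevel 0-5).

Added example, not code from the thread or from Microsoft. It separates what a
machine sends as a client from what it accepts as a server, which is why the
same level reads differently in the two roles. Fleet data below is constructed.
"""

LEVEL_NAMES = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only / refuse LM",
    5: "Send NTLMv2 response only / refuse LM & NTLM",
}


def client_sends(level):
    """Response types a client at this level puts on the wire, strongest first."""
    if level <= 1:
        return ("NTLM", "LM")  # both go out; the LM response is the weak, sniffable one
    if level == 2:
        return ("NTLM",)
    return ("NTLMv2",)


def server_accepts(level):
    """Response types a server (or domain controller) at this level will still authenticate."""
    accepted = {"LM", "NTLM", "NTLMv2"}
    if level >= 4:
        accepted.discard("LM")
    if level >= 5:
        accepted.discard("NTLM")
    return accepted


def negotiate(client_level, server_level):
    """Strongest response the server accepts from this client, or None if the client is refused."""
    for response in client_sends(client_level):
        if response in server_accepts(server_level):
            return response
    return None


def refused_clients(fleet, server_level):
    """Hosts in fleet ({name: level}) that could no longer authenticate to servers at server_level."""
    return sorted(h for h, lvl in fleet.items() if negotiate(lvl, server_level) is None)


def lm_on_the_wire(fleet):
    """Hosts whose level still emits an LM response: the 'hash sniffing' exposure from the thread."""
    return sorted(h for h, lvl in fleet.items() if "LM" in client_sends(lvl))


# Constructed fleet for the example; the levels are assumed values, not product defaults.
FLEET = {"WS-IT01": 3, "WS-FIN07": 0, "BKUP02": 2, "RAS01": 3}

if __name__ == "__main__":
    for target in (3, 4, 5):
        print(f"servers at level {target} ({LEVEL_NAMES[target]}): refuses",
              refused_clients(FLEET, target) or "nobody")
    print("still sending LM responses:", lm_on_the_wire(FLEET))
```

Run it before raising Domain Controller Security Policy: a host at level 0-2 shows up as refused at level 5 but not at level 4, which is exactly the gap between "refuse lm" and "refuse lm and ntlm". The model covers the LM/NTLM/NTLMv2 response negotiation only; it does not explain the RAS server case Steve ran into, which involves the VPN authentication path rather than this setting alone.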

GX

awesome...thanks a lot...

you mentioned earlier...
You really want to avoid lm as it is very weak [even to hash sniffing]
and also disable lm hash storage on your domain controllers and even domain
members if not needed for W9X clients.

What would be a good way to determine that this is happening? I would like
to be able to justify the setting change. Is there any tool I can use to
test this transmission between workstations or workstation and server?

Thanks.

GX
 
S

Steven L Umbach

You would need to use something like LC4 or perhaps a network sniffer like
Ethereal to capture authentication packets. At the very least you should
change domain and domain controller policy to "send ntlmv2 responses only"
and then the only way you would have lm on your network is if you had a W9X
computer trying to access resources. Even in default security option
settings the W2K/XP/w2003 computers will be using no less secure than ntlm
on a network such as yours that does not have any W9X clients and downlevel
authentication should be used rarely anyhow if only domain accounts are used
to access resources. Enable auditing of account logons for your domain
controllers and I bet you see everything being authenticated via kerberos
for the W2K/XP/W2003 machines. --- Steve
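
To put numbers behind the justification GX asks for, here is an added example (not code from the thread) that tallies the "Authentication Package" field of exported logon audit records, which is what Steve's suggestion of auditing account logon/logon events on the domain controllers gives you. The records are constructed and flattened to one line each with fields joined by "|"; the real Event Viewer message is multi-line, so the field layout is an assumption for this example. It reports Kerberos vs NTLM totals, workstations that never authenticated with Kerberos (the candidates for the IP-address or clock-skew fallback from earlier in the thread), and logons with non-domain accounts, which cannot use Kerberos in the first place. The audit log only tells Kerberos from NTLM; telling LM from NTLM from NTLMv2 is where Steve's packet capture comes in.

```python
"""Tally Kerberos vs NTLM logons from exported 'Audit logon events' records.

Added example, not from the thread. Input is a constructed, flattened export:
one record per line, message fields joined with '|'. Real Event Viewer messages
are multi-line; this layout is an assumption made so the example runs offline.
"""
from collections import Counter, defaultdict

DOMAIN = "CORP"  # assumed NetBIOS domain name for the constructed sample

# Constructed sample records (event 540 = successful network logon on W2K/W2003).
SAMPLE_RECORDS = """\
2004-03-02 08:01:12|540|User Name: gx|Domain: CORP|Logon Type: 3|Authentication Package: Kerberos|Workstation Name: WS-IT01
2004-03-02 08:01:40|540|User Name: gx|Domain: CORP|Logon Type: 3|Authentication Package: NTLM|Workstation Name: WS-IT01
2004-03-02 08:02:03|540|User Name: svc_backup|Domain: CORP|Logon Type: 3|Authentication Package: NTLM|Workstation Name: BKUP02
2004-03-02 08:05:55|540|User Name: jdoe|Domain: CORP|Logon Type: 3|Authentication Package: Kerberos|Workstation Name: WS-FIN07
2004-03-02 08:06:10|540|User Name: ADMIN|Domain: W2KSRV01|Logon Type: 3|Authentication Package: NTLM|Workstation Name: WS-FIN07
2004-03-02 08:09:31|540|User Name: jdoe|Domain: CORP|Logon Type: 3|Authentication Package: Kerberos|Workstation Name: WS-FIN07
"""


def parse_records(text):
    """Turn each flattened line into a dict; every 'Key: Value' field becomes a key."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        rec = {"time": parts[0], "event_id": int(parts[1])}
        for field in parts[2:]:
            key, _, value = field.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def package_totals(records):
    """How many logons used each authentication package (Kerberos vs NTLM)."""
    return Counter(r["Authentication Package"] for r in records)


def ntlm_only_workstations(records):
    """Workstations that never authenticated with Kerberos.

    A domain member that only ever falls back to NTLM is worth a look: access by
    IP address instead of host name, or a clock skew over five minutes, are the
    causes named in the thread.
    """
    packages = defaultdict(set)
    for r in records:
        packages[r["Workstation Name"]].add(r["Authentication Package"])
    return sorted(ws for ws, seen in packages.items() if "Kerberos" not in seen)


def local_account_logons(records, domain=DOMAIN):
    """Logons with an account that is not a domain account.

    Kerberos only applies to domain accounts, so these will always be NTLM; they
    are the 'downlevel authentication' the thread says should be rare.
    """
    return [(r["Domain"], r["User Name"], r["Workstation Name"])
            for r in records if r["Domain"].upper() != domain.upper()]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("By package:", dict(package_totals(recs)))
    print("Workstations never seen using Kerberos:", ntlm_only_workstations(recs))
    print("Local-account logons (NTLM expected):", local_account_logons(recs))
```

On the constructed data this shows half the logons on NTLM, one backup host that never used Kerberos, and one local-account logon to a member server. The first number is what justifies raising the level; the second list is what to fix (host names instead of IP addresses, clock sync) so the NTLM count drops before the stricter setting goes in.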


Oli Restorick [MVP]

Steven,

Thanks. Some great info there.

Oli


Steven L Umbach

Thanks Oli! Just trying to help spread the knowledge like you and so many others
do. --- Steve
