Presentation on theme: "Experience with NTLM v2 on Win2K in NT 4.0 Domain Myung Bang Jefferson Lab Hepix-HepNT 2000 October 31, 2000."— Presentation transcript:
Experience with NTLM v2 on Win2K in NT 4.0 Domain Myung Bang Jefferson Lab Hepix-HepNT 2000 October 31, 2000
2 Authentication Protocols NT uses 3 different authentication protocols –Lan Manager (LM) Hash –NTLM –NTLM v2
3 Explanation of Auth. Protocols LanMan Hash –Introduced for backward compatibility (Win95, Win 3x, DOS and OS2) –Uses a Challenge/Response mechanism –Algorithm allows passwords to be attacked in 7 character chunks
4 Explanation of Auth. Protocols (cont.) NTLM –Improves security for connection between NT Clients and Servers –Supports Session Security mechanism for message confidentiality (encryption) and Integrity (signing) –Takes advantage of all 14 characters in the password and allows lower case letters –The key-space for password-derived key is 56 bits.
5 Explanation of Auth. Protocols (cont.) NTLM v2 –Most improved version of NTLM on both authentication and session security mechanism –Available from Service Pack 4 or later –Enhanced implementation of NTLM Security Service Provider (SSP) –Allows clients and servers to require the negotiation of message confidentiality, message integrity, 128 bit encryption and NTLM v2 session security –The key space for password-derived key is 128 bits
6 Goal Get rid of LanMan Hash and NTLM from the network All clients using the same authentication, NTLM v2 –All Clients, LM Compatibility Level 3 –All member servers, LM Compatibility Level 3 –All Domain Controllers, LM Compatibility Level 5
7 Definition of Levels 0 - Sends LM and NTLM response; never use NTLMv2 session security. Clients will use LM and NTLM authentication, and never use NTLMv2 session security. Domain controllers will accept LM, NTLM and NTLMv2 authentication. 1 - Uses NTLMv2 session security if negotiated. Clients will use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM and NTLMv2 authentication. –Bug: according to the documentation, Level 1 still sends the LM response in place of NTLM when possible. 2 - Sends NTLM response only. Clients will only use NTLM authentication, and uses NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM and NTLMv2 authentication.
8 Definition of Levels (Cont.) 3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication, use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM and NTLMv2 authentication. 4 - Domain controller refuses LM responses. Clients will use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication (instead, it accepts NTLM and NTLMv2). 5 - Domain controller refuses LM and NTLM responses (accepts only NTLMv2). Clients will use NTLMv2 authentication, use NTLMv2 session security if the server supports it. Domain controller refuses NTLM and LM authentication (accepts only NTLMv2).
10 Requirements for using NTLM2 Windows NT 4.0 –Service Pack 4 or better Windows 2000 –Windows 2000 High Encryption Pack Win 9x –Patch from Windows 2000 CD called Dsclient.exe (per Article ID: Q239869) All Systems need to modify their Registry Settings
13 NTLM Security Service Provider (SSP) NtlmMinClientSec and NtlmMinServerSec 0x Message integrity 0x Message confidentiality 0x NTLM 2 session security 0x bit encryption 0x bit encryption Total:
14 Consideration of using NTLM2 During the installation of new clients, they can not join the domain because they are still in the Service Pack 1 If you are using the Wipe & Load installation and source of setup files are in the domain, DOS client can not connect to the source files.
15 NTLM v2 Testing Results All DCs LMCompatibility Level 5 (Accepts NTLM v2 only) All Clients (Win 9x, NT 4.0 SP6a, Win2K) with LMCompatibility Level 3 Results: –Win 9x: authenticated and access all servers –NT 4.0: authenticated and access all servers –Win2K: authenticated but can not access any servers
16 NTLM v2 Testing Results (cont.) DC LevelWin2K LevelResults 00, 1, 2Auth. to DC & access to svrs 03Auth. to DC & No access to svrs 40, 1, 2Auth. to DC & access to svrs 43Auth. to DC & No access to svrs 50, 2No Auth. 51, 3Auth. to DC & No access to svrs
17 Summary If you are using NT 4.0 Domain controllers with mix of Windows (9x, NT and Win2K) machines, you can not use pure NTLM v2. –Microsoft is aware of this problem and working on patches (NTBUGTRAQ report on 9/29/00) In Windows NT 4.0 Domain (levels that work) –All DCs, LMCompatibilityLevel 4 –All Win 9x and NT, LMCompatibilityLevel 3 –All Win2K, LMCompatibilityLevel 2
18 Point to ponder When all clients are in LMCompatibilityLevel 3 (NTLM v2): –NT to NT: authenticated –9x to NT: authenticated –NT to Win2K: authenticated –Win2K to NT: No access –NetApp File Server Version 5.36R1P1 (Vendor said their product can not talk NTLM v2) but NT and 9x with Level 3 can gain access when Win2k can not. Now, whose bug is it? Is it a NT or Win2K bug?
19 Conclusion Security is one of the top priorities in any Computing environment. We need to do whatever we can do to make our environment more secure. If you are in mixed environment like Jefferson Lab, the least you should do is get rid of LanMan Hash until Microsoft solves Win2K with NTLM v2 problem.