Experience with NTLM v2 on Win2K in NT 4.0 Domain Myung Bang Jefferson Lab Hepix-HepNT 2000 October 31, 2000.

2 Authentication Protocols
NT uses 3 different authentication protocols:
– Lan Manager (LM) Hash
– NTLM
– NTLM v2

3 Explanation of Auth. Protocols
LanMan Hash
– Introduced for backward compatibility (Win95, Win 3x, DOS and OS2)
– Uses a Challenge/Response mechanism
– Algorithm allows passwords to be attacked in 7 character chunks

4 Explanation of Auth. Protocols (cont.)
NTLM
– Improves security for connection between NT clients and servers
– Supports Session Security mechanism for message confidentiality (encryption) and integrity (signing)
– Takes advantage of all 14 characters in the password and allows lower case letters
– The key space for the password-derived key is 56 bits

5 Explanation of Auth. Protocols (cont.)
NTLM v2
– Most improved version of NTLM on both authentication and session security mechanism
– Available from Service Pack 4 or later
– Enhanced implementation of NTLM Security Service Provider (SSP)
– Allows clients and servers to require the negotiation of message confidentiality, message integrity, 128 bit encryption and NTLM v2 session security
– The key space for the password-derived key is 128 bits

6 Goal
Get rid of LanMan Hash and NTLM from the network
All clients using the same authentication, NTLM v2
– All clients, LM Compatibility Level 3
– All member servers, LM Compatibility Level 3
– All Domain Controllers, LM Compatibility Level 5

7 Definition of Levels
0 - Sends LM and NTLM response; never uses NTLMv2 session security. Clients will use LM and NTLM authentication, and never use NTLMv2 session security. Domain controllers will accept LM, NTLM and NTLMv2 authentication.
1 - Uses NTLMv2 session security if negotiated. Clients will use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM and NTLMv2 authentication.
– Bug: according to the documentation, Level 1 still sends the LM response in place of NTLM when possible.
2 - Sends NTLM response only. Clients will only use NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM and NTLMv2 authentication.

8 Definition of Levels (cont.)
3 - Sends NTLMv2 response only. Clients will use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM and NTLMv2 authentication.
4 - Domain controller refuses LM responses. Clients will use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication (instead, it accepts NTLM and NTLMv2).
5 - Domain controller refuses LM and NTLM responses (accepts only NTLMv2). Clients will use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controller refuses NTLM and LM authentication (accepts only NTLMv2).

9 Summary of Definition Levels
[Table: protocols (LM, NTLM, NTLM v2) by level, marking which responses clients send and which domain controllers receive]

10 Requirements for using NTLM2
Windows NT 4.0
– Service Pack 4 or better
Windows 2000
– Windows 2000 High Encryption Pack
Win 9x
– Patch from Windows 2000 CD called Dsclient.exe (per Article ID: Q239869)
All systems need to modify their Registry settings

11 NTLM v2 Registry setting - Clients
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\LSA
– Value Name: LMCompatibilityLevel
– Data Type: REG_DWORD
– Value: 3
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\LSA\MSV1_0
– Value Name: NtlmMinClientSec
– Data Type: REG_DWORD
– Value:
– Value Name: NtlmMinServerSec
– Data Type: REG_DWORD
– Value:

12 NTLM v2 Registry setting - DCs
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\LSA
– Value Name: LMCompatibilityLevel
– Data Type: REG_DWORD
– Value: 5
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\LSA\MSV1_0
– Value Name: NtlmMinClientSec
– Data Type: REG_DWORD
– Value:
– Value Name: NtlmMinServerSec
– Data Type: REG_DWORD
– Value:

13 NTLM Security Service Provider (SSP)
NtlmMinClientSec and NtlmMinServerSec
– 0x Message integrity
– 0x Message confidentiality
– 0x NTLM 2 session security
– 0x bit encryption
– 0x bit encryption
Total:

14 Considerations when using NTLM2
During installation, new clients cannot join the domain because they are still at Service Pack 1.
If you are using the Wipe & Load installation and the source of the setup files is in the domain, the DOS client cannot connect to the source files.

15 NTLM v2 Testing Results
All DCs: LMCompatibilityLevel 5 (accepts NTLM v2 only)
All clients (Win 9x, NT 4.0 SP6a, Win2K): LMCompatibilityLevel 3
Results:
– Win 9x: authenticated and access all servers
– NT 4.0: authenticated and access all servers
– Win2K: authenticated but can not access any servers

16 NTLM v2 Testing Results (cont.)
DC Level   Win2K Level   Results
0          0, 1, 2       Auth. to DC & access to svrs
0          3             Auth. to DC & No access to svrs
4          0, 1, 2       Auth. to DC & access to svrs
4          3             Auth. to DC & No access to svrs
5          0, 2          No Auth.
5          1, 3          Auth. to DC & No access to svrs
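The level definitions on slides 7 and 8 can be written down as data and compared with the Win2K results on slide 16. This is an added example, not part of the original presentation; the names `CLIENT_SENDS`, `DC_ACCEPTS`, `OBSERVED_WIN2K`, `usable_protocols`, `deviations` and `audit` are illustrative, and the host inventory is constructed.

```python
# Added example: level definitions (slides 7-8) as data, compared with the
# Win2K results (slide 16). All names are illustrative, not a Microsoft API.
ALL = frozenset({"LM", "NTLM", "NTLMv2"})

# Authentication responses a client sends at each LMCompatibilityLevel.
CLIENT_SENDS = {0: {"LM", "NTLM"}, 1: {"LM", "NTLM"}, 2: {"NTLM"},
                3: {"NTLMv2"}, 4: {"NTLMv2"}, 5: {"NTLMv2"}}

# Responses a domain controller accepts at each level.
DC_ACCEPTS = {0: ALL, 1: ALL, 2: ALL, 3: ALL,
              4: {"NTLM", "NTLMv2"}, 5: {"NTLMv2"}}

# Slide 16 transcribed: (DC level, Win2K level) -> (authenticated, server access)
OBSERVED_WIN2K = {
    (0, 0): (True, True), (0, 1): (True, True), (0, 2): (True, True),
    (0, 3): (True, False),
    (4, 0): (True, True), (4, 1): (True, True), (4, 2): (True, True),
    (4, 3): (True, False),
    (5, 0): (False, False), (5, 2): (False, False),
    (5, 1): (True, False), (5, 3): (True, False),
}

def usable_protocols(client_level, dc_level):
    """Responses the client sends that the DC is configured to accept."""
    return set(CLIENT_SENDS[client_level]) & set(DC_ACCEPTS[dc_level])

def deviations():
    """(dc, client, predicted, observed) where DC authentication differs."""
    found = []
    for (dc, client), (authenticated, _access) in sorted(OBSERVED_WIN2K.items()):
        predicted = bool(usable_protocols(client, dc))
        if predicted != authenticated:
            found.append((dc, client, predicted, authenticated))
    return found

def audit(hosts, dc_level):
    """Flag hosts that still send LM or that the DC is defined to refuse."""
    findings = []
    for name, level in hosts:
        if not usable_protocols(level, dc_level):
            findings.append((name, "refused by DC"))
        elif "LM" in CLIENT_SENDS[level]:
            findings.append((name, "sends LM response"))
    return findings

if __name__ == "__main__":
    # Constructed inventory: (host name, LMCompatibilityLevel).
    sample = [("nt4-ws", 3), ("w2k-ws", 2), ("legacy-ws", 0)]
    print(audit(sample, dc_level=4))
    print(deviations())
```

The definitions only predict authentication to the DC, so the "No access to svrs" outcomes are outside this model. On the transcribed results, the one pair whose DC authentication differs from the definitions is DC level 5 with Win2K level 1.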

17 Summary
If you are using NT 4.0 Domain controllers with a mix of Windows (9x, NT and Win2K) machines, you can not use pure NTLM v2.
– Microsoft is aware of this problem and working on patches (NTBUGTRAQ report on 9/29/00)
In a Windows NT 4.0 Domain (levels that work):
– All DCs, LMCompatibilityLevel 4
– All Win 9x and NT, LMCompatibilityLevel 3
– All Win2K, LMCompatibilityLevel 2

18 Point to ponder
When all clients are at LMCompatibilityLevel 3 (NTLM v2):
– NT to NT: authenticated
– 9x to NT: authenticated
– NT to Win2K: authenticated
– Win2K to NT: No access
– NetApp File Server Version 5.36R1P1 (vendor said their product can not talk NTLM v2), but NT and 9x with Level 3 can gain access when Win2K can not.
Now, whose bug is it? Is it an NT or a Win2K bug?

19 Conclusion
Security is one of the top priorities in any computing environment. We need to do whatever we can to make our environment more secure.
If you are in a mixed environment like Jefferson Lab, the least you should do is get rid of LanMan Hash until Microsoft solves the Win2K with NTLM v2 problem.