LM/NTLMv1 Retirement Hosted by LSP Services
What is LM LM stands for LAN Manager Used by Windows 95, 98 ME, NT and is now considered to be a legacy protocol LM is an authentication protocol that uses a particularly weak method of hashing a user's password known as the LM hash algorithm
What is NTLMv1 Abbreviation for “Windows NT LAN Manager” NTLM uses a challenge-response mechanism for authentication Clients are able to prove their identities without sending a password to the server.
Retire Support for LM/NTLMv1 UITS will retire support for both LAN Manager (LM) and NT LAN Manager Version 1 (NTLMv1) authentication protocols by May 22, 2006. After these protocols are disabled, the only authentication protocols accepted by the ADS Domain Controllers will be NTLMv2 and Kerberos. The protocols will not be blocked on the network
Why Retire LM and NTLMv1 Recent improvements in computer hardware and software algorithms have made both LM and NTLMv1 protocols vulnerable to widely published attacks for obtaining user passwords RainbowCrack John the Ripper Proactive Password Explorer SAMInside
How will the Change be Implemented Two Policies will need to set the LM compatibility level to “NTLMv2 response only\refuse LM and NTLM” (Level 5). The first policy to change will be the Default Domain policy. On May 15th, 2006, the project team will set the LM compatibility level to “NTLMv2 response only\refuse LM and NTLM” (Level 5). This will change the default security setting on all Windows workstations and servers in the ADS domain that receive the Default Domain policy. One week later, on May 22, 2006, the Default Domain Controller Policy will be set to "NTLMv2 response only\refuse LM and NTLM” (Level 5). This means that only NTLMv2 authentication will be allowed in our domain. This will effectively disable LM/NTLMv1 use by Windows systems connected to the ADS domain.
LM Compatibility Level Group Policy Name Sends Accepts Prohibits Sending Send LM and NTLM LM, NTLM LM,NTLM, NTLMv2 NTLMv2 1 Send LM and NTLM use NTLMv2 session security if negotiated 2 Send NTLM response only NTLM LM, NTLMv2 3 Send NTLMv2 response only LM, NTLMv1 4 Send NTLMv2 response only/refuse LM NTLM, NTLMv2 LM 5 Send NTLMv2 response only/refuse LM and NTLM LM NTLMv1
When do you use NTLM Creating a new Outlook Profile Accessing a resource on an Active Directory domain member using an IP address rather than a host name Accessing a resource on a windows computer that is not a member of an Active Directory domain Accessing any resource on a Windows-based computer from a computer running Windows 9x or Windows NT 4.0 Accessing any resource on a Windows-based computer from third-party operating system or application that does not support Kerberos
Other Common Authentication Methods Basic Authentication Webpage Authentication (over SSL) Entourage Kerberos Authentication CAS Webmail Windows Domain Logon (IU.EDU) File Shares (SMB) using DNS Host Name Outlook 2003 to Exchange 2003
Known Issues Local machine account access could fail after May 15th Understanding how Outlook works with NTLMv2 Unattended Setup of XP will fail to join the domain if SP2 is not slipstreamed A user is not successfully authenticated when NTLMv2 authentication is used on a Windows Server 2003-based IAS server Windows machines that do not receive the default domain policy may not be able to access resources that require NTLMv2 authentication OS X version 10.3 does not support NTLMv2 Windows 9x/Me computers will be unable to authenticate to the ADS domain Outlook 2001 does not support NTLMv2 and will no longer be usable Clustered computers running versions of Windows prior to Windows Server 2003 Service Pack 1 will break Windows NT 4.0 and support status Versions of Samba prior to 3.0.21 will not support NTLMv2
Understanding How Outlook Works with NTLMv2 How Will Outlook 2001 be Affected by This Change? Outlook 2001 will no longer be useable Use Entourage as a replacement Basic Authentication over SSL Use Outlook Web Access
Understanding How Outlook Works with NTLMv2 How will Outlook XP/2002 and 2003 be Affected by this Change? Create a new Profile Log into a Profile Outlook 2003 No Yes Outlook XP/2002
OS X version 10.3 does not support NTLMv2 Used to access SMB Shares and more Can force OS X to use Kerberos when authenticating to an SMB share see document: http://kb.iu.edu/data/atse.html Microsoft User Authentication Module (UAM) 10.1 will support NTLMv2
Local Machine Account Local machine account access could fail after May 15th Change the LM Compatibility level on the client machine How can I use the local security settings to force NTLMv2? Change the LM Compatibility level on the client server How can I use a GPO to force NTLMv2? How do I override settings in the Default Domain Policy for my OU?
IUB and IUPUI VPN Access Client Machines us MSCHAPv2 to communicate to the VPN server The VPN Server communicates using NTLMv2 to a ADS Domain Controller Note MSCHAP does break in a NTLMv2 only Environment
Who Could be Affected by this Change Machines that are not part of the ADS domain will not receive the Default Domain Policy and will not have their LM Compatibility Level set to 5. This includes home and laptop computers. Machines located in an OU that is blocking the Default Domain Policy will not have their LM Compatibility Level set to 5. Third-party operating system or application
IU Windows Authentication Update The IU Windows Authentication Update will configure your Windows 2000 (or higher) computer to disable insecure LM (LanManager) and NTLMv1 authentication protocols IUWare does use CAS for Authentication
Request a Testing OU UITS Messaging has set up a test domain (mssgtest.iu.edu) with both LM and NTLMv1 protocols disabled We strongly encourage you to leverage this domain to test how your applications and services will behave in an NTLMv2 only environment
Thank You! Questions? Conatact Info: lsps@iu.edu More Information: https://lsps.iu.edu