Presentation is loading. Please wait.

Presentation is loading. Please wait.

LM/NTLMv1 Retirement Hosted by LSP Services.

Published byJesse Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "LM/NTLMv1 Retirement Hosted by LSP Services."— Presentation transcript:

1 LM/NTLMv1 Retirement Hosted by LSP Services

2 What is LM LM stands for LAN Manager
Used by Windows 95, 98 ME, NT and is now considered to be a legacy protocol LM is an authentication protocol that uses a particularly weak method of hashing a user's password known as the LM hash algorithm

3 What is NTLMv1 Abbreviation for “Windows NT LAN Manager”
NTLM uses a challenge-response mechanism for authentication Clients are able to prove their identities without sending a password to the server.

4 Retire Support for LM/NTLMv1
UITS will retire support for both LAN Manager (LM) and NT LAN Manager Version 1 (NTLMv1) authentication protocols by May 22, 2006. After these protocols are disabled, the only authentication protocols accepted by the ADS Domain Controllers will be NTLMv2 and Kerberos. The protocols will not be blocked on the network

5 Why Retire LM and NTLMv1 Recent improvements in computer hardware and software algorithms have made both LM and NTLMv1 protocols vulnerable to widely published attacks for obtaining user passwords RainbowCrack John the Ripper Proactive Password Explorer SAMInside

6 How will the Change be Implemented
Two Policies will need to set the LM compatibility level to “NTLMv2 response only\refuse LM and NTLM” (Level 5). The first policy to change will be the Default Domain policy. On May 15th, 2006, the project team will set the LM compatibility level to “NTLMv2 response only\refuse LM and NTLM” (Level 5). This will change the default security setting on all Windows workstations and servers in the ADS domain that receive the Default Domain policy. One week later, on May 22, 2006, the Default Domain Controller Policy will be set to "NTLMv2 response only\refuse LM and NTLM” (Level 5). This means that only NTLMv2 authentication will be allowed in our domain. This will effectively disable LM/NTLMv1 use by Windows systems connected to the ADS domain.

7 LM Compatibility Level
Group Policy Name Sends Accepts Prohibits Sending Send LM and NTLM LM, NTLM LM,NTLM, NTLMv2 NTLMv2 1 Send LM and NTLM use NTLMv2 session security if negotiated 2 Send NTLM response only NTLM LM, NTLMv2 3 Send NTLMv2 response only LM, NTLMv1 4 Send NTLMv2 response only/refuse LM NTLM, NTLMv2 LM 5 Send NTLMv2 response only/refuse LM and NTLM LM NTLMv1

8 When do you use NTLM Creating a new Outlook Profile
Accessing a resource on an Active Directory domain member using an IP address rather than a host name Accessing a resource on a windows computer that is not a member of an Active Directory domain Accessing any resource on a Windows-based computer from a computer running Windows 9x or Windows NT 4.0 Accessing any resource on a Windows-based computer from third-party operating system or application that does not support Kerberos

9 Other Common Authentication Methods
Basic Authentication Webpage Authentication (over SSL) Entourage Kerberos Authentication CAS Webmail Windows Domain Logon (IU.EDU) File Shares (SMB) using DNS Host Name Outlook 2003 to Exchange 2003

10 Known Issues Local machine account access could fail after May 15th
Understanding how Outlook works with NTLMv2 Unattended Setup of XP will fail to join the domain if SP2 is not slipstreamed A user is not successfully authenticated when NTLMv2 authentication is used on a Windows Server 2003-based IAS server Windows machines that do not receive the default domain policy may not be able to access resources that require NTLMv2 authentication OS X version 10.3 does not support NTLMv2 Windows 9x/Me computers will be unable to authenticate to the ADS domain Outlook 2001 does not support NTLMv2 and will no longer be usable Clustered computers running versions of Windows prior to Windows Server 2003 Service Pack 1 will break Windows NT 4.0 and support status Versions of Samba prior to will not support NTLMv2

11 Understanding How Outlook Works with NTLMv2
How Will Outlook 2001 be Affected by This Change? Outlook 2001 will no longer be useable Use Entourage as a replacement Basic Authentication over SSL Use Outlook Web Access

12 Understanding How Outlook Works with NTLMv2
How will Outlook XP/2002 and 2003 be Affected by this Change? Create a new Profile Log into a Profile Outlook 2003 No Yes Outlook XP/2002

13 OS X version 10.3 does not support NTLMv2
Used to access SMB Shares and more Can force OS X to use Kerberos when authenticating to an SMB share see document: Microsoft User Authentication Module (UAM) will support NTLMv2

14 Local Machine Account Local machine account access could fail after May 15th Change the LM Compatibility level on the client machine How can I use the local security settings to force NTLMv2? Change the LM Compatibility level on the client server How can I use a GPO to force NTLMv2? How do I override settings in the Default Domain Policy for my OU?

15 IUB and IUPUI VPN Access
Client Machines us MSCHAPv2 to communicate to the VPN server The VPN Server communicates using NTLMv2 to a ADS Domain Controller Note MSCHAP does break in a NTLMv2 only Environment

16 Who Could be Affected by this Change
Machines that are not part of the ADS domain will not receive the Default Domain Policy and will not have their LM Compatibility Level set to 5. This includes home and laptop computers. Machines located in an OU that is blocking the Default Domain Policy will not have their LM Compatibility Level set to 5. Third-party operating system or application

17 IU Windows Authentication Update
The IU Windows Authentication Update will configure your Windows 2000 (or higher) computer to disable insecure LM (LanManager) and NTLMv1 authentication protocols IUWare does use CAS for Authentication

18 Request a Testing OU UITS Messaging has set up a test domain (mssgtest.iu.edu) with both LM and NTLMv1 protocols disabled We strongly encourage you to leverage this domain to test how your applications and services will behave in an NTLMv2 only environment

19 Thank You! Questions? Conatact Info: lsps@iu.edu More Information:

Download ppt "LM/NTLMv1 Retirement Hosted by LSP Services."

Similar presentations

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Experience with NTLM v2 on Win2K in NT 4.0 Domain Myung Bang Jefferson Lab Hepix-HepNT 2000 October 31, 2000.

Experience with NTLM v2 on Win2K in NT 4.0 Domain Myung Bang Jefferson Lab Hepix-HepNT 2000 October 31, 2000.
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.

Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.
15.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

15.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal.
Network Shares and Accounts Sharing Printers, Drives, Folders – Setup Windows 95/98 Windows NT (2000, XP) Linux – Users – Groups.

Network Shares and Accounts Sharing Printers, Drives, Folders – Setup Windows 95/98 Windows NT (2000, XP) Linux – Users – Groups.
Chapter 5 Managing a Server. Overview  Server management  Examine networking models  Learn how users are authenticated  Manage users and groups 

Chapter 5 Managing a Server. Overview  Server management  Examine networking models  Learn how users are authenticated  Manage users and groups 
Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.

Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.
Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.

Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.
Module 11: Supporting Remote Users. Overview Establishing Remote Access Connections Connecting to Virtual Private Networks Configuring Authentication.

Module 11: Supporting Remote Users. Overview Establishing Remote Access Connections Connecting to Virtual Private Networks Configuring Authentication.
11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.

11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.
Group Policy in Microsoft Windows Active Directory.

Group Policy in Microsoft Windows Active Directory.
Using RADIUS Within the Framework of the School Environment Ed Register Consultant April 6, 2011.

Using RADIUS Within the Framework of the School Environment Ed Register Consultant April 6, 2011.
Windows 2003 and 802.1x Secure Wireless Deployments.

Windows 2003 and 802.1x Secure Wireless Deployments.
Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.

Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.

Similar presentations

Ads by Google