[isalist] Re: NTLMv2 Auth Listener

  • From: Jerry Young <jerrygyoungii@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Tue, 12 Jan 2010 08:41:27 -0500

If you only ever want to see NTLMv2 authentication traffic, you'll want to
make sure your policy setting for the LAN Manager authentication level is
set to "Send NTLMv2 response only/refuse LM & NTLM".  Otherwise, domain
controllers will still accept LM and NTLM authentication from the server;
the client itself (assuming it has the policy) should only use NTLMv2
authentication.

It gets murky for me when you're using a proxy, since I'm not sure it
technically constitutes a "client" when it's passing credentials onward to
the domain controller, so the "Send NTLMv2 response only/refuse LM & NTLM"
setting should remove any worry of that.

Of course, this same setting needs to be applied to all three computers
(client, proxy, and domain controller).

Here's a fairly verbose Knowledge Base article that goes into more depth.

http://support.microsoft.com/kb/823659

On Tue, Jan 12, 2010 at 1:06 AM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

>  ISA and TMG call Windows standard SSPI mechanisms.
>
> Since it’s within these mechanisms that NTLMv# is enforced, however you
> configure Windows is how ISA/TMG will behave.
>
> ..just like limiting SChannel to SSLv3 or TLS or 128-bit ciphers; we let
> SChannel and SSPI do its tang.
>
>
>
> Us don bee reinventing dem weelz, no.
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Thor (Hammer of God)
> *Sent:* Monday, January 11, 2010 7:18 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] NTLMv2 Auth Listener
>
>
>
> If I have a listener requiring NTLM or a proxy requiring Windows Integrated
> Authentication, and I have the policy set to require NTLMv2, that is
> enforced and used, correct?  Specifically, if I have an Integrated auth proxy
> listener requiring authentication, and I enter my domain\username and
> password, that particular pair is used for NTLMv2 auth, and it is thus "immune"
> from Rainbow Table attacks (unless, of course, CUSTOM rainbow tables were
> generated with all known domains).  Just making sure, as I'm seeing what
> looks like Negotiate NTLMv2 auth against my internal proxy listener, which
> makes me a happy boy, and I am making a point against Rainbow Table
> attacks.    And no Greg, this "rainbow table" is quite different than where
> you normally sit in Aussie bars.
>
>
>
> t
>
>
>
> ____________________
>
> *Timothy (Thor) Mullen*
>
> *thor@xxxxxxxxxxxxxxx*
>
> *www.hammerofgod.com*
>
> *Air:* 831-706-7712
>
> *Land:* 831-708-THOR
>
> *C:* int main() {string Cell = "831-706-7712";return 0;}
>
>
>
>



-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com
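The point Thor is relying on, and that Jerry's policy setting enforces, is easiest to see in the math of the response itself. The Python below is an added example, not code from this thread or from ISA/TMG: it computes NTOWFv2 and an NTLMv2 response the way MS-NLMP defines them and then verifies the response the way the authenticating side would. MD4 is implemented inline because many hashlib builds no longer ship it; the server challenge, client nonces, zero timestamp and empty target-info blob are constructed sample values, and the only value taken from outside is MS-NLMP's published NTOWFv2 test vector for user "User", domain "Domain", password "Password".

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included because OpenSSL 3 builds of
    hashlib usually omit the legacy md4 algorithm."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                  # round 1: F
            s = (3, 7, 11, 19)[i % 4]
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK32, s)
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 2: G
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK32, s)
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                                  # round 3: H
            s = (3, 9, 11, 15)[i % 4]
            a = _rotl((a + (b ^ c ^ d) + x[order[i]] + 0x6ED9EBA1) & MASK32, s)
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. Unsalted, so one precomputed
    table covers every user in every domain."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain.
    The user/domain acts as a salt, which is why a table would have to be
    built per user and domain (Thor's "custom rainbow tables")."""
    salt = (user.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash(password), salt, hashlib.md5).digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: int, target_info: bytes) -> bytes:
    """NTLMv2 response = NTProofStr || temp. The server challenge, the
    client nonce and the timestamp all feed the HMAC, so the response
    cannot be precomputed before the challenge is seen."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(key: bytes, server_challenge: bytes, response: bytes) -> bool:
    """What the authenticating side (ultimately the DC) does: recompute
    NTProofStr over the received temp blob and compare in constant time."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    key = ntowf_v2("Password", "User", "Domain")
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed
    for _ in range(2):
        # A fresh client nonce each time: same user, password, domain and
        # server challenge, yet a different NTProofStr on the wire.
        resp = ntlmv2_response(key, server_challenge, os.urandom(8), 0, b"")
        print(resp[:16].hex(), verify_ntlmv2(key, server_challenge, resp))
```

Two things follow from the code. A captured NTLMv2 exchange is still crackable by brute force against that one user's password, since the attacker has everything needed to recompute the HMAC; what the salting and nonces remove is the ability to precompute a generic table. And the response is only as strong as the weakest method the DC will accept, which is Jerry's point: the policy he names is the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where 3 makes a machine send only NTLMv2 but still lets a DC accept LM and NTLM, and 5 is "Send NTLMv2 response only. Refuse LM & NTLM".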
