The various Windows operating systems perform authentication using
several different methods. Some older methods have been shown to be
weaker than others.
To meet Critical Host compliance requirements, start by understanding
the authentication methods that can exist in your environment. Then
either choose a configuration that is already compliant or decide what
change to your configuration is needed.
Note: Any machine running Windows 98 or better can run MIT Kerberos
client software. Any campus Kerberos service that authenticates against
the ISC-maintained Kerberos KDC will work fine for those machines.
MS Authentication Methods

Source: Microsoft Knowledge Base article Q239869, "How to Enable NTLM 2
Authentication for Windows 95/98/2000 and NT".
Abbreviation -- Long Name
    Comments

LM -- LAN Manager Challenge/Response
    The only option available in original Win 95. Described by MS as
    "vulnerable to widely published attacks for obtaining user passwords".

NTLM -- NTLMv1; NT LAN Manager version 1
    Dates to Windows NT. Described by MS as "vulnerable to widely published
    attacks for obtaining user passwords".

NTLMv2 -- NT LAN Manager version 2
    Introduced with NT SP4, native in Win2000, and added to Win9x. To enable
    it on Win9x, install "the Directory Services Client from the Windows
    2000 CD-ROM." From the article: "After you upgrade all Windows 95/98 and
    Windows NT 4.0 computers, you can greatly improve your organization's
    security by configuring clients, servers, and domain controllers to use
    only NTLM 2 (not LM or NTLM)." This authentication is resistant to
    cracking by L0phtCrack tools. Use with Dsclient.exe on Win9x;
    instructions are included in the article referenced above. First install
    IE 4.x or 5.x for 128-bit security.

MS-krb -- Microsoft Kerberos 5
    Kerberos-aware versions are Windows 2000 and Windows XP. Microsoft
    enhanced MIT's Kerberos to include authorization information as well as
    authentication information; it uses the Active Directory (AD) to
    determine each connection's authorization.
Possible Environments and Possible Options

For each Windows OS mix below (the OS of the domain server, and whether each
client OS must be permitted to access the MS domain), the entry lists your
compliance options. M = "Must", MN = "Must Not", NE = "No effect on your
options".

Domain server: Windows 2000
    Windows 98: MN
    Windows NT: MN
    Windows 2000 / Windows XP: M
  Compliance options:
    - Exclusive MSkrb authentication using the PennKey KDC is possible.
    - Exclusive MSkrb authentication using AD is possible.
    - Exclusive NTLMv2 domain authentication is possible.
    If, say, a visitor wants to install a Win98 laptop, they will not be able
    to authenticate to the domain. The server Registry values
    LMCompatibilityLevel and NtlmMinClientSec determine whether NTLMv2 is
    merely allowed or mandated. See the referenced document, above, for full
    details.

Domain server: Windows 2000, all hosts in default configuration
    Windows 98 / Windows NT: M, one or both
    Windows 2000 / Windows XP: NE
  Compliance options:
    - Exclusive MSkrb authentication, with or without the PennKey KDC, is not
      possible, since Win98 and WinNT don't speak MS Kerberos.
    - Exclusive NTLMv2 domain authentication is not possible if Win98 must be
      supported.
    - LM or NTLMv1 domain authentication is the fallback: the lowest common
      denominator, but low-security authentication.

Domain server: Windows 2000, all hosts in enhanced configuration
    Windows 98 / Windows NT: M, one or both
    Windows 2000 / Windows XP: NE
  Compliance options:
    - Exclusive MSkrb authentication, with or without the PennKey KDC, is not
      possible, since Win98 and WinNT don't speak MS Kerberos.
    - Exclusive NTLMv2 is possible. The enhanced configuration requires
      installing patches to upgrade the authentication components on each
      host that will use the MS domain. Registry keys must be set to
      determine when LM/NTLMv1 or NTLMv2 are mandatory or merely allowed.
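The two Registry values named in the entries above decide whether a host merely allows NTLMv2 or mandates it. As an added example (not from this page and not from Microsoft's article), the following PowerShell script reads LMCompatibilityLevel and the NtlmMinClientSec / NtlmMinServerSec flags, reports which of the "allowed" or "mandated" states the host is actually in, and with -Enforce writes the NTLMv2-only configuration. The Registry paths, value names, level meanings and flag bits are the documented ones; the function names Get-NtlmPolicy and Set-NtlmV2Only, the -Enforce switch and the state labels are this example's own.

```powershell
# Added example, not part of the original page. Audits (and with -Enforce,
# sets) the Lsa Registry values that decide whether NTLMv2 is merely allowed
# or mandated on this host. Paths, value names, level meanings and flag bits
# are the documented ones; the function names, the -Enforce switch and the
# state labels are this example's own. Run from an elevated PowerShell;
# changes take effect after a reboot.
param([switch]$Enforce)

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = "$LsaKey\MSV1_0"

# Documented meanings of LMCompatibilityLevel (0 is the default when absent).
$LevelMeaning = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; domain controller refuses LM'
    5 = 'Send NTLMv2 only; domain controller refuses LM and NTLM'
}

# Documented flag bits for NtlmMinClientSec / NtlmMinServerSec.
$NtlmV2SessionSecurity = 0x20000000
$Ntlm128BitEncryption  = 0x00080000

function Get-DwordOrZero([string]$Path, [string]$Name) {
    # A value that has never been set is absent from the Registry; treat as 0.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Get-NtlmPolicy {
    $level  = Get-DwordOrZero $LsaKey   'LMCompatibilityLevel'
    $client = Get-DwordOrZero $Msv10Key 'NtlmMinClientSec'
    $server = Get-DwordOrZero $Msv10Key 'NtlmMinServerSec'

    # Classify what this host's settings actually require of a session.
    $state = if ($level -ge 5) {
        'Mandated: host sends only NTLMv2; as a DC it refuses LM and NTLMv1'
    } elseif ($level -eq 4) {
        'Mandated for outbound: host sends only NTLMv2; as a DC it refuses LM but still accepts NTLMv1'
    } elseif ($level -eq 3) {
        'Mandated for outbound: host sends only NTLMv2; as a DC it still accepts LM and NTLMv1'
    } elseif (($client -band $NtlmV2SessionSecurity) -ne 0) {
        'Partly mandated: NTLMv2 session security required, but LM/NTLMv1 responses are still sent'
    } else {
        'Merely allowed: LM/NTLMv1 responses are sent; NTLMv2 is used only if the peer negotiates it'
    }

    [pscustomobject]@{
        LMCompatibilityLevel = $level
        LevelMeaning         = $LevelMeaning[$level]
        NtlmMinClientSec     = '0x{0:X8}' -f $client
        NtlmMinServerSec     = '0x{0:X8}' -f $server
        ClientRequires128Bit = (($client -band $Ntlm128BitEncryption) -ne 0)
        NTLMv2State          = $state
    }
}

function Set-NtlmV2Only {
    # Level 5 plus NTLMv2 session security and 128-bit encryption on both the
    # client and the server side: the strict end of the documented settings.
    # New-ItemProperty -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $LsaKey -Name LMCompatibilityLevel -Value 5 `
        -PropertyType DWord -Force | Out-Null
    $flags = $NtlmV2SessionSecurity -bor $Ntlm128BitEncryption
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        New-ItemProperty -Path $Msv10Key -Name $name -Value $flags `
            -PropertyType DWord -Force | Out-Null
    }
}

Write-Host 'Current NTLM policy:'
Get-NtlmPolicy | Format-List

if ($Enforce) {
    Set-NtlmV2Only
    Write-Host 'Applied NTLMv2-only settings; reboot for them to take effect. New values:'
    Get-NtlmPolicy | Format-List
}
```

Run it without arguments on each host first to see which state the table's "merely allowed or mandated" distinction puts it in; only run it with -Enforce once every Win9x/NT host that must reach the domain has the Directory Services Client and NTLMv2 patches described above, since at level 5 a domain controller refuses LM and NTLMv1 logons outright.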