
Determining Your Compliance Options for Windows Domains


The various Windows operating systems perform authentication using several different methods. Some older methods have been shown to be weaker than others.

To meet Critical Host compliance requirements, start by understanding the authentication methods that can exist in your environment. Then choose a compliant configuration from those, or decide on the appropriate change to your configuration.

Note: Any machine running Windows 98 or better is able to run MIT Kerberos client software. Using any campus Kerberos services which authenticate to the ISC-maintained Kerberos KDC will work fine for those machines.

MS Authentication Methods

Source: Q239869: How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT

Abbrev. / Long Name / Comments

LM: Lan Manager Challenge/Response

    The only option available in original Win 95.

    Described by MS as "vulnerable to widely published attacks for obtaining user passwords".

NTLM: NTLMv1; NT Lan Manager version 1

    Introduced in NT 4; dates back to NT.

    Described by MS as "vulnerable to widely published attacks for obtaining user passwords".

NTLMv2: NT Lan Manager version 2

    Introduced with NT SP4, native in Win2000, and added to Win9x.

    To enable, install "the Directory Services Client from the Windows 2000 CD-ROM."

    "After you upgrade all Windows 95/98 and Windows NT 4.0 computers, you can greatly improve your organization's security by configuring clients, servers, and domain controllers to use only NTLM 2 (not LM or NTLM)."

    This authentication is resistant to cracking by L0phtCrack tools.

    Use with Dsclient.exe on Win9x -- instructions are included in the article referenced above. First install IE 4.x or 5.x for 128-bit security.

MS-krb: Microsoft Kerberos 5

    Kerberos-aware versions are Windows 2000 and Windows XP.

    Microsoft enhanced MIT's Kerberos to include authorization information as well as authentication information. It uses the Active Directory (AD) to see what each connection's authorization is.

Possible Environments and Possible Options

With a Windows OS mix such as this ... then your compliance options are ...

For each domain-server OS below, the entry for each client OS answers "Must this OS be permitted to access the MS domain?" (M = "Must", MN = "Must Not", NE = "No effect on your options").

OS of domain server: Windows 2000
    Windows 98: MN; Windows NT: MN; Windows 2000 / Windows XP: M

Compliance options:

    Exclusive MSkrb authentication using PennKey KDC is possible.

    Exclusive MSkrb authentication using AD is possible.

    Exclusive NTLMv2 domain authentication is possible.

    If, say, a visitor wants to install a Win98 laptop, they will not be able to authenticate to the domain. The server Registry values LMCompatibilityLevel and NtlmMinClientSec determine whether NTLMv2 is merely allowed or mandated. See the referenced document, above, for full details.

OS of domain server: Windows 2000, with all hosts in the default configuration
    Windows 98 / Windows NT: M, one or both; Windows 2000 / Windows XP: NE

Compliance options:

    Exclusive MSkrb authentication with or without PennKey KDC is not possible, since Win98 and WinNT don't speak MS Kerberos.

    Exclusive NTLMv2 domain authentication is not possible if Win98 must be supported.

    LM or NTLMv1 domain authentication is the fallback: the lowest common denominator, but low-security authentication.

OS of domain server: Windows 2000, with all hosts in the enhanced configuration
    Windows 98 / Windows NT: M, one or both; Windows 2000 / Windows XP: NE

Compliance options:

    Exclusive MSkrb authentication with or without PennKey KDC is not possible, since Win98 and WinNT don't speak MS Kerberos.

    Exclusive NTLMv2 is possible.

    The enhanced configuration requires installing patches to upgrade the authentication components on each host that will use the MS domain. Registry keys must be set to determine when LM/NTLMv1 or NTLMv2 are mandatory or merely allowed.
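The two Registry values named above (LMCompatibilityLevel, stored as LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and NtlmMinClientSec under the MSV1_0 subkey, alongside its companion NtlmMinServerSec) are what decide whether a host merely allows NTLMv2 or mandates it. The script below is an added example, not code from the Penn page or from Microsoft: it reads those values on the local host, translates them into the "allowed" versus "mandated" distinction the table uses, and offers an opt-in hardening function. The level meanings (0 through 5) and the session-security bit flags (0x10, 0x20, 0x80000, 0x20000000) are taken from Microsoft's documentation of these values; the function names are this example's own.

```powershell
# Added example (not from the Penn page or Microsoft): audit the LM/NTLM policy of
# the local host and, optionally, mandate NTLMv2. Run in an elevated PowerShell
# session on the domain server or client being checked.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# LmCompatibilityLevel (DWORD 0-5), per Microsoft's documentation.
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses; NTLMv2 session security never used'
    1 = 'Send LM & NTLM responses; NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; domain controllers refuse LM'
    5 = 'Send NTLMv2 response only; domain controllers refuse LM and NTLM'
}

# Bit flags in NtlmMinClientSec / NtlmMinServerSec (DWORD), per Microsoft's documentation.
$SecFlags = [ordered]@{
    MessageIntegrity       = 0x00000010
    MessageConfidentiality = 0x00000020
    Encryption128Bit       = 0x00080000
    NtlmV2SessionSecurity  = 0x20000000
}

function Read-DwordValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the value is absent, so the reader sees that the OS default applies.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int64]$item.$Name
}

function ConvertTo-SecFlagText {
    param($Value)
    # Decodes a NtlmMin*Sec bitmask into the named requirements it enforces.
    if ($null -eq $Value) { return '(not set: no minimum session security required)' }
    $set = foreach ($name in $SecFlags.Keys) {
        if (($Value -band $SecFlags[$name]) -ne 0) { $name }
    }
    if (-not $set) { return ('0x{0:X8} (no minimum)' -f $Value) }
    return ('0x{0:X8} = {1}' -f $Value, ($set -join ', '))
}

function Get-NtlmPolicyReport {
    # Reads the live settings and states whether NTLMv2 is merely allowed or mandated.
    $level     = Read-DwordValue -Key $LsaKey   -Name 'LmCompatibilityLevel'
    $minClient = Read-DwordValue -Key $Msv10Key -Name 'NtlmMinClientSec'
    $minServer = Read-DwordValue -Key $Msv10Key -Name 'NtlmMinServerSec'

    if ($null -eq $level) {
        $verdict = 'Not set: OS default applies (legacy systems default to 0, so LM/NTLMv1 are allowed)'
    } elseif ($level -le 2) {
        $verdict = 'LM and/or NTLMv1 are still sent; NTLMv2 is at most allowed, not mandated'
    } elseif ($level -eq 3) {
        $verdict = 'This host sends NTLMv2 only, but as a DC it still accepts LM and NTLMv1 from clients'
    } elseif ($level -eq 4) {
        $verdict = 'NTLMv2 mandated for this host; a DC refuses LM but still accepts NTLMv1'
    } else {
        $verdict = 'NTLMv2 mandated; a DC refuses both LM and NTLMv1'
    }

    [PSCustomObject]@{
        LmCompatibilityLevel = if ($null -eq $level) { '(not set)' } else { "$level - $($LevelMeaning[[int]$level])" }
        NtlmMinClientSec     = ConvertTo-SecFlagText $minClient
        NtlmMinServerSec     = ConvertTo-SecFlagText $minServer
        Verdict              = $verdict
    }
}

function Set-NtlmV2Only {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Mandates NTLMv2 (level 5) and requires NTLMv2 session security plus 128-bit
    # encryption (0x20080000) for both the client and server roles. Run with -WhatIf
    # first: level 5 locks out every host that can only speak LM/NTLMv1, such as a
    # Win98 machine without the Directory Services Client installed.
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set LmCompatibilityLevel = 5')) {
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
    }
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        if ($PSCmdlet.ShouldProcess($Msv10Key, "Set $name = 0x20080000")) {
            Set-ItemProperty -Path $Msv10Key -Name $name -Value 0x20080000 -Type DWord
        }
    }
}

# Audit only; hardening is a separate, explicit call (Set-NtlmV2Only -WhatIf to preview).
Get-NtlmPolicyReport | Format-List
```

Running the audit on each host in the domain before changing anything shows which of the three environments in the table you are actually in: a mix of hosts reporting level 0 or 1 is the "default config" row, where LM/NTLMv1 remain the fallback. Only once every host that must access the domain reports at least level 3 (and the Win9x hosts have Dsclient.exe installed) does moving the domain server to level 5 with Set-NtlmV2Only yield the "exclusive NTLMv2" option without locking anyone out.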


Information Systems and Computing
University of Pennsylvania