Re: technetID KB321728: NO kerberos support for proxy servers


From: David (david_burghgraeve_at_news.postalias)
Date: 05/13/04


Date: Thu, 13 May 2004 04:42:29 -0700


> - How it's possible to disable NTLMv2 in a Windows Domain. (I haven't seen
>this before)

You are right,

You can't really eliminate NTLMv2.
Cf. http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 topic 10.

Seems that indeed, Microsoft is still incorporating NTLM
into windows2003 as a "fall back" mechanism. Although you
can secure it in a much stronger way ...

> - The specific security risk of using NTLMv2 between client and Proxy, and
>how Kerb addresses this risk? You mentioned something about easily breakable
>hashes?

NTLMv2 contains the password in a hash form.
So, if I can trap (one way or another) this hash, can't I
break it (with a brute force attack). Mostly users have
passwords containing existing words and digits. Let us
agree, the password complexity option is too difficult for
70% of the users to explain.

==> But why do I want to get rid of the NTLM?
We have made a password sync construction. Our Mainframe
OS390 with ACF2 LDS is THE PASSWORD MASTER. When I'm
logged on the mainframe -I'm already logged on to windows
btw- and I have to change my password, Mainframe makes the
password change directly on the active directory using
LDAP (over SSL). By this, the NTLM password string in my
active WindowsXP session doesn't match the NTLM password
string in the active directory.
Doing that, every connection with windows2000/2003 and
XP's keeps on working (kerberos tickets), but all the
connections with NT4 servers, SAMBA shares on UNIX and -
YES, here it is- our PROXY server using NTLM won't work as
I get password violations and eventually get locked out in
the Domain.

So, if I can eliminate all the NTLM traffic, I have a
working pwdsync and working only by ticketing. We're
almost done with all the NT4 & Unix servers to
Windows2003. Now only one thing stands in my way: THE
PROXY.

>-----Original Message-----
>David,
>
>The security risk here isn't clear to me - could you explain this in more
>detail please?
>
> - How it's possible to disable NTLMv2 in a Windows Domain. (I haven't seen
>this before)
>
> - The specific security risk of using NTLMv2 between client and Proxy, and
>how Kerb addresses this risk? You mentioned something about easily breakable
>hashes?
>
>Further responses inline.
>
>
><david_burghgraeve@news.postalias> wrote in message
>news:c7cb01c438c0$88575e80$a301280a@phx.gbl...
>> Tom,
>>
>> What about http://www.mcpmag.com/columns/article.asp?EditorialsID=179
>>
>> And I quote: "Windows 2000, which uses Kerberos for
>> authentication, accepts LM and NTLM and NTLMv2 for
>> backward compatibility. If you have particular servers to
>> secure, you can adjust these settings as well. When you've
>> upgraded all systems to Win2K, you can eliminate NT, NTLM,
>> and NTLMv2 from your network." (NTLM CAN be eliminated by
>> GPOs.)
>
>Quoting from MCP magazine is nice, but it's hardly the Resource Kit, is it?
>>
>> I posted this topic in this forum to find a solution.
>> In our firm not everyone is allowed to have access to the
>> internet, and secondly, we want loggings (of course ;o).
>>
>> Now, in our current implementation, you won't get a prompt
>> if you want to surf on the net, because the proxy can
>> negotiate with the pc to get NTLM challenge response, and
>> the proxy can verify this with our W2K3 Domain Controller(s).
>
>That's because IE uses NTLM to provide transparent authentication for your
>users.
>
>>
>> So, if I want to get rid of the "NTLM" in the
>> communication with the proxy, everyone gets a prompt for
>> userid and password. As you all can understand, this is
>> not wanted (negative impact for users).
>
>That's because you're disabling the secure method, and IE doesn't want to
>give credentials in the clear to just anyone.
>
>
>> => => => Is there a solution using kerberos (or maybe
>> certificates as this is practically the same tech as
>> kerberos) e.g. by using the newest version of ISA server or
>> other Microsoft tech? (Internet Authentication Service
>> maybe?)
>
>Could you expand on your certificates being the same as Kerberos point?
>
>>
>> => => => Is NTLMv2 something to last forever? Continually
>> Sending breakable hashes into large corporate networks? We
>> want to limit this to practically "zero".
>
>Can you show us how an NTLMv2 hash is insecure for use with a proxy server
>please? Also, the "sending hashes into large corporate networks" comment is
>usually mitigated by switches, which only allow "point to point"
>communication between nodes with defined MAC addresses for a given TCP
>session, so it's not like they're being broadcast to everyone in the
>vicinity (unless there are hubs, and Bad People capturing in
>promiscuous-mode).
>
>If NTLMv2 hashes truly aren't secure enough, then you could use Kerb to
>secure the connection between client perhaps using IPSec to do so? (if
>you're 100% security conscious, you should be using IPsec anyway?)
>
>>
>> Greetings,
>> A very security demanding David!
>>
>> >-----Original Message-----
>> >Hi David,
>> >
>> >There is an Internet Explorer issue, not an ISA issue. IE
>> >will not use Kerberos. Anyhow, you can't eliminate NTLM
>> >because it's required for many domain related activities.
>> >
>> >HTH,
>> >Tom
>> >www.isaserver.org/shinder
>> >
>> >
>>
>
>
>.
>


