Re: technetID KB321728: NO kerberos support for proxy servers

From: Bloopy (none_at_nowhere.com)
Date: 05/13/04


Date: Thu, 13 May 2004 21:54:28 +1000

I don't think the hashes are actually what's sent on the wire when
authenticating the browser; it's a derivation of the hash.

So, perhaps the issue could be simplified down to the point at which it's
most problematic: you're not replacing your password hash in your XP
session. XP knows when to do this, when using NET PASSWORD or C+A+Del,
change password, but if the password is being changed on the DC directly, it
has no way of knowing this until you get an access denied type message and
are forced to re-authenticate or re-logon.

My personal suggestion would be to implement the mainframe sync from AD - I
think Metadirectory or MIIS (or whatever it is this year) might be usable to
do this (depending on the mainframe), or you could implement a custom
password filter on the DCs, so that when the user changes their password in
AD (via C+A+Del, so XP knows it's been updated and updates its local cache),
it's synced to the mainframe, rather than the reverse...

http://msdn.microsoft.com/library/en-us/security/security/management_functions.asp?FRAME=true
(see Password Filter Functions for the functions to implement).

For me, it would be more of a worry that the kerb ticket was still valid if
the password's changed, but that's just a side effect of ticket lifetime...

"David" <david_burghgraeve@news.postalias> wrote in message
news:c7d701c438df$5f1c2900$a501280a@phx.gbl...
>
> > - How it's possible to disable NTLMv2 in a Windows Domain. (I haven't seen
> > this before)
>
> You are right,
>
> You can't really eliminate NTLMv2.
> Cfr. http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 topic 10.
>
> Seems that indeed, Microsoft is still incorporating NTLM into Windows 2003
> as a "fall back" mechanism. Although you can secure it in a much stronger
> way ...
>
> > - The specific security risk of using NTLMv2 between client and Proxy, and
> > how Kerb addresses this risk? You mentioned something about easily
> > breakable hashes?
>
> NTLMv2 contains the password in a hash form.
> So, if I can trap (one way or another) this hash, can't I break it (with a
> brute force attack). Mostly users have passwords containing existing words
> and digits. Let us agree, the password complexity option is too difficult
> for 70% of the users to explain.
>
> ==> But why do I want to get rid of the NTLM?
> We have made a password sync construction. Our Mainframe OS390 with ACF2 LDS
> is THE PASSWORD MASTER. When I'm logged on the mainframe -I'm already logged
> on to Windows btw- and I have to change my password, Mainframe makes the
> password change directly on the Active Directory using LDAP (over SSL). By
> this, the NTLM password string in my active Windows XP session doesn't match
> the NTLM password string in the Active Directory.
> Doing that, every connection with Windows 2000/2003 and XP's keeps on
> working (Kerberos tickets), but all the connections with NT4 servers, SAMBA
> shares on UNIX and -YES, here it is- our PROXY server using NTLM won't work
> as I get password violations and eventually get locked out in the Domain.
>
> So, if I can eliminate all the NTLM traffic, I have a working pwdsync and
> working only by ticketing. We're almost done with all the NT4 & Unix
> servers to Windows 2003. Now only one thing stands in my way: THE PROXY.
>
>
> >-----Original Message-----
> >David,
> >
> >The security risk here isn't clear to me - could you explain this in more
> >detail please?
> >
> > - How it's possible to disable NTLMv2 in a Windows Domain. (I haven't seen
> >this before)
> >
> > - The specific security risk of using NTLMv2 between client and Proxy, and
> >how Kerb addresses this risk? You mentioned something about easily breakable
> >hashes?
> >
> >Further responses inline.
> >
> >
> ><david_burghgraeve@news.postalias> wrote in message
> >news:c7cb01c438c0$88575e80$a301280a@phx.gbl...
> >> Tom,
> >>
> >> What about http://www.mcpmag.com/columns/article.asp?EditorialsID=179
> >>
> >> And I quote: "Windows 2000, which uses Kerberos for authentication,
> >> accepts LM and NTLM and NTLMv2 for backward compatibility. If you have
> >> particular servers to secure, you can adjust these settings as well. When
> >> you've upgraded all systems to Win2K, you can eliminate NT, NTLM, and
> >> NTLMv2 from your network." (NTLM CAN be eliminated by GPOs.)
> >
> >Quoting from MCP magazine is nice, but it's hardly the Resource Kit, is it?
> >>
> >> I posted this topic in this forum to find a solution.
> >> In our firm not everyone is allowed to have access to the internet, and
> >> secondly, we want loggings (of course ;o).
> >>
> >> Now, in our current implementation, you won't get a prompt if you want to
> >> surf on the net, because the proxy can negotiate with the pc to get NTLM
> >> challenge response, and the proxy can verify this with our W2K3 Domain
> >> Controller(s).
> >
> >That's because IE uses NTLM to provide transparent authentication for your
> >users.
> >
> >>
> >> So, if I want to get rid of the "NTLM" in the communication with the
> >> proxy, everyone gets a prompt for userid and password. As you all can
> >> understand, this is not wanted (negative impact for users).
> >
> >That's because you're disabling the secure method, and IE doesn't want to
> >give credentials in the clear to just anyone.
> >
> >
> >> => => => Is there a solution using kerberos (or maybe certificates as this
> >> is practically the same tech as kerberos) e.g. by using the newest version
> >> of ISA server or other Microsoft tech? (Internet Authentication Service
> >> maybe?)
> >
> >Could you expand on your certificates being the same as Kerberos point?
> >
> >>
> >> => => => Is NTLMv2 something to last forever? Continually sending
> >> breakable hashes into large corporate networks? We want to limit this to
> >> practically "zero".
> >
> >Can you show us how an NTLMv2 hash is insecure for use with a proxy server
> >please? Also, the "sending hashes into large corporate networks" comment is
> >usually mitigated by switches, which only allow "point to point"
> >communication between nodes with defined MAC addresses for a given TCP
> >session, so it's not like they're being broadcast to everyone in the
> >vicinity (unless there are hubs, and Bad People capturing in
> >promiscuous mode).
> >
> >If NTLMv2 hashes truly aren't secure enough, then you could use Kerb to
> >secure the connection between client perhaps using IPSec to do so? (if
> >you're 100% security conscious, you should be using IPsec anyway?)
> >
> >>
> >> Greetings,
> >> A very security demanding David!
> >>
> >> >-----Original Message-----
> >> >Hi David,
> >> >
> >> >There is an Internet Explorer issue, not an ISA issue. IE will not use
> >> >Kerberos. Anyhow, you can't eliminate NTLM because it's required for many
> >> >domain related activities.
> >> >
> >> >HTH,
> >> >Tom
> >> >www.isaserver.org/shinder
> >> >
> >> >
> >>
> >
> >
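Bloopy's point that what reaches the proxy is a keyed derivation of the NT hash, and David's password-sync failure, can both be seen in the NTLMv2 computation from MS-NLMP. The block below is an added example, not code from anyone in the thread: it models the client side and the verifying (DC/proxy) side with a pure-Python MD4, and the user name, passwords, server challenge and empty target-info blob are constructed values.

```python
import hmac, os, struct
M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); included because OpenSSL 3 builds often omit it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rot = lambda v, s: ((v << s) | (v >> (32 - s))) & M
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k0, order, sh in rounds:
            for i, k in enumerate(order):
                a = rot((a + fn(b, c, d) + X[k] + k0) & M, sh[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the old d
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:  # NT OWF: stored in AD, cached by the XP session at logon
    return md4(password.encode("utf-16-le"))
def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:  # per-user key derived from the NT hash
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def ntlmv2_response(nt, user, domain, server_chal, client_chal, target_info, ts=0):
    """Client side (MS-NLMP 3.3.2): NTProofStr || temp. The NT hash itself never leaves the host."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", ts) + client_chal
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_chal + temp, "md5").digest()
    return proof + temp

def verify(nt_stored, user, domain, server_chal, response) -> bool:
    """DC/proxy side: recompute NTProofStr from the stored NT hash and the blob the client echoed."""
    proof, temp = response[:16], response[16:]
    expect = hmac.new(ntowf_v2(nt_stored, user, domain), server_chal + temp, "md5").digest()
    return hmac.compare_digest(proof, expect)

def sync_scenario(old="OldPassw0rd", new="NewPassw0rd", user="david", dom="CORP"):
    """The thread's failure mode: the mainframe sync rewrites the DC's hash, XP still uses its cached one."""
    cached = nt_hash(old)                      # what the XP session holds from logon
    chal = bytes.fromhex("0123456789abcdef")   # constructed server challenge
    resp = ntlmv2_response(cached, user, dom, chal, os.urandom(8), b"\x00" * 4)  # empty AV_PAIR list
    return {"before_sync": verify(cached, user, dom, chal, resp),
            "after_sync": verify(nt_hash(new), user, dom, chal, resp),
            "hash_on_wire": cached in resp}
```

Once the DC holds the new hash, every NTLM verifier (proxy, NT4, Samba) rejects the response computed from the cached one, which is exactly the "password violation" David reports; the Kerberos sessions keep working only because their tickets were already issued.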


