Re: Disable NetBIOS and NTLM on Windows 2003 Domain Controllers and Ex
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/05/04
- Previous message: Andy David - Exchange MVP: "Re: Disable NetBIOS and NTLM on Windows 2003 Domain Controllers and Exchange 2003?"
- In reply to: Research Services: "Re: Disable NetBIOS and NTLM on Windows 2003 Domain Controllers and Ex"
- Next in thread: Andrei Ungureanu: "Re: Disable NetBIOS and NTLM on Windows 2003 Domain Controllers an"
- Reply: Andrei Ungureanu: "Re: Disable NetBIOS and NTLM on Windows 2003 Domain Controllers an"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 4 Oct 2004 20:12:57 -0500
Domain controllers do not need NBT to replicate amongst themselves, but I
believe there will be a problem with Exchange. If you disable NBT, keep in
mind that there may be problems with the use of My Network Places if used.
Domain controllers are usually domain master and master browsers, though
elections would happen if other computers on the network still use it.
Keep in mind that Remote Access Servers will not authenticate users if
configured to not allow LM and NTLM. It will work if you disable just LM,
which is by far the biggest vulnerability. Also, unless you configure
security options on Windows 2003 Servers and modify the registry on W2K
servers, LM hashes of passwords will still be stored, and if you disable
that, the LM hash for a user's password will still exist until they change
their password. --- Steve
"Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
news:eUYl4OjqEHA.3428@TK2MSFTNGP11.phx.gbl...
> Thanks for your response.
>
> You indicate that Domain Controllers (may?) need NetBIOS for Active
> Directory replication - do you know if there are any Microsoft documents
> that address this "requirement" directly?
>
>
>
>
> "Andrei Ungureanu" <AndreiUngureanu@discussions.microsoft.com> wrote in
> message news:64B7F953-413E-4332-8B53-1D46C54CFAC3@microsoft.com...
>> hmmm .. about NTLMv1/LM ... I don't think it's a problem disabling them
>> (maybe only if you have some very old OS on your network). Regarding
>> NETBIOS
>> ... I think the domain controller needs this functionality for the
>> replication. Anyway, to fully disable NETBIOS and SMB check
>> http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/a0604.mspx
>> (as you can see it's not enough to check Disable Netbios over TCP/IP from
>> Advanced TCP/IP settings).
>>
>> Andrei Ungureanu
>> www.eventid.net
>> Free Windows event logs reports
>> http://www.altairtech.ca/evlog/
>>
>>
>>
>> "Research Services" wrote:
>>
>>> Is it possible to safely DISABLE NetBIOS and/or NTLMv1/LM on all Windows
>>> 2000 and Windows 2003 Domain Controllers and/or Exchange 2003 servers
>>> (within our own child domain) without affecting Windows networking
>>> communications adversely?
>>> We are a child domain in a single forest, we are NOT Enterprise
>>> Administrators. Our DCs and Exchange are currently configured to refuse
>>> and
>>> not send LM.
>>> All clients are Windows XP with NetBIOS already disabled and only talk
>>> NTLMv2, there are no down-level clients (i.e., Win9x, NT4, Mac) in our
>>> child
>>> domain.
>>> We are not sure if this will affect AD replication, especially between
>>> other
>>> child domains in the forest not controlled by us - OR if Exchange 2003
>>> relies on NetBIOS and/or less than NTLMv2 to function correctly.
>>>
>>> Thanks for any input or help.
>>>
>>>
>>>
>>>
>
>
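An added example, not part of the thread: a read-only PowerShell audit of the settings Steve's reply refers to on the local Windows server (the LM/NTLM response level, whether LM hashes are still stored, and NetBIOS over TCP/IP per interface). It assumes the standard registry locations for these settings and that the prompt is elevated.

```powershell
# Added example (not from the thread). Read-only: reports, changes nothing.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

# LmCompatibilityLevel maps to the "LAN Manager authentication level" policy.
# Levels 0-1 still send LM; 2 sends NTLM only; 3+ send NTLMv2 only;
# 4 makes the DC refuse LM, 5 makes it refuse LM and NTLM.
$levelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only, refuse LM'
    5 = 'Send NTLMv2 only, refuse LM & NTLM'
}
$lsaProps = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
$level    = $lsaProps.LmCompatibilityLevel
if ($null -eq $level) {
    Write-Host 'LmCompatibilityLevel not set: the OS default applies.'
} else {
    Write-Host "LmCompatibilityLevel = $level ($($levelMeaning[[int]$level]))"
    if ($level -lt 2) { Write-Warning 'LM responses are still sent; level 2 or higher stops that.' }
    if ($level -eq 5) { Write-Host 'Level 5 refuses NTLM too; check RAS and NTLM-only clients first.' }
}

# LM hash storage. Windows 2003: the security option sets the DWORD value
# NoLMHash = 1. Windows 2000 (SP2+): a registry *key* named NoLMHash instead.
$noLmValue = $lsaProps.NoLMHash
$noLmKey   = Test-Path -Path (Join-Path $lsa 'NoLMHash')
if ($noLmValue -eq 1 -or $noLmKey) {
    Write-Host 'LM hash storage disabled. Existing LM hashes stay until each user changes password.'
} else {
    Write-Warning 'LM hash storage is NOT disabled: LM hashes of passwords are still stored.'
}

# NetbiosOptions per interface: 0 = DHCP-controlled, 1 = enabled, 2 = disabled.
Get-ChildItem -Path $netbt -ErrorAction SilentlyContinue | ForEach-Object {
    $opt   = (Get-ItemProperty -Path $_.PSPath).NetbiosOptions
    $state = switch ($opt) { 2 { 'disabled' } 1 { 'enabled' } default { 'DHCP-controlled' } }
    Write-Host "$($_.PSChildName): NetBIOS over TCP/IP $state"
}
```

Run it on each DC and Exchange server before and after a password-change cycle to confirm the stored LM hashes actually disappear.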