JSI Tip 0976. SP4 Authentication enhancements.

In tip 807, I introduced LMCompatibilityLevel.

Prior to Windows NT 4.0 SP4, NT supported LanManager (LM) challenge/response and Windows NT (NTLM) challenge/response.

SP4 implements a third authentication method, NTLMv2, which is significantly more secure, and a mechanism for servers and clients to control which NTLM variant is used.

NOTE: NTLM authentication with a password using all 14 characters, mixed case, alphanumerics and special characters can take 2000+ years to crack using a 200MHz Pentium Pro. See http://www.rsa.com/des/.

The changes affect any application that uses RPC or the NTLM SSP.

NTLMv2 is used automatically when both client and server are running SP4, but the datagram variant must be configured explicitly. Use Regedt32 to navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA

Add Value name LMCompatibilityLevel as a type REG_DWORD. The default value is 0:

   Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
   Level 1 - Use NTLMv2 session security if negotiated
   Level 2 - Send NTLM response only
   Level 3 - Send NTLMv2 response only
   Level 4 - DC refuses LM responses
   Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)

To control the NTLM SSP, navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\MSV1_0

Configure the following values:


   Value: NtlmMinClientSec
   Value Type: REG_DWORD - The default value is 0.
   Valid Range: the logical 'or' of any of the following values:
                0x00000010
                0x00000020
                0x00080000
                0x20000000

   Value: NtlmMinServerSec
   Value Type: REG_DWORD - The default value is 0.
   Valid Range: same as NtlmMinClientSec
   Description: Both values specify the minimum security that must be negotiated:
               0x00000010  Message integrity
               0x00000020  Message confidentiality
               0x00080000  NTLMv2 session security
               0x20000000  128 bit encryption

If the bit with value 0x00000010 is set in the NtlmMinClientSec or NtlmMinServerSec value, the connection will fail if message integrity is not negotiated.

If the bit with value 0x00000020 is set in the NtlmMinClientSec or NtlmMinServerSec value, the connection will fail if message confidentiality is not negotiated.

If the bit with value 0x00080000 is set in the NtlmMinClientSec or NtlmMinServerSec value, the connection will fail if NTLMv2 session security is not negotiated.

If the bit with value 0x20000000 is set in the NtlmMinClientSec or NtlmMinServerSec value, the connection will fail if 128-bit encryption is not negotiated.

LMCompatibilityLevel - Clients

SP4 clients cannot use level 3 or greater unless all the domain controllers are running SP4.

SP4 clients using level 2 or greater cannot connect to non-NT Windows variants unless the domain controllers run SP4.

SP4 clients using level 3 or greater will always send NTLMv2, which can pass through NT Servers and non-NT Windows variants as long as the domain controllers are running SP4. Share level security is not supported.

SP4 clients using level 1 or greater must change passwords only from an SP4 box.

LMCompatibilityLevel - Servers/DCs

SP4 servers using level 4 or greater cannot be connected to from a non-NT Windows variant.

An SP4 DC using level 4 or greater requires Windows NT clients.

An SP4 DC using level 5 requires Windows NT 4.0 SP4 clients.

If you wish to implement NTLMv2, I recommend:

- Upgrade all servers/DCs to SP4.

- Clients that are running SP3 can use level 3 or greater.

- If users in an account domain never need to access non-NT Windows variants, set that domain's DC to level 4. Set it to level 5 once all clients are running SP4.

Shut down and restart Windows NT for these changes to take effect.
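To check how a machine is currently configured, the following audit script (an added example, not part of this tip) reads the values described above and decodes them against the tables. It assumes a PowerShell with the HKLM: provider, which NT 4.0 itself does not have, so it is meant for later systems that still honour these keys; the function names are my own.

```powershell
# Added audit script (not part of the original tip). Reads the LSA values
# described above and decodes them against the tip's tables. Assumes a
# PowerShell with the HKLM: provider, which NT 4.0 itself does not have.
$LsaKey  = 'HKLM:\System\CurrentControlSet\Control\LSA'
$Msv1Key = 'HKLM:\System\CurrentControlSet\Control\LSA\MSV1_0'
# LMCompatibilityLevel meanings, indexed by level 0..5
$LevelText = @(
    'Send LM response and NTLM response; never use NTLMv2 session security',
    'Use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'DC refuses LM responses',
    'DC refuses LM and NTLM responses (accepts only NTLMv2)'
)
# Bits of NtlmMinClientSec / NtlmMinServerSec; a set bit makes the
# connection fail when that protection is not negotiated
$MinSecBits = @(
    @{ Bit = 0x00000010; Name = 'Message integrity' },
    @{ Bit = 0x00000020; Name = 'Message confidentiality' },
    @{ Bit = 0x00080000; Name = 'NTLMv2 session security' },
    @{ Bit = 0x20000000; Name = '128 bit encryption' }
)
function Get-RegDword([string]$Path, [string]$Name) {
    # An absent value means the documented default of 0
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}
function ConvertTo-MinSecText([int]$Value) {
    # Names every protection the mask requires; leftover bits are shown raw
    $names = @(foreach ($e in $MinSecBits) { if (($Value -band $e.Bit) -ne 0) { $e.Name } })
    $known = 0; foreach ($e in $MinSecBits) { $known = $known -bor $e.Bit }
    $extra = $Value -band -bnot $known
    if ($extra -ne 0) { $names += ('undocumented bits 0x{0:X8}' -f $extra) }
    if ($names.Count -eq 0) { return 'nothing required (default 0)' }
    return ($names -join ', ')
}
$level     = Get-RegDword $LsaKey  'LMCompatibilityLevel'
$clientSec = Get-RegDword $Msv1Key 'NtlmMinClientSec'
$serverSec = Get-RegDword $Msv1Key 'NtlmMinServerSec'
$levelDesc = if ($level -ge 0 -and $level -lt $LevelText.Count) { $LevelText[$level] } else { 'undocumented level' }
"LMCompatibilityLevel = $level : $levelDesc"
'NtlmMinClientSec = 0x{0:X8} : {1}' -f $clientSec, (ConvertTo-MinSecText $clientSec)
'NtlmMinServerSec = 0x{0:X8} : {1}' -f $serverSec, (ConvertTo-MinSecText $serverSec)
# Warnings follow the tip's advice to move to NTLMv2 once the DCs run SP4
if ($level -lt 3) { Write-Warning "Level $level still sends LM and/or NTLM responses; level 3 or greater sends NTLMv2 only." }
foreach ($p in @(@('NtlmMinClientSec', $clientSec), @('NtlmMinServerSec', $serverSec))) {
    if (($p[1] -band 0x00080000) -eq 0) { Write-Warning "$($p[0]) does not require NTLMv2 session security (0x00080000)." }
}
```

Run it before and after editing the keys; on a machine where the values have never been created, all three report the documented defaults of 0.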
