Experience with NTLM v2 on Win2K in NT 4.0 Domain Myung Bang Jefferson Lab Hepix-HepNT 2000 October 31, 2000


Experience with NTLM v2 on Win2K in NT 4.0 Domain
Myung Bang
Jefferson Lab
Hepix-HepNT 2000
October 31, 2000
Authentication Protocols
• NT uses 3 different authentication protocols
– Lan Manager (LM) Hash
– NTLM
– NTLM v2
2
Explanation of Auth. Protocols
• LanMan Hash
– Introduced for backward compatibility (Win95, Win 3.x, DOS and OS/2)
– Uses a challenge/response mechanism
– Algorithm allows passwords to be attacked in 7-character chunks
3
Explanation of Auth. Protocols
(cont.)
• NTLM
– Improves security for connections between NT clients and servers
– Supports a session security mechanism for message confidentiality (encryption) and integrity (signing)
– Takes advantage of all 14 characters in the password and allows lower-case letters
– The key space for the password-derived key is 56 bits.
4
Explanation of Auth. Protocols
(cont.)
• NTLM v2
– Most improved version of NTLM on both the authentication and the session security mechanism
– Available from Service Pack 4 or later
– Enhanced implementation of the NTLM Security Service Provider (SSP)
– Allows clients and servers to require the negotiation of message confidentiality, message integrity, 128-bit encryption and NTLM v2 session security
– The key space for the password-derived key is 128 bits
5
Goal
• Get rid of LanMan Hash and NTLM from the network
• All clients using the same authentication, NTLM v2
– All Clients, LM Compatibility Level 3
– All member servers, LM Compatibility Level 3
– All Domain Controllers, LM Compatibility Level 5
6
Definition of Levels
• 0 - Sends LM and NTLM responses; never uses NTLMv2 session security. Clients will use LM and NTLM authentication, and never use NTLMv2 session security. Domain controllers will accept LM, NTLM and NTLMv2 authentication.
• 1 - Uses NTLMv2 session security if negotiated. Clients will use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM and NTLMv2 authentication.
– Bug: according to the documentation, Level 1 still sends the LM response in place of NTLM when possible.
• 2 - Sends NTLM response only. Clients will only use NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM and NTLMv2 authentication.
7
Definition of Levels (Cont.)
• 3 - Sends NTLMv2 response only. Clients will use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM and NTLMv2 authentication.
• 4 - Domain controller refuses LM responses. Clients will use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication (and accept NTLM and NTLMv2).
• 5 - Domain controller refuses LM and NTLM responses (accepts only NTLMv2). Clients will use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM authentication (accept only NTLMv2).
8
Summary of Definition
Level   LM      NTLM    NTLM v2
0       S R     S R       R
1       S R     S R       R
2         R     S R       R
3         R       R     S R
4                 R     S R
5                       S R
S = Clients send, R = Domain controllers receive (accept)
9
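The level definitions and the summary table above can be encoded as a small model, which is useful when planning a DC level change: it tells you which hosts would be locked out and which ones still put the weak LM response on the wire. This is an added Python example, not code from the talk or from Microsoft. The two tables are transcribed from the slide definitions; the host inventory is constructed, and the function names (can_authenticate, lowest_dc_level_refusing, audit) are this example's own. It models only the documented behaviour of the levels, not the Win2K-to-member-server failure reported in the test results later in the talk.

```python
"""Model of LMCompatibilityLevel taken from the slide definitions (added example)."""
from typing import Dict, FrozenSet, List, Tuple

LM, NTLM, NTLMV2 = "LM", "NTLM", "NTLMv2"

# Responses a client sends at each level (the "Clients - Send" column).
CLIENT_SENDS: Dict[int, FrozenSet[str]] = {
    0: frozenset({LM, NTLM}),
    1: frozenset({LM, NTLM}),      # documented bug: still sends LM in place of NTLM when possible
    2: frozenset({NTLM}),
    3: frozenset({NTLMV2}),
    4: frozenset({NTLMV2}),
    5: frozenset({NTLMV2}),
}

# Responses a domain controller accepts at each level ("Domain Controllers - Receive").
DC_ACCEPTS: Dict[int, FrozenSet[str]] = {
    0: frozenset({LM, NTLM, NTLMV2}),
    1: frozenset({LM, NTLM, NTLMV2}),
    2: frozenset({LM, NTLM, NTLMV2}),
    3: frozenset({LM, NTLM, NTLMV2}),
    4: frozenset({NTLM, NTLMV2}),   # LM refused
    5: frozenset({NTLMV2}),         # LM and NTLM refused
}


def can_authenticate(client_level: int, dc_level: int) -> bool:
    """True if at least one response the client sends is one the DC accepts."""
    return bool(CLIENT_SENDS[client_level] & DC_ACCEPTS[dc_level])


def lowest_dc_level_refusing(protocol: str) -> int:
    """Lowest DC level at which `protocol` is no longer accepted (ValueError if none)."""
    for level in sorted(DC_ACCEPTS):
        if protocol not in DC_ACCEPTS[level]:
            return level
    raise ValueError(f"no level refuses {protocol}")


def audit(inventory: List[Tuple[str, int]], dc_level: int) -> Dict[str, List[str]]:
    """Findings per host for a planned DC level: hosts that would be locked out,
    hosts still sending the LM response, and hosts not yet sending NTLMv2."""
    findings: Dict[str, List[str]] = {}
    for host, level in inventory:
        issues: List[str] = []
        if not can_authenticate(level, dc_level):
            issues.append(f"would be refused by a DC at level {dc_level}")
        if LM in CLIENT_SENDS[level]:
            issues.append("still sends LM response")
        if NTLMV2 not in CLIENT_SENDS[level]:
            issues.append("does not send NTLMv2")
        findings[host] = issues
    return findings


# Constructed inventory: hostnames and levels are made up for this example.
SAMPLE_INVENTORY: List[Tuple[str, int]] = [
    ("pc-lab01", 0), ("pc-lab02", 2), ("srv-files", 3), ("ws-nt4", 1),
]

if __name__ == "__main__":
    print("LM first refused at DC level", lowest_dc_level_refusing(LM))
    print("NTLM first refused at DC level", lowest_dc_level_refusing(NTLM))
    for host, issues in audit(SAMPLE_INVENTORY, dc_level=5).items():
        print(host, "->", "; ".join(issues) or "OK")
```

Running the audit against a planned level of 4 instead of 5 shows why the talk's working configuration settles on DC level 4: the level-2 Win2K hosts are still accepted (they send NTLM) while LM is already refused.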
Requirements for using NTLM2
• Windows NT 4.0
– Service Pack 4 or later
• Windows 2000
– Windows 2000 High Encryption Pack
• Win 9x
– Patch from the Windows 2000 CD called Dsclient.exe
• (per Article ID: Q239869)
• All systems need to modify their registry settings
10
NTLM v2 Registry setting - Clients
• HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\LSA
– Value Name: LMCompatibilityLevel
– Data Type: REG_DWORD
– Value: 3
• HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\LSA\MSV1_0
– Value Name: NtlmMinClientSec
– Data Type: REG_DWORD
– Value: 20080030 (hex)
– Value Name: NtlmMinServerSec
– Data Type: REG_DWORD
– Value: 20080030 (hex)
11
NTLM v2 Registry setting - DCs
• HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\LSA
– Value Name: LMCompatibilityLevel
– Data Type: REG_DWORD
– Value: 5
• HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\LSA\MSV1_0
– Value Name: NtlmMinClientSec
– Data Type: REG_DWORD
– Value: 20080030 (hex)
– Value Name: NtlmMinServerSec
– Data Type: REG_DWORD
– Value: 20080030 (hex)
12
NTLM Security Service Provider
(SSP)
• NtlmMinClientSec and NtlmMinServerSec are bitmasks built from these flags:
– 0x00000010 - Message integrity
– 0x00000020 - Message confidentiality
– 0x00080000 - NTLM 2 session security
– 0x20000000 - 128-bit encryption
– 0x80000000 - 56-bit encryption (not included in the total)
• Total: 20080030
13
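Because NtlmMinClientSec and NtlmMinServerSec are bitmasks, the registry value is easy to get subtly wrong (a dropped digit, or a decimal value typed where hex was meant). The following added Python example, which is not code from the talk or from Microsoft, composes the value from the flags listed on the slide, decodes a configured value back into the protections it demands, and reports any bits that do not correspond to a listed flag. The flag labels are the slide's own descriptions; the function names (compose, decode, parse_reg_dword, check_min_sec) are this example's own. It also shows that the slide's total 20080030 deliberately omits the 56-bit flag: with that bit set the value would be A0080030.

```python
"""Compose and decode the NtlmMinClientSec / NtlmMinServerSec bitmask (added example)."""
from typing import Dict, Iterable, List, Tuple

# Flag bits as listed on the NTLM SSP slide; the labels are the slide's own descriptions.
NTLM_MIN_SEC_FLAGS: Dict[int, str] = {
    0x00000010: "Message integrity",
    0x00000020: "Message confidentiality",
    0x00080000: "NTLM 2 session security",
    0x20000000: "128-bit encryption",
    0x80000000: "56-bit encryption",
}
LABEL_TO_BIT: Dict[str, int] = {label: bit for bit, label in NTLM_MIN_SEC_FLAGS.items()}
KNOWN_MASK: int = sum(NTLM_MIN_SEC_FLAGS)


def compose(labels: Iterable[str]) -> int:
    """OR together the bits for the named requirements (KeyError for a label not on the slide)."""
    value = 0
    for label in labels:
        value |= LABEL_TO_BIT[label]
    return value


def decode(value: int) -> Tuple[List[str], int]:
    """Return (labels of the known bits set, leftover bits that match no listed flag)."""
    labels = [label for bit, label in sorted(NTLM_MIN_SEC_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK & 0xFFFFFFFF
    return labels, unknown


def parse_reg_dword(text: str) -> int:
    """The slides write REG_DWORD values as hex without a 0x prefix; accept both forms."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    value = int(text, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD must fit in 32 bits")
    return value


def check_min_sec(text: str, required: Iterable[str]) -> List[str]:
    """List the required protections that a configured value does NOT demand,
    plus any bits in the value that correspond to no listed flag."""
    labels, unknown = decode(parse_reg_dword(text))
    missing = [r for r in required if r not in labels]
    if unknown:
        missing.append(f"unknown bits 0x{unknown:08X}")
    return missing


# The value the talk deploys on clients and DCs, built from the four flags in its total.
TALK_LABELS = ["Message integrity", "Message confidentiality",
               "NTLM 2 session security", "128-bit encryption"]

if __name__ == "__main__":
    value = compose(TALK_LABELS)
    print(f"composed value: {value:08X}")                 # 20080030
    print("decoded:", decode(value))
    print(f"with 56-bit flag: {value | 0x80000000:08X}")  # A0080030
    print("gaps in 00000030:", check_min_sec("00000030", TALK_LABELS))
```

check_min_sec is the piece to run against values read back from a machine: a host whose value lacks the 128-bit or NTLM 2 session security bit will still negotiate NTLM, just with weaker session protection than the talk intends.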
Consideration of using NTLM2
• During the installation of new clients, they cannot join the domain because they are still at Service Pack 1
• If you are using a Wipe & Load installation and the source setup files are in the domain, the DOS client cannot connect to the source files.
14
NTLM v2 Testing Results
• All DCs at LMCompatibilityLevel 5 (accept NTLM v2 only)
• All clients (Win 9x, NT 4.0 SP6a, Win2K) at LMCompatibilityLevel 3
• Results:
– Win 9x: authenticated and can access all servers
– NT 4.0: authenticated and can access all servers
– Win2K: authenticated but cannot access any servers
15
NTLM v2 Testing Results (cont.)
DC Level   Win2K Level   Results
0          0, 1, 2       Auth. to DC & access to svrs
0          3             Auth. to DC & no access to svrs
4          0, 1, 2       Auth. to DC & access to svrs
4          3             Auth. to DC & no access to svrs
5          0, 2          No Auth.
5          1, 3          Auth. to DC & no access to svrs
16
Summary
• If you are using NT 4.0 domain controllers with a mix of Windows (9x, NT and Win2K) machines, you cannot use pure NTLM v2.
– Microsoft is aware of this problem and is working on patches (NTBUGTRAQ report on 9/29/00)
• In a Windows NT 4.0 domain (levels that work):
– All DCs, LMCompatibilityLevel 4
– All Win 9x and NT, LMCompatibilityLevel 3
– All Win2K, LMCompatibilityLevel 2
17
Point to ponder
• When all clients are at LMCompatibilityLevel 3 (NTLM v2):
– NT to NT: authenticated
– 9x to NT: authenticated
– NT to Win2K: authenticated
– Win2K to NT: no access
– NetApp File Server Version 5.36R1P1 (vendor said their product cannot talk NTLM v2), but NT and 9x at Level 3 can gain access when Win2K cannot.
• Now, whose bug is it? Is it an NT or a Win2K bug?
18
Conclusion
• Security is one of the top priorities in any computing environment. We need to do whatever we can to make our environment more secure.
• If you are in a mixed environment like Jefferson Lab, the least you should do is get rid of the LanMan Hash until Microsoft solves the Win2K with NTLM v2 problem.
19