
LM/NTLMv1 Retirement

LM/NTLMv1 Retirement. Hosted by LSP Services. What is LM? LM stands for LAN Manager. Used by Windows 95, 98, ME and NT, it is now considered a legacy protocol. LM is an authentication protocol that uses a particularly weak method of hashing a user's password, known as the LM hash algorithm.

nickys


Presentation Transcript


  1. LM/NTLMv1 Retirement Hosted by LSP Services

  2. What is LM
  • LM stands for LAN Manager
  • Used by Windows 95, 98, ME and NT; now considered a legacy protocol
  • LM is an authentication protocol that uses a particularly weak method of hashing a user's password, known as the LM hash algorithm

  3. What is NTLMv1
  • Abbreviation for “Windows NT LAN Manager”
  • NTLM uses a challenge-response mechanism for authentication
  • Clients are able to prove their identities without sending a password to the server

  4. Retire Support for LM/NTLMv1
  • UITS will retire support for both LAN Manager (LM) and NT LAN Manager Version 1 (NTLMv1) authentication protocols by May 22, 2006.
  • After these protocols are disabled, the only authentication protocols accepted by the ADS Domain Controllers will be NTLMv2 and Kerberos.
  • The protocols will not be blocked on the network

  5. Why Retire LM and NTLMv1
  Recent improvements in computer hardware and software algorithms have made both the LM and NTLMv1 protocols vulnerable to widely published attacks for obtaining user passwords:
  • RainbowCrack
  • John the Ripper
  • Proactive Password Explorer
  • SAMInside

  6. How will the Change be Implemented
  • Two policies will need to set the LM compatibility level to “NTLMv2 response only\refuse LM and NTLM” (Level 5).
  • The first policy to change will be the Default Domain Policy. On May 15th, 2006, the project team will set the LM compatibility level to “NTLMv2 response only\refuse LM and NTLM” (Level 5). This will change the default security setting on all Windows workstations and servers in the ADS domain that receive the Default Domain Policy.
  • One week later, on May 22, 2006, the Default Domain Controllers Policy will be set to “NTLMv2 response only\refuse LM and NTLM” (Level 5). This means that only NTLMv2 authentication will be allowed in our domain. This will effectively disable LM/NTLMv1 use by Windows systems connected to the ADS domain.

  7. LM Compatibility Level

  8. When do you use NTLM
  • Creating a new Outlook profile
  • Accessing a resource on an Active Directory domain member using an IP address rather than a host name
  • Accessing a resource on a Windows computer that is not a member of an Active Directory domain
  • Accessing any resource on a Windows-based computer from a computer running Windows 9x or Windows NT 4.0
  • Accessing any resource on a Windows-based computer from a third-party operating system or application that does not support Kerberos

  9. Other Common Authentication Methods
  • Basic Authentication
    • Webpage Authentication (over SSL)
    • Entourage
  • Kerberos Authentication
    • CAS
    • Webmail
    • Windows Domain Logon (IU.EDU)
    • File Shares (SMB) using DNS Host Name
    • Outlook 2003 to Exchange 2003

  10. Known Issues
  • Local machine account access could fail after May 15th
  • Understanding how Outlook works with NTLMv2
  • Unattended Setup of XP will fail to join the domain if SP2 is not slipstreamed
  • A user is not successfully authenticated when NTLMv2 authentication is used on a Windows Server 2003-based IAS server
  • Windows machines that do not receive the Default Domain Policy may not be able to access resources that require NTLMv2 authentication
  • OS X version 10.3 does not support NTLMv2
  • Windows 9x/Me computers will be unable to authenticate to the ADS domain
  • Outlook 2001 does not support NTLMv2 and will no longer be usable
  • Clustered computers running versions of Windows prior to Windows Server 2003 Service Pack 1 will break
  • Windows NT 4.0 and support status
  • Versions of Samba prior to 3.0.21 will not support NTLMv2

  11. Understanding How Outlook Works with NTLMv2
  • How Will Outlook 2001 be Affected by This Change?
    • Outlook 2001 will no longer be usable
    • Use Entourage as a replacement (Basic Authentication over SSL)
    • Use Outlook Web Access (Basic Authentication over SSL)

  12. Understanding How Outlook Works with NTLMv2
  • How will Outlook XP/2002 and 2003 be Affected by this Change?

  13. OS X version 10.3 does not support NTLMv2
  • Used to access SMB shares and more
  • Can force OS X to use Kerberos when authenticating to an SMB share; see document: http://kb.iu.edu/data/atse.html
  • Microsoft User Authentication Module (UAM) 10.1 will support NTLMv2

  14. Local Machine Account
  • Local machine account access could fail after May 15th
  • Change the LM Compatibility level on the client machine
    • How can I use the local security settings to force NTLMv2?
  • Change the LM Compatibility level on the client server
    • How can I use a GPO to force NTLMv2?
    • How do I override settings in the Default Domain Policy for my OU?
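The "LM Compatibility Level" that slides 6 and 14 talk about is the registry value LmCompatibilityLevel under the Lsa key, which is what the Group Policy setting "Network security: LAN Manager authentication level" writes. The following PowerShell is an added example, not part of the presentation or any UITS tool, for reading the current level on a machine and setting it to Level 5 on a client that does not receive the Default Domain Policy; the function names are my own.

```powershell
# Added example: inspect and set the LM Compatibility Level on the local machine.
# This is the registry value behind the Group Policy setting
# "Network security: LAN Manager authentication level".
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each level as documented by Microsoft for LmCompatibilityLevel.
$LmLevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # A missing value means the OS default applies, which differs between
    # Windows versions, so it is reported as 'not set' rather than guessed.
    $value = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel `
              -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        return [pscustomobject]@{ Level = $null; Meaning = 'not set (OS default)';
                                  SendsNtlmV2Only = $false; RefusesLmAndNtlmV1 = $false }
    }
    $level = [int]$value
    [pscustomobject]@{
        Level              = $level
        Meaning            = $LmLevelMeaning[$level]
        # Levels 3-5 send only NTLMv2 as a client; only level 5 also refuses
        # LM and NTLMv1 from other systems when acting as a server.
        SendsNtlmV2Only    = ($level -ge 3)
        RefusesLmAndNtlmV1 = ($level -eq 5)
    }
}

function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 5)][int]$Level = 5)
    $action = "Set LmCompatibilityLevel to $Level ($($LmLevelMeaning[$Level]))"
    if ($PSCmdlet.ShouldProcess($LsaKey, $action)) {
        # Needs an elevated session; the value is a REG_DWORD.
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    }
}

# Usage: report the current level, then preview the change before applying it.
Get-LmCompatibilityLevel
Set-LmCompatibilityLevel -Level 5 -WhatIf
```

On a domain member that does receive the policy, the GPO value overwrites whatever is set locally at the next policy refresh, which is why the slides point OU owners at a GPO rather than a local change.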

  15. IUB and IUPUI VPN Access
  • Client machines use MSCHAPv2 to communicate with the VPN server
  • The VPN server communicates using NTLMv2 to an ADS Domain Controller
  • Note: MSCHAP does break in an NTLMv2-only environment

  16. Who Could be Affected by this Change
  • Machines that are not part of the ADS domain will not receive the Default Domain Policy and will not have their LM Compatibility Level set to 5. This includes home and laptop computers.
  • Machines located in an OU that is blocking the Default Domain Policy will not have their LM Compatibility Level set to 5.
  • Third-party operating systems or applications

  17. IU Windows Authentication Update
  • The IU Windows Authentication Update will configure your Windows 2000 (or higher) computer to disable the insecure LM (LanManager) and NTLMv1 authentication protocols
  • IUWare does use CAS for authentication

  18. Request a Testing OU
  • UITS Messaging has set up a test domain (mssgtest.iu.edu) with both LM and NTLMv1 protocols disabled
  • We strongly encourage you to leverage this domain to test how your applications and services will behave in an NTLMv2-only environment
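Besides testing in the NTLMv2-only domain, an administrator wants to know which accounts and workstations still fall back to NTLMv1 before Level 5 is enforced. This added example is not from the presentation; it assumes a domain controller running a Windows version that records the LmPackageName field in logon event 4624 (Windows Server 2008 and later). The Windows Server 2003 domain controllers of the slides' era log event 540 without the NTLM version, so the check does not apply there.

```powershell
# Added example: list successful logons that used NTLMv1, from the Security log
# of a domain controller (event 4624 with LmPackageName "NTLM V1").
function Get-NtlmV1Logons {
    param(
        # A domain controller sees NTLM pass-through logons for the whole domain.
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 10000
    )
    $filter = @{ LogName = 'Security'; Id = 4624 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            if ($data['AuthenticationPackageName'] -eq 'NTLM' -and
                $data['LmPackageName'] -eq 'NTLM V1') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    Workstation = $data['WorkstationName']
                    SourceIp    = $data['IpAddress']
                }
            }
        }
}

# Usage: group by workstation; these are the systems (third-party OS, stray
# OUs, non-domain machines) to fix or exempt before level 5 is enforced.
Get-NtlmV1Logons | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name
```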

  19. Thank You! Questions? Contact Info: lsps@iu.edu More Information: https://lsps.iu.edu
