How can you tell if NTLM or NTLMv2 is used to authenticate?


Jonas Back

Dec 1, 2004, 6:29:02 AM
We want to deny LM/NTLM and only allow NTLMv2/Kerberos to our Domain
Controllers running Windows 2003. Since we're running all Win2000/2003
servers and WinXP clients it should be possible. But we cannot just deny it
and see if it works since some applications/servers may fail. We suspect that
some of our Linux developers use LM and/or NTLMv1 to authenticate and want to
make sure they don't before we switch it off.

My question is: how can I tell if NTLM or NTLMv2 is used? See below for what
we see in our DCs' event log. On "Authentication Package" it says NTLM, but
does it say NTLMv2 if it's really NTLMv2? Do I need to sniff the network with,
for example, Ethereal to see which one is used?

Also, is there any MANUAL tool out there that enables you, manually, to TEST
authentication against a server and decide if you want to use LM, NTLM or
NTLMv2 (and maybe even Kerberos) to authenticate to the server/domain?


I look at the Security Logs on our DCs and notice that almost all users are
authenticated using Kerberos:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/30/2004
Time: 4:31:04 PM
User: PPM\user1
Computer: DC1
Description:
Successful Network Logon:
User Name: user1
Domain: PPM
Logon ID: (0x3,0xAC1546BD)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {e3bfac7a-7b77-af09-0115-54bf60c322c9}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.10
Source Port: 3254

But we also see some authenticating using NTLM. But is it NTLMv1 or v2?

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/30/2004
Time: 4:02:30 PM
User: PPM\user2
Computer: DC1
Description:
Successful Network Logon:
User Name: user2
Domain: PPM
Logon ID: (0x3,0xAC05311A)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PC0022
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.12
Source Port: 0

Jeff Qiu [MSFT]

Dec 2, 2004, 2:27:02 AM
Hi,

Thanks for posting here!

There is a policy for this stuff.

Computer Configuration
-Windows Settings
--Security Settings
---Local Policies
----Security Options
Network security: LAN Manager authentication level

You may choose to "Send NTLMv2 response only\refuse LM & NTLM"

If you want to apply this to a domain, configure it at the default domain
controller policy.

Or you may configure it to your whole domain as well.

Kerberos is the default mode and cannot be disabled, so there is no need to
configure anything to allow it.

Hope it helps.

Have a great day!

Best Regards,

Jeff Qiu
Microsoft Online Partner Support
MCSE 2k/2k3, MCSA 2k/2k3, MCDBA
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
>Thread-Topic: How can you tell if NTLM or NTLMv2 is used to authenticate?
>From: "Jonas Back" <jona...@noway.com>
>Subject: How can you tell if NTLM or NTLMv2 is used to authenticate?
>Date: Wed, 1 Dec 2004 03:29:02 -0800
>microsoft.public.windows.server.active_directory

Jonas Back

Dec 2, 2004, 3:49:03 AM
Hi!

Thanks for your answer. I know about that policy, that is the one I want to
set to "Send NTLMv2 response only\refuse LM & NTLM".

But TODAY we have it set to: "Send LM & NTLM - use NTLMv2 session security
if negotiated". And before I change that policy I want to make sure no clients
are using LM or NTLM to authenticate, because if I refuse LM or NTLM without
making sure no application in our network uses that, those applications will
BREAK. Those applications could be applications running on Unix/Linux using
SAMBA to authenticate, etc.

So, how can I see if someone on our network is authenticating using LM or
NTLM before refusing it?

Hope this clears up the actual question. Thanks!

/ Jonas Back, Sweden

Jeff Qiu [MSFT]

Dec 3, 2004, 3:51:36 AM
Hi,

Thank you for your update.

I understand that you want to tell if your application is using NTLM or
NTLMv2 to authenticate.

I believe a first, direct way is to apply that policy with "Send NTLMv2
response only\refuse LM & NTLM", and the applications that use NTLM will
show up.

A second way is to directly ask the manufacturer of those applications to
tell you whether they are using NTLM or NTLMv2.

The third way is to use netmon to capture the packets, if possible, since
most of the authentication is using Kerberos. A large netmon capture may be
created before we can find something in it.

You may make your own choice among the above three to get the problem
addressed.

Hope it helps.

Best Regards,

Jeff Qiu
Microsoft Online Partner Support
MCSE 2k/2k3, MCSA 2k/2k3, MCDBA
Get Secure! - www.microsoft.com/security



--------------------
>Thread-Topic: How can you tell if NTLM or NTLMv2 is used to authenticate?
>From: "Jonas Back" <jona...@noway.com>
>Subject: RE: How can you tell if NTLM or NTLMv2 is used to authenticate?
>Date: Thu, 2 Dec 2004 00:49:03 -0800
>microsoft.public.windows.server.active_directory

Janwillem Kok

Feb 9, 2005, 4:21:02 AM
Hi Jonas,

This topic is from a while ago now, so I hope you see this post. I am facing
the same challenge. Have you found a method to trace the LM/NTLM usage?


Kind regards,

Janwillem Kok

Jonas Back

Apr 19, 2005, 8:41:05 AM
Hi!

I just saw your response, and now there's a function to get an email when
someone replies to your post, so hopefully you'll see this.

I haven't found any way to check this yet except for sniffing the packets
to/from the DCs. I haven't tried this yet.

Let me know if you have any more ideas.

Janwillem Kok

Apr 21, 2005, 7:48:03 AM
Hi,

After a lot of investigation, my conclusion is that the only way to
distinguish is by sniffing. This remains strange, because the DC is able to
tell the difference, right? :)
Here are some interesting details that might be of interest:

When I investigate a network trace using Network Monitor, the
CaseInsensitivePassword field shows up as 'Password length'; Ethereal calls
it 'Ansi password length'. The CaseSensitivePassword field is in both cases
called 'Unicode password length'. The different protocols show up perfectly:


OSes tried:          W 3.11   W95   NT4 (LMCompatibilityLevel 0)   NT4 (LMCompatibilityLevel 3)

Password length        24      24              24                             24
Unicode PW length      NA      NA              24                             96

Protocol               LM      LM            NTLMv1                         NTLMv2

By running a continuous capture using a capture filter on these fields, you
should be able to get an idea of the current usage. For example, if both
fields show up and both have the length 24, the protocol used is NTLMv1. If
only the Password length field shows up, LM is used.


When disabling the LM/NTLMv1 protocols, beware of the following:
- RADIUS and MOM clients still use NTLMv1; rumour is that MS-CHAP does too.

- When a DC is disabled for the protocols and receives an LM/NTLMv1
authentication request, it treats it like a bad password and therefore tries
to contact the PDC emulator (this is normal behaviour when a user enters a
bad password).


Janwillem
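As an added example (not code from anyone in this thread), the following applies Janwillem's length rule to records taken from a capture: each record carries the two SessionSetupAndX fields he names, and the tally shows which workstations would break once LM & NTLM are refused. The `SessionSetup` type, the function names and the sample records are assumptions constructed for the example; the 24/24 caveat about "NTLMv2 session security" and the variable NTLMv2 response length are added by me, not from the thread.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionSetup:
    # One SMB SessionSetupAndX request as decoded by the sniffer. ansi_pw_len is
    # Netmon's 'Password length' / Ethereal's 'Ansi password length'; unicode_pw_len
    # is 'Unicode password length', 0 where the table says NA (field absent).
    workstation: str
    ansi_pw_len: int
    unicode_pw_len: int


def classify(ansi_pw_len: int, unicode_pw_len: int) -> str:
    """Length rule from the table: LM = 24/NA, NTLMv1 = 24/24, NTLMv2 = 24/>24."""
    if unicode_pw_len == 0 and ansi_pw_len == 24:
        return "LM"            # LM response only, no NT response at all
    if unicode_pw_len == 24:
        # Plain NTLMv1. 'NTLMv2 session security' also produces a 24/24 pair,
        # so this bucket can contain both; treat it as "not yet NTLMv2".
        return "NTLMv1"
    if unicode_pw_len > 24:
        # NTLMv2 = 16-byte HMAC + variable blob; 96 in the thread, not fixed.
        return "NTLMv2"
    return "unknown"


def usage_by_workstation(records):
    """Tally response types per workstation, as a continuous capture would."""
    tally = {}
    for r in records:
        kind = classify(r.ansi_pw_len, r.unicode_pw_len)
        tally.setdefault(r.workstation, Counter())[kind] += 1
    return tally


def legacy_workstations(records):
    """Hosts that would break once LM & NTLM are refused at the DC."""
    return sorted(h for h, c in usage_by_workstation(records).items()
                  if c["LM"] or c["NTLMv1"])


# Constructed sample: one record per column of the table, plus two for the
# workstation named in the original poster's event log (type assumed, not logged).
SAMPLE = [
    SessionSetup("WFW311", 24, 0),     # Windows 3.11 -> LM
    SessionSetup("WIN95", 24, 0),      # Windows 95 -> LM
    SessionSetup("NT4-LVL0", 24, 24),  # NT4, LMCompatibilityLevel 0 -> NTLMv1
    SessionSetup("NT4-LVL3", 24, 96),  # NT4, LMCompatibilityLevel 3 -> NTLMv2
    SessionSetup("PC0022", 24, 96),    # constructed; the event log shows no type
    SessionSetup("PC0022", 24, 96),
]
```

Feed it the decoded length fields from a real Netmon or Ethereal capture and the LM/NTLMv1 hosts fall out of `legacy_workstations`; a 24/24 host still needs a closer look, because the length alone cannot separate NTLMv1 from NTLMv2 session security.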

Jonas Back

Apr 21, 2005, 12:47:04 PM
Hi Janwillem,

Very interesting indeed. I've just set up our new lab and will try to get
this tested within a few days. We don't use MOM or RADIUS, so hopefully I'll
find just a few applications still using LM/NTLMv1. The problem is that we
use a lot of Linux, and they want to authenticate to our Active Directory.
Luckily I got Kerberos working for our Linux dist a few days ago - even though
I'm a hardcore Windows fan ;)

Do you work a lot with securing Windows and Active Directory? Then it would
be nice to stay in contact, because securing Windows beyond the ordinary
standard settings doesn't seem to be that common. If you like the idea of
staying in contact, just drop me an email at jonas.back(at)home.se and tell me
what you're working with right now and I'll do the same.. maybe we'll have
some thoughts and ideas to exchange.

Otherwise, I'll keep you posted here in the forum.
