resources and events that can help you keep your security knowledge
and skills up to date and keep your Windows and other systems secure.
=== SECURITY Q&A ===============================================
by Randy Franklin Smith, rsmith@ultimatewindowssecurity.com
Q: How important is it to configure servers to use NTLMv2 for
authentication?
A: Configuring servers to use NTLMv2 is of medium to high importance,
depending on your environment. Windows uses the Kerberos authentication
protocol by default. However, Windows uses NT LAN Manager (NTLM) or
NTLMv2 when Kerberos isn't available, which can be the case if you have
users that use local accounts instead of domain accounts, log on to
computers outside your domain, or use an OS that doesn't support
Kerberos.
NTLMv2 provides better protection than NTLM by making it more difficult
to crack any challenge and response data gleaned from authentication
packets traveling over the network. To capture those packets, an
attacker has to trick the network switch into forwarding packets to his
or her computer, which requires either physical access to the network
or remote control of a computer on the network. Sniffing packets on a
modern, fully switched network is more difficult than on older, hub-
based networks. For an attacker who successfully captures
authentication traffic, cracking NTLMv2 challenge/response pairs is
more difficult than cracking NTLM. However, weak passwords are easily
cracked no matter what protocol you use--even Kerberos.
To force systems to use NTLMv2 rather than NTLM and reject any computer
that attempts lower-level authentication, you can open Group Policy
Management Console (GPMC), select a Group Policy Object (GPO) that's
applied to all the computers on your network, navigate to Computer
Configuration\Windows\Settings\Security Settings\Local
Policies\Security Options, and set the "Network security: LAN Manager
authentication level" field to "Send NTLMv2 response only/refuse LM &
NTLM."
(This Security Q&A originally appeared in Security Pro VIP's
Access Denied column.)
=== SECURITY RESOURCES =========================================
The following security-related resources are brought to you by Windows
IT Pro. For additional resources and information, visit
http://list.windowsitpro.com/t?ctl=652BC:4160B336D0B60CB1E9572BE68FA603A6
Learn to gather evidence of compliance across multiple systems, and
link the data to regulatory and framework control objectives. On-Demand
Web Seminar
http://list.windowsitpro.com/t?ctl=652B4:4160B336D0B60CB1E9572BE68FA603A6
Learn to differentiate between alternative solutions to disaster
recovery for your Windows-based applications, and to ensure seamless
recovery of your key systems--whether a disaster strikes just one
server or the whole site. On-Demand Web Seminar
http://list.windowsitpro.com/t?ctl=652B5:4160B336D0B60CB1E9572BE68FA603A6
Learn the best ways to manage your email security (and fight spam)
using a variety of solutions and tips.
http://list.windowsitpro.com/t?ctl=652B6:4160B336D0B60CB1E9572BE68FA603A6
================================================================
Security UDPATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://list.windowsitpro.com/t?ctl=652B9:4160B336D0B60CB1E9572BE68FA603A6
http://list.windowsitpro.com/t?ctl=652BB:4160B336D0B60CB1E9572BE68FA603A6
Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=652B8:4160B336D0B60CB1E9572BE68FA603A6
Unsubscribe by clicking
http://list.windowsitpro.com/u?id=4160B336D0B60CB1E9572BE68FA603A6
Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=652BA:4160B336D0B60CB1E9572BE68FA603A6
About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com
View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=652B7:4160B336D0B60CB1E9572BE68FA603A6
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.
No comments:
Post a Comment