The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

NTLMv2 Security

I am using a new backup app. for Sql Server.

I'm having issues with it and it turns out that the servers taht I have issues with don't have the named pipes protocol enabled (which uses NTLM).

From what I could dig up on the net, Winserver 2k shipped with NTLMv2 which "fixed" the security flaws with NTLM. Furthermore I have found the registry key that enables me to force NTLMv2 and deny any other versions.

Does anyone know whether there are known security issues with NTLMv2?
D in PHX Send private email
Friday, July 07, 2006
 
 
NTLMv2 is really Kerberos under the hood with Microsoft's LDAP/Active directory extensions.

So there are security issues with it if you don't set it up correctly!  Yes, it can be locked down.
~Eric
Monday, July 10, 2006
 
 
No, it isn't. NTLMv2 was introduced in NT 4 SP4, before Active Directory. It is an enhanced version of NTLM, with a 128-bit keyspace and stronger authentication and session management mechanisms.

AFAIK, NTLMv2 is quite strong in single-machine and small workgroup scenarios. The much-publicized "Rainbow crack" can only get at NTLMv2 if some security settings are lowered, and can still take unacceptable amounts of time if good password policies are followed.

Excellent article here:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1005.mspx

Do remember though that NTLMv2 is a fallback. The best option is Active Directory and Kerberos.
Raj Chaudhuri Send private email
Tuesday, July 11, 2006
 
 
From your article:

"If the user is authenticating against an Active Directory domain accessing a resource using a host name., the NT hash is used in a Kerberos logon against the Key Distribution Center (KDC, typically the domain controller)."

So, my point above was not to mean the kerberos key exchange was being used but it is the backend security mech.  The OP stated "Winserver 2k" not NT4.
~Eric
Tuesday, July 11, 2006
 
 
Thanks guys.

I found the registry settings (AD group policy) that restricts the server to v2 only.

This will most likely be about politics rather than actual facts.

Thanks!
D in PHX Send private email
Tuesday, July 11, 2006
 
 

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
 
Powered by FogBugz