by peterwwillis
5706 days ago
Yes, the article I point to concerns LM hashes, but NTLM hashes are almost as bad - and you can stop using them. This URL shows you how to force NTLMv2: http://windows-secure.net/O.Reilly-Securing.Windows.Serv/059... The idea is to try to force Kerberos authentication only. I can't find any tips on forcing it explicitly (even through group policies), but perhaps there's a firewall method to disable any [NT]LM auth and only allow Kerberos auth. I think some specific services may only allow NTLM (such as Telnet), and some services (such as IIS) may have to be explicitly configured to use Kerberos.

(edit) I should mention that I am not an expert on configuring Windows domains or their authentication (obviously), but according to some random guy I asked in IRC, if the SPN is set on a calling ID for a given service, Kerberos will always be used (or attempted, anyway), and enabling TCP instead of UDP for the communication may help it get through firewalls etc. (and solve some other login-related problems with UDP attempts). However, I think NTLM is the only one that can get through all manner of proxies, firewalls, etc. (for IIS, for example).
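An added example, not part of the comment above and not from the linked O'Reilly page: a PowerShell script that audits (and, with the script's own `-Apply` switch, sets) the per-host registry values behind the Group Policy settings the comment is looking for. `LmCompatibilityLevel` is what the linked page's "force NTLMv2" advice boils down to; the `RestrictSendingNTLMTraffic` / `AuditReceivingNTLMTraffic` values are the "Network security: Restrict NTLM" policies that Windows 7 / Server 2008 R2 and later use to audit and then block NTLM in favour of Kerberos; `MaxPacketSize = 1` is the knob that makes the Kerberos client use TCP instead of UDP; and `setspn -L` lists the SPNs that must exist for Kerberos to be attempted at all. The desired values, the audit-first choice and the helper names are this example's assumptions.

```powershell
# Added example (not the commenter's procedure). Audit, and with -Apply enforce,
# the local registry values behind the LM/NTLM/Kerberos security options.
# Run from an elevated PowerShell; on a domain the same settings belong in a GPO
# under Computer Configuration > Windows Settings > Security Settings >
# Local Policies > Security Options rather than in per-host registry edits.
[CmdletBinding()]
param([switch]$Apply)   # default is audit only; -Apply writes $Desired

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv = Join-Path $Lsa 'MSV1_0'
$Krb = Join-Path $Lsa 'Kerberos\Parameters'

# Desired state chosen for this example. Audit values are deliberate: deny
# outbound NTLM only after the NTLM/Operational log shows nothing still needs it.
$Desired = @(
    # LAN Manager authentication level: 5 = send NTLMv2 only, refuse LM and NTLM.
    @{ Path = $Lsa; Name = 'LmCompatibilityLevel';        Value = 5 }
    # Minimum NTLM SSP session security: 0x20000000 = require NTLMv2 session
    # security, 0x80000000 = require 128-bit encryption.
    @{ Path = $Msv; Name = 'NtlmMinClientSec';            Value = 0x20080000 }
    @{ Path = $Msv; Name = 'NtlmMinServerSec';            Value = 0x20080000 }
    # Restrict NTLM: outgoing traffic to remote servers. 0 allow, 1 audit, 2 deny.
    @{ Path = $Msv; Name = 'RestrictSendingNTLMTraffic';  Value = 1 }
    # Restrict NTLM: audit incoming traffic. 0 off, 1 domain accounts, 2 all.
    @{ Path = $Msv; Name = 'AuditReceivingNTLMTraffic';   Value = 2 }
    # Kerberos client: MaxPacketSize 1 = always use TCP to the KDC, never UDP.
    @{ Path = $Krb; Name = 'MaxPacketSize';               Value = 1 }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (i.e. OS default applies).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-NtlmPolicy {
    # One row per setting: current value, desired value, and whether they match.
    foreach ($d in $Desired) {
        $cur = Get-PolicyValue $d.Path $d.Name
        [pscustomobject]@{
            Setting   = $d.Name
            Current   = if ($null -eq $cur) { '<not set>' } else { ('0x{0:X}' -f $cur) }
            Desired   = ('0x{0:X}' -f $d.Value)
            Compliant = ($cur -eq $d.Value)
        }
    }
}

function Set-NtlmPolicy {
    foreach ($d in $Desired) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        # -Force overwrites an existing value; DWord matches what the policy engine writes.
        New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType DWord `
                         -Value $d.Value -Force | Out-Null
    }
    # The Restrict NTLM audit values only tell you something if this log is enabled.
    wevtutil sl Microsoft-Windows-NTLM/Operational /e:true
}

Test-NtlmPolicy | Format-Table -AutoSize
if ($Apply) { Set-NtlmPolicy; Test-NtlmPolicy | Format-Table -AutoSize }

# Who is still using NTLM? Event IDs 8001-8004 name the client, server and
# process, which is the list of things to fix before switching audit to deny.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# Kerberos is only attempted when the target has an SPN; list this host's.
# setspn ships with the AD tools, so it is absent on a workgroup machine.
if (Get-Command setspn -ErrorAction SilentlyContinue) {
    setspn -L $env:COMPUTERNAME
}
```

Run it once without `-Apply` to see where the host stands, then with `-Apply` and leave it in audit mode for a while: `RestrictSendingNTLMTraffic = 2` (deny) is the step that actually forces Kerberos, and it is also the step that breaks the NTLM-only services and proxy paths the comment warns about, so the operational log is what tells you whether you can take it.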