MThommes
Posts: 106
01/09/2009 8:07 AM
Hi Susan,
Would you have any idea why the W2K8 default is only level 3 "Send NTLMv2 authentication only" and not Level 5 "DC refuses LM and NTLM authentication (accepts only NTLMv2)"? It seems to me anyone running a W2K8 domain has long ago gotten rid of any pre-NT4/SP4 clients. Any thoughts are appreciated. Thanks.
Mike Thommes
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley Sent: Friday, January 09, 2009 1:48 AM To: ActiveDir@mail.activedir.org Subject: Re: {Fraud?} {Disarmed} RE: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
"NTLMv1 is vulnerable to sniff-and-crack attacks; NTLMv2 is not vulnerable"
http://support.microsoft.com/kb/823659
LAN Manager (LM) authentication is the protocol that is used to authenticate Windows clients for network operations, including domain joins, accessing network resources, and user or computer authentication. The LM authentication level determines which challenge/response authentication protocol is negotiated between the client and the server computers. Specifically, the LM authentication level determines which authentication protocols that the client will try to negotiate or that the server will accept. The value that is set for LmCompatibilityLevel determines which challenge/response authentication protocol is used for network logons. This value affects the level of authentication protocol that clients use, the level of session security negotiated, and the level of authentication accepted by servers, according to the following table.
Get rid of those pesky older OSs would be a good start. :-)
It looks like 2k8 is default Network Security: LAN Manager authentication level: Send NTLMv2 response only
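Since the thread is reasoning about what the LmCompatibilityLevel values from the KB article mean in practice, here is an added PowerShell check that is not part of any message in this thread. It reads the two registry values behind the policies discussed here ("LAN Manager authentication level" and the "Do not store LAN Manager hash value" policy Tony mentions further down) and reports what each implies. The registry path and value names are the documented ones; the function name Get-LmAuthPosture and the defaults assumed when a value is absent (level 3 on Windows Server 2008, as Mike states; NoLMHash enabled on Vista/2008, disabled on 2003 and earlier) are my assumptions.

```powershell
# Added example, not from any message in this thread: report a machine's
# LM/NTLM posture from the registry values behind the two policies discussed.
function Get-LmAuthPosture {
    param(
        # Assumption: effective level when the value is absent (Windows Server 2008 = 3)
        [int]$DefaultLevel = 3,
        # Assumption: NoLMHash policy default when absent (enabled on Vista/2008+, disabled on 2003/XP)
        [bool]$DefaultNoLMHash = $true
    )

    # Documented location of both settings
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Meaning of each LmCompatibilityLevel value (KB 823659, as quoted in the thread)
    $levelMeaning = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only; DC refuses LM'
        5 = 'Send NTLMv2 response only; DC refuses LM & NTLM'
    }

    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction Stop

    # The value only exists once Group Policy or an admin has written it
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { $DefaultLevel }

    # NoLMHash = 1 stops the LM hash being stored at the next password change
    $noLmHash = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash -eq 1 } else { $DefaultNoLMHash }

    $findings = @()
    if ($level -lt 3) {
        $findings += 'Clients on this box send LM/NTLMv1 responses: exposed to sniff-and-crack'
    }
    if ($level -lt 5) {
        $findings += 'If this is a DC it still accepts LM/NTLMv1 from any client that offers them (level 5 refuses both)'
    }
    if ($level -ge 5) {
        $findings += 'Level 5 in place: confirm no remaining pre-NT4 SP4 clients or appliances still need NTLMv1'
    }
    if (-not $noLmHash) {
        $findings += 'LM hashes may still be stored for passwords of 14 characters or fewer'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LmCompatibilityLevel = $level
        Meaning              = $levelMeaning[$level]
        NoLMHash             = $noLmHash
        Findings             = $findings
    }
}

# Usage: locally, or fanned out to every DC over WinRM (the function body is
# self-contained, so it can be shipped as the script block)
Get-LmAuthPosture | Format-List
# Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock ${function:Get-LmAuthPosture}
```

The useful distinction the output makes is the one Mike's question turns on: level 3 governs what this machine sends, while only level 4 or 5 changes what a DC will accept from everyone else.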
Gabriele Scolaro wrote:
Brrrr I recall Marcus Murray session was one of those who really shocked me!
TechNet Webcast: Why I Can Hack Your Network in a Day! [A live demonstration of techniques and tools used by hackers to compromise your network] (Level 300) (ID:1032340737)
http://www.microsoft.com/events/series/detail/webcastdetails.aspx?seriesid=96&webcastid=2783
http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032340737&EventCategory=3&culture=en-US&CountryCode=US
Before that, I was _ingenuously_ recommending my DA colleagues to use runas to manage AD from their workstation.... :-(
is there any countermeasure to address or at least mitigate that security issue?
what's the recommended way to manage AD? (e.g. a dedicated hardened VM to connect to via secure RDP)
Thanks - (yet afraid and worried) Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Crawford, Scott Sent: Monday, January 05, 2009 22.02 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
I think Jorge's point is that cracking is unnecessary.
Hash injection Attacks in a Windows Network
aka
Why an exposed LM/NTLM Hash is comparable to a clear-text password
aka
Why a 127 character long password is not necessarily stronger than a 4 character long password
aka
Why generating LM/NTLM rainbow tables is a complete waste of time
aka
Passing-the-hash for direct authentication to remote systems
aka
Why one vulnerable system can compromise the entire Active directory forest
aka
One of the scariest Windows authentication hacks you ever saw.......
http://truesecurity.se/blogs/murray/archive/2007/03/16/why-an-exposed-lm-ntlm-hash-is-comparable-to-a-clear-text-password.aspx
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Michael B. Smith Sent: Monday, January 05, 2009 2:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
It's certainly possible to crack the hash with rainbow tables. My 64 GB tables get more than 99% of passwords.
Regards,
Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jorge de Almeida Pinto Sent: Monday, January 05, 2009 3:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
Did you know it is possible to misuse an AD account when having: the logon name and the password hash? (I do not care about the actual password)
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services
Oxford Computer Group Benelux
+31 (0)6 26.26.62.80 | +31 (0)70 36.21.045 | +31 (0)70 36.21.677 | Sweelinckplein 9 - 11 (unit 11), 2517 GK, Den Haag, The Netherlands | www.oxfordcomputergroup.com | Expertise in Identity & Access Management
Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1
________________________________________________________________
MVP Profile --> https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site --> https://mvp.support.microsoft.com/
MVP Overview --> https://mvp.support.microsoft.com/mvpexecsum
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
________________________________________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Gordon Sent: Monday, January 05, 2009 20:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
Appreciate everyone's answers.
member: CN=Domain Controllers,CN=Users,DC=trouble,DC=loc
OK, so the Domain Controller's password will not be replicated to the RODC. Should have looked before asking.
The specific risk is that the password of all computer accounts is still distributed on all RODCs. I would still use the specific allow group for a particular RODC and automate the group membership in some way using scripts or your IdAM solution (e.g. ILM) if you already have such.
IdAM is only managing user accounts not computer accounts. So I guess the question should have been formulated as:
How much of a risk is it at this time if the passwords of the member computers are replicated to the RODCs?
Computer passwords should be fairly strong and LM hash storage is disabled by the policy (IIRC they are longer than 14 characters and not stored anyway).
So how much of a risk is it really?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA Tel 847.295.5000 x50526 | Fax 847.554.1574 tony dot gordon at hewitt dot com | www.hewitt.com
From:
joe <listmail@joeware.net> <mailto:listmail@joeware.net>
To:
ActiveDir@mail.activedir.org
Date:
01/02/2009 03:11 PM
Subject:
RE: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
Sent by:
ActiveDir-owner@mail.activedir.org
________________________________
Here is the roundabout answer to your second question.
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=trouble,DC=loc
member: CN=Read-only Domain Controllers,CN=Users,DC=trouble,DC=loc
member: CN=Group Policy Creator Owners,CN=Users,DC=trouble,DC=loc
member: CN=Domain Admins,CN=Users,DC=trouble,DC=loc
member: CN=Cert Publishers,CN=Users,DC=trouble,DC=loc
member: CN=Enterprise Admins,CN=Users,DC=trouble,DC=loc
member: CN=Schema Admins,CN=Users,DC=trouble,DC=loc
member: CN=Domain Controllers,CN=Users,DC=trouble,DC=loc
member: CN=krbtgt,CN=Users,DC=trouble,DC=loc
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Gordon Sent: Friday, January 02, 2009 3:36 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
We are planning to deploy RODCs to the regional offices. We have a relatively painless way to automatically populate the groups that allow "caching" the creds with the user accounts for each RODC. Computer accounts present more of a challenge. One of the thoughts is to just put domain computers group into the "Allowed RODC Password Replication" Group.
What are the specific risks we would be incurring in that scenario?
Is there a scenario where another DC (RO or RW) would auth to a particular RODC and in doing so cause its password to be replicated to that RODC?
How have other people that deployed RODCs dealt with this issue?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA Tel 847.295.5000 x50526 | Fax 847.554.1574 tony dot gordon at hewitt dot com | www.hewitt.com
________________________________
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
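Tony's original question (what is actually at risk if Domain Computers goes into the Allowed RODC Password Replication Group) and joe's dump of the default Denied group are both answerable with data from the directory, so here is an added PowerShell report, not part of any message in this thread. For each RODC it lists the Allowed and Denied policy entries, flags broad principals in the allow list, and counts the accounts whose secrets the RODC has already cached (msDS-RevealedUsers), separating computers, users and, as a sanity check on the Denied group, any domain controller accounts. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later, which postdates this thread) and read rights to the domain; the function name and the list of "broad" principals are my choices.

```powershell
# Added example, not from any message in this thread: inventory each RODC's
# Password Replication Policy and what it has actually cached.
Import-Module ActiveDirectory

function Get-RodcPasswordReplicationReport {
    param(
        # Optional writable DC to query; defaults to the module's discovered DC
        [string]$Server,
        # Assumption: principals whose presence in the allow list caches whole populations
        [string[]]$BroadPrincipals = @('Domain Computers', 'Domain Users', 'Authenticated Users')
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true } @common)) {
        # Explicit policy entries on this RODC (the default groups plus any site-specific ones)
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed @common)
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied @common)

        # Accounts whose secrets this RODC has already pulled from a writable DC
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts @common)

        $broadAllowed      = @($allowed  | Where-Object { $BroadPrincipals -contains $_.Name })
        $revealedComputers = @($revealed | Where-Object { $_.ObjectClass -eq 'computer' })
        $revealedUsers     = @($revealed | Where-Object { $_.ObjectClass -eq 'user' })

        # "Domain Controllers" sits in the default Denied group (see joe's dump) and
        # Denied wins over Allowed, so a DC account here means the policy was changed
        $revealedDCs = @($revealedComputers | Where-Object {
            $_.DistinguishedName -like '*,OU=Domain Controllers,*'
        })

        [pscustomobject]@{
            RODC              = $rodc.HostName
            Site              = $rodc.Site
            AllowedEntries    = $allowed.Count
            DeniedEntries     = $denied.Count
            BroadAllowed      = ($broadAllowed | Select-Object -ExpandProperty Name) -join ', '
            RevealedUsers     = $revealedUsers.Count
            RevealedComputers = $revealedComputers.Count
            RevealedDCs       = ($revealedDCs | Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

# Usage
Get-RodcPasswordReplicationReport | Format-Table -AutoSize
```

A non-empty BroadAllowed column with a large RevealedComputers count is the exposure Tony is weighing: every one of those machine secrets is now resident on a branch-office box, so the blast radius of losing that RODC is the whole cached set rather than the site's own members.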
__________ Information from ESET Smart Security, version of virus signature database 3739 (20090105) __________
The message was checked by ESET Smart Security.
http://www.eset.com