
Subject: RE: {Fraud?} {Disarmed} RE: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
Author: florian

01/09/2009 9:02 AM  
Mike,



I guess the "client" part is the reason why LM and NTLM are still accepted.
Although NT4 BDCs are gone in a 2008 domain, NT4 clients may not be. We
have customers on Server 2003 looking at Server 2008 now, running legacy CAD
apps or applications controlling plants that are on NT4 and can't be
updated. "Legacy support" is, I guess, still the reason the setting has this
standard config.



No one stops you from changing it away from the default in your corp net and
your implementation, though.



Cheers,



Florian



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Thommes, Michael M.
Sent: Friday, 9 January 2009 14:03
To: ActiveDir@mail.activedir.org
Subject: RE: {Fraud?} {Disarmed} RE: [ActiveDir] RODC and computer accounts
that are allowed to have their creds replicated.



Hi Susan,

Would you have any idea why the W2K8 default is only level 3 "Send
NTLMv2 authentication only" and not level 5 "DC refuses LM and NTLM
authentication (accepts only NTLMv2)"? It seems to me anyone running a W2K8
domain has long ago gotten rid of any pre-NT4 SP4 clients. Any thoughts are
appreciated. Thanks.



Mike Thommes



_____

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Susan Bradley
Sent: Friday, January 09, 2009 1:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: {Fraud?} {Disarmed} RE: [ActiveDir] RODC and computer accounts
that are allowed to have their creds replicated.



"NTLMv1 is vulnerable to sniff-and-crack attacks
NTLMv2 is not vulnerable"

http://support.microsoft.com/kb/823659

LAN Manager (LM) authentication is the protocol that is used to authenticate
Windows clients for network operations, including domain joins, accessing
network resources, and user or computer authentication. The LM
authentication level determines which challenge/response authentication
protocol is negotiated between the client and the server computers.
Specifically, the LM authentication level determines which authentication
protocols that the client will try to negotiate or that the server will
accept. The value that is set for LmCompatibilityLevel determines which
challenge/response authentication protocol is used for network logons. This
value affects the level of authentication protocol that clients use, the
level of session security negotiated, and the level of authentication
accepted by servers, according to the following table.

Get rid of those pesky older OSs would be a good start. :-)

It looks like the 2k8 default for Network security: LAN Manager authentication
level is "Send NTLMv2 response only".

Gabriele Scolaro wrote:

Brrrr, I recall Marcus Murray's session was one of those that really shocked me!



TechNet Webcast: Why I Can Hack Your Network in a Day! [A live demonstration
of techniques and tools used by hackers to compromise your network] (Level
300) (ID:1032340737)

http://www.microsoft.com/events/series/detail/webcastdetails.aspx?seriesid=96&webcastid=2783

http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032340737&EventCategory=3&culture=en-US&CountryCode=US



Before that, I was _ingenuously_ recommending my DA colleagues to use runas
to manage AD from their workstation... :-(



Is there any countermeasure to address or at least mitigate that security
issue?

What's the recommended way to manage AD? (e.g. a dedicated hardened VM to
connect to via secure RDP)



Thanks – (yet afraid and worried) Gabriele.



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Crawford, Scott
Sent: Monday, 5 January 2009 22:02
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have
their creds replicated.



I think Jorge’s point is that cracking is unnecessary.



Hash injection Attacks in a Windows Network

aka

Why an exposed LM/NTLM Hash is comparable to a clear-text password

aka

Why a 127 character long password is not necessarily stronger than a 4
character long password

aka

Why generating LM/NTLM rainbow tables is a complete waste of time

aka

Passing-the-hash for direct authentication to remote systems

aka

Why one vulnerable system can compromise the entire Active directory forest

aka

One of the scariest Windows authentication hacks you ever saw.......

http://truesecurity.se/blogs/murray/archive/2007/03/16/why-an-exposed-lm-ntlm-hash-is-comparable-to-a-clear-text-password.aspx



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Michael B. Smith
Sent: Monday, January 05, 2009 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have
their creds replicated.



It’s certainly possible to crack the hash with rainbow tables. My 64 GB
tables get more than 99% of passwords.



Regards,



Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jorge de Almeida
Pinto
Sent: Monday, January 05, 2009 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have
their creds replicated.



Did you know it is possible to misuse an AD account when having: the logon
name and the password hash? (I do not care about the actual password)



Met vriendelijke groeten / Kind regards,



Ing. Jorge de Almeida Pinto

Senior Technical Consultant

MVP Identity & Access - Directory Services



Oxford Computer Group Benelux

Tel: +31 (0)6 26.26.62.80 | Tel: +31 (0)70 36.21.045 | Fax: +31 (0)70 36.21.677
Address: Sweelinckplein 9 - 11 (unit 11), 2517 GK, Den Haag, The Netherlands
www.oxfordcomputergroup.com | Expertise in Identity & Access Management

Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1





________________________________________________________________

MVP Profile: https://mvp.support.microsoft.com/profile/jorge1

MVP Home Site: https://mvp.support.microsoft.com/

MVP Overview: https://mvp.support.microsoft.com/mvpexecsum

BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx

________________________________________________________________



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Gordon
Sent: Monday, January 05, 2009 20:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have
their creds replicated.




Appreciate everyone's answers.

member: CN=Domain Controllers,CN=Users,DC=trouble,DC=loc

:). OK, so the Domain Controllers' passwords will not be replicated to the
RODC. Should have looked before asking.

The specific risk is that the passwords of all computer accounts are still
distributed to all RODCs. I would still use the specific allow group for a
particular RODC and automate the group membership in some way using scripts
or your IdAM solution (e.g. ILM) if you already have such.

IdAM is only managing user accounts, not computer accounts. So I guess the
question should have been formulated as:

How much of a risk is it at this time if the passwords of the member computers
are replicated to the RODCs?

Computer passwords should be fairly strong and NTLM hash storage is disabled
by the policy (IIRC they are longer than 14 chars and not stored anyway).

So how much of a risk is it really?



Thank you, Tony.


Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
ITS Infrastructure Engineering
Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA
Tel 847.295.5000 x50526 | Fax 847.554.1574
tony dot gordon at hewitt dot com | www.hewitt.com


From: joe <listmail@joeware.net>
To: ActiveDir@mail.activedir.org
Date: 01/02/2009 03:11 PM
Subject: RE: [ActiveDir] RODC and computer accounts that are allowed to have their creds replicated.
Sent by: ActiveDir-owner@mail.activedir.org



_____




Here is the roundabout answer to your second question. :)

dn:CN=Denied RODC Password Replication Group,CN=Users,DC=trouble,DC=loc
>member: CN=Read-only Domain Controllers,CN=Users,DC=trouble,DC=loc
>member: CN=Group Policy Creator Owners,CN=Users,DC=trouble,DC=loc
>member: CN=Domain Admins,CN=Users,DC=trouble,DC=loc
>member: CN=Cert Publishers,CN=Users,DC=trouble,DC=loc
>member: CN=Enterprise Admins,CN=Users,DC=trouble,DC=loc
>member: CN=Schema Admins,CN=Users,DC=trouble,DC=loc
>member: CN=Domain Controllers,CN=Users,DC=trouble,DC=loc
>member: CN=krbtgt,CN=Users,DC=trouble,DC=loc


--
O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm



_____

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Gordon
Sent: Friday, January 02, 2009 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RODC and computer accounts that are allowed to have
their creds replicated.


We are planning to deploy RODCs to the regional offices. We have a
relatively painless way to automatically populate the groups that allow
"caching" the creds with the user accounts for each RODC. Computer
accounts present more of a challenge. One of the thoughts is to just put
domain computers group into the "Allowed RODC Password Replication" Group.

What are the specific risks we would be incurring in that scenario?

Is there a scenario where another DC (RO or RW) would authenticate to a
particular RODC and in doing so cause its password to be replicated to that RODC?

How have other people who deployed RODCs dealt with this issue?

Thank you, Tony.


Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
ITS Infrastructure Engineering
Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA
Tel 847.295.5000 x50526 | Fax 847.554.1574
tony dot gordon at hewitt dot com | www.hewitt.com

_____


The information contained in this e-mail and any accompanying documents may
contain information that is confidential or otherwise protected from
disclosure. If you are not the intended recipient of this message, or if
this message has been addressed to you in error, please immediately alert
the sender by reply e-mail and then delete this message, including any
attachments. Any dissemination, distribution or other use of the contents of
this message by anyone other than the intended recipient is strictly
prohibited. All messages sent to and from this e-mail address may be
monitored as permitted by applicable law and regulations to ensure
compliance with our internal policies and to protect our business. E-mails
are not secure and cannot be guaranteed to be error free as they can be
intercepted, amended, lost or destroyed, or contain viruses. You are deemed
to have accepted these risks if you communicate with us by e-mail.




__________ Information from ESET Smart Security, version of virus signature database 3739 (20090105) __________

The message was checked by ESET Smart Security.

http://www.eset.com




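The LAN Manager authentication level and LM hash storage settings argued over above (the W2K8 default of level 3 versus level 5, and "NTLM hash storage is disabled by policy") are both DWORD values under the LSA registry key that the Group Policy settings "Network security: LAN Manager authentication level" and "Network security: Do not store LAN Manager hash value on next password change" write. The script below is an added example, not code from the thread or from any of its participants: it reads both values on the local machine, spells out what each LmCompatibilityLevel value means, audits the same values across a list of domain controllers over PowerShell remoting, and raises a machine to level 5. The DC names are placeholders, local administrator rights are assumed, and remoting is assumed to be enabled.

```powershell
# Added example (not from the thread). Audit and harden the LAN Manager
# authentication level. Assumes local administrator rights; the DC names
# below are placeholders and PowerShell remoting is assumed to be enabled.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# What each LmCompatibilityLevel value means ("Network security: LAN Manager
# authentication level" in Group Policy writes this DWORD).
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthSetting {
    # Report the local LmCompatibilityLevel and NoLMHash values. Either may be
    # absent, in which case the operating system default applies (the thread
    # reports level 3 as the Server 2008 default).
    $lsa   = Get-ItemProperty -Path $LsaKey
    $level = $lsa.LmCompatibilityLevel
    $noLm  = $lsa.NoLMHash
    $meaning = 'not set (OS default applies)'
    if ($null -ne $level) { $meaning = $LevelNames[[int]$level] }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LmCompatibilityLevel = $level
        Meaning              = $meaning
        NoLMHash             = $noLm
        # Only level 5 makes a server refuse NTLMv1; anything lower (or unset)
        # still accepts it, which is the point Mike raised.
        RefusesNtlmV1        = ($null -ne $level -and [int]$level -ge 5)
        # NoLMHash=1 stops the LM hash being stored on the next password change;
        # it says nothing about the NT hash, which is always kept.
        LmHashStorageOff     = ($null -ne $noLm -and [int]$noLm -eq 1)
    }
}

function Set-LmAuthSetting {
    # Raise the level (default 5) and optionally stop LM hash storage. Raise DCs
    # only after every client that authenticates to them is at level 3 or above,
    # otherwise those clients stop logging on.
    param(
        [ValidateRange(0, 5)][int]$Level = 5,
        [switch]$DisableLmHashStorage
    )
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    if ($DisableLmHashStorage) {
        Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
    }
}

# Audit across domain controllers (names are placeholders).
$dcs = 'DC01', 'DC02', 'RODC-BRANCH01'
Invoke-Command -ComputerName $dcs -ScriptBlock {
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' |
        Select-Object @{ n = 'ComputerName'; e = { $env:COMPUTERNAME } },
                      LmCompatibilityLevel, NoLMHash
} | Format-Table -AutoSize

# Local report, then harden the local machine.
Get-LmAuthSetting
Set-LmAuthSetting -Level 5 -DisableLmHashStorage
```

Two caveats a practitioner would add. NoLMHash only takes effect at the next password change, so existing LM hashes stay in the directory until every account has rotated its password; and setting level 5 on DCs is a server-side refusal, so the audit has to cover the clients first. On Windows Server 2008 R2 and later the "Network security: Restrict NTLM" audit policies record which clients still fall back to NTLM before you cut them off; Server 2008 itself has no equivalent, which is why Florian's "legacy support" objection was the hard part in 2009.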

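The RODC question that started the thread (is it safe to put Domain Computers in the Allowed RODC Password Replication Group?) is answered by joe's dump of the Denied group: an account that is, directly or through nesting, on the RODC's denied list (msDS-NeverRevealGroup) is never cached, whatever the allowed list (msDS-RevealOnDemandGroup) says. That is the rule the "Resultant Policy" tab in Active Directory Users and Computers applies. The script below is an added example, not code from the thread or its participants, that computes the same resultant answer for one account and then lists the computer secrets an RODC already holds. It assumes the ActiveDirectory PowerShell module, which shipped with Windows Server 2008 R2 and later (the thread itself is Server 2008 era); the RODC and account names are placeholders.

```powershell
# Added example (not from the thread). Compute the resultant RODC password
# replication policy for one account: a hit on the RODC's denied list
# (msDS-NeverRevealGroup) wins over any hit on its allowed list
# (msDS-RevealOnDemandGroup). Assumes the ActiveDirectory module (RSAT on
# Windows Server 2008 R2 or later); RODC and account names are placeholders.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in filter values so that a DN
    # such as CN=Smith\, John,... can be used as a matching-rule operand.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-AccountGroupChain {
    # Every group the account belongs to, directly or by nesting. The primary
    # group (primaryGroupID) lives on the account, not in any group's member
    # attribute, so it is added by hand; for computers that is normally
    # Domain Computers, the group Tony proposed putting on the allowed list.
    param([Parameter(Mandatory = $true)]$Account)
    $inChain = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN
    $dn = ConvertTo-LdapFilterValue $Account.DistinguishedName
    $groups = @(Get-ADGroup -LDAPFilter "(member:$($inChain):=$dn)")
    if ($Account.primaryGroupID) {
        $domainSid = (Get-ADDomain).DomainSID.Value
        $primary   = Get-ADGroup -Identity "$domainSid-$($Account.primaryGroupID)"
        $pdn       = ConvertTo-LdapFilterValue $primary.DistinguishedName
        $groups   += $primary
        $groups   += @(Get-ADGroup -LDAPFilter "(member:$($inChain):=$pdn)")
    }
    $groups | Sort-Object -Property DistinguishedName -Unique
}

function Get-RodcResultantPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$Rodc,      # e.g. 'RODC-BRANCH01'
        [Parameter(Mandatory = $true)][string]$Identity   # sAMAccountName, e.g. 'WS-BRANCH-17$'
    )
    $sam     = ConvertTo-LdapFilterValue $Identity
    $account = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties primaryGroupID
    if (-not $account) { throw "Account '$Identity' not found" }

    # Allowed and denied lists may hold users, computers and groups directly.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
                 ForEach-Object { $_.DistinguishedName })
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
                 ForEach-Object { $_.DistinguishedName })

    # The account itself plus everything it is a (nested) member of.
    $chain = @($account.DistinguishedName) +
             @(Get-AccountGroupChain -Account $account | ForEach-Object { $_.DistinguishedName })
    $denyHits  = @($chain | Where-Object { $denied  -contains $_ })
    $allowHits = @($chain | Where-Object { $allowed -contains $_ })

    [pscustomobject]@{
        RODC       = $Rodc
        Account    = $Identity
        Cacheable  = ($denyHits.Count -eq 0) -and ($allowHits.Count -gt 0)
        DeniedVia  = $denyHits  -join '; '
        AllowedVia = $allowHits -join '; '
    }
}

# A branch workstation and a writable DC: even with Domain Computers on the
# allowed list, DC01$ stays denied because Domain Controllers is a member of
# Denied RODC Password Replication Group, as joe's dump shows.
Get-RodcResultantPolicy -Rodc 'RODC-BRANCH01' -Identity 'WS-BRANCH-17$'
Get-RodcResultantPolicy -Rodc 'RODC-BRANCH01' -Identity 'DC01$'

# Computer accounts whose secrets the RODC already holds (msDS-RevealedUsers):
# this is the list an attacker with the RODC's disk actually gets.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC-BRANCH01' -RevealedAccounts |
    Where-Object { $_.ObjectClass -eq 'computer' } |
    Select-Object Name, DistinguishedName
```

Run Get-RodcResultantPolicy for each RODC against a sample of accounts before changing the allowed list, and review the -RevealedAccounts output periodically: the policy bounds what an RODC may cache, but the revealed list is what has already been cached, and that is the set of accounts to reset if the RODC is lost.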
Copyright 2009 ActiveDir.org