Toll Free: (866) 407-5279 Direct: (651) 407-5279
This article describes how to change the NTLM authentication settings so that a Master-Agent can communicate with (that is, query) a Leaf-Agent machine, particularly in a hardened environment where the Leaf accepts only NTLMv2.
If you can see a Leaf-Agent icon (head) but querying the Leaf-Agent machine fails, the cause may be an NTLM protocol mismatch: for example, the Master-Agent sends LM and NTLMv1 responses while the Leaf-Agent machine accepts only NTLMv2. Either make the Master send NTLMv2, or make the Leaf-Agent machine accept LM/NTLMv1. In a hardened environment you will almost always want the former, because lowering the Leaf's level weakens every authentication that machine performs, not just the Master's queries.
Remedy 1 (GUI): raise the LAN Manager authentication level on the Master-Agent machine so that it sends NTLMv2, or lower it on the Leaf-Agent machine so that it accepts LM/NTLMv1, using the Local Security Settings console on that machine.
Go to "Start | Settings | Control Panel | Administrative Tools | Local Security Settings" (on later Windows versions the console is called Local Security Policy; running secpol.msc opens it directly).
Expand "Local Policies | Security Options" and open "Network security: LAN Manager authentication level" (named "LAN Manager Authentication Level" on Windows 2000), shown below.
Pick the setting that lets your Master/Leaf combination negotiate. The hardened choice is "Send NTLMv2 response only" (level 3) or higher on both machines; the six levels are listed under Remedy 2.
Remedy 2 is the same as Remedy 1 above, done with registry edits rather than the GUI (the GUI policy writes the same registry value).
Launch regedit or regedt32
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Double-click "LmCompatibilityLevel" (a REG_DWORD; create it if it is absent) and enter the value for the level you want. Authentication strength increases as you go from LM to NTLMv1 to NTLMv2; see the usage notes below.
0 = Send LM and NTLMv1 responses; never use NTLMv2 session security
1 = Send LM and NTLMv1 responses; use NTLMv2 session security if the server negotiates it
2 = Send NTLMv1 response only
3 = Send NTLMv2 response only
4 = Send NTLMv2 response only; as a server, refuse LM responses (accept NTLMv1 and NTLMv2)
5 = Send NTLMv2 response only; as a server, refuse LM and NTLMv1 responses (accept NTLMv2 only)
Every level changes what the machine sends as a client; only levels 4 and 5 change what it accepts as a server (a domain controller for domain accounts, the machine itself for its local accounts). Servers at levels 0 to 3 accept LM, NTLMv1 and NTLMv2. So a Master at level 0, 1 or 2 cannot authenticate to a Leaf at level 5; a Master at level 3 or higher can.
If you select level 3, also set the following value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Set the REG_DWORD "NtlmMinServerSec" to 0x00080000.
This requires NTLMv2 session security, at a minimum, on incoming NTLM SSP sessions (including secure RPC). The value is a set of bit flags rather than a level, so several requirements are combined by OR-ing them: 0x00000010 = message integrity, 0x00000020 = message confidentiality, 0x00080000 = NTLMv2 session security, 0x20000000 = 128-bit encryption. The matching client-side value is "NtlmMinClientSec". Note that a client at level 0 never uses NTLMv2 session security, so requiring it on the Leaf also shuts out a level-0 Master.
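The following PowerShell is an added example for this page, not code from the original article or from the product vendor. It reads and decodes the settings both remedies touch on the local machine, predicts whether a given Master/Leaf pair of LmCompatibilityLevel values will interoperate, and performs Remedy 2 only when run with -Apply, so a plain run changes nothing. The registry paths, value names and the level and flag meanings are Microsoft's; the function names and the interoperability model in Test-NtlmInterop are this example's own assumptions (it assumes both machines are NTLM-capable and that the Leaf's own level governs what it refuses).

```powershell
# Added example (not from the original KB article): decode the NTLM settings the
# article covers and predict Master/Leaf interoperability. Run elevated.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# LmCompatibilityLevel: what the machine sends as a client, what it refuses as a server.
$LmLevels = @{
    0 = @{ Sends = @('LM', 'NTLMv1'); Refuses = @() }           # never uses NTLMv2 session security
    1 = @{ Sends = @('LM', 'NTLMv1'); Refuses = @() }           # NTLMv2 session security if negotiated
    2 = @{ Sends = @('NTLMv1');       Refuses = @() }
    3 = @{ Sends = @('NTLMv2');       Refuses = @() }
    4 = @{ Sends = @('NTLMv2');       Refuses = @('LM') }
    5 = @{ Sends = @('NTLMv2');       Refuses = @('LM', 'NTLMv1') }
}

# NtlmMinClientSec / NtlmMinServerSec are OR-ed bit flags, not levels.
$MinSecFlags = [ordered]@{
    0x00000010 = 'message integrity'
    0x00000020 = 'message confidentiality'
    0x00080000 = 'NTLMv2 session security'
    0x20000000 = '128-bit encryption'
}

function Get-NtlmSetting {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent: the OS default for this Windows version applies
    return [int]$item.$Name
}

function Format-MinSec {
    param([int]$Flags)
    $names = foreach ($bit in $MinSecFlags.Keys) { if ($Flags -band $bit) { $MinSecFlags[$bit] } }
    if (-not $names) { return 'none required' }
    return ($names -join ', ')
}

function Test-NtlmInterop {
    # Assumed model: the Leaf (server) must accept at least one response type the
    # Master (client) sends, and a Leaf requiring NTLMv2 session security rejects a
    # level-0 Master because level 0 never negotiates it.
    param([ValidateRange(0, 5)][int]$MasterLevel, [ValidateRange(0, 5)][int]$LeafLevel, [int]$LeafMinServerSec = 0)
    $sent    = $LmLevels[$MasterLevel].Sends
    $refused = $LmLevels[$LeafLevel].Refuses
    $usable  = @($sent | Where-Object { $refused -notcontains $_ })
    if ($usable.Count -eq 0) { return $false }
    if (($LeafMinServerSec -band 0x00080000) -and ($MasterLevel -eq 0)) { return $false }
    return $true
}

function Set-NtlmLevel {
    # Remedy 2 as a script. Writes nothing unless -Apply is given.
    param([ValidateRange(0, 5)][int]$Level, [switch]$Apply)
    if (-not $Apply) { Write-Host "Dry run: would set LmCompatibilityLevel=$Level (add -Apply to write)"; return }
    Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
    if ($Level -eq 3) {
        # The article's companion setting for level 3: require NTLMv2 session security server-side.
        $current = Get-NtlmSetting $Msv1Key 'NtlmMinServerSec'
        Set-ItemProperty -Path $Msv1Key -Name 'NtlmMinServerSec' -Value ($current -bor 0x00080000) -Type DWord
    }
}

function Show-NtlmReport {
    $level = Get-NtlmSetting $LsaKey 'LmCompatibilityLevel'
    if ($null -eq $level) {
        Write-Host 'LmCompatibilityLevel : not set (OS default applies)'
    } else {
        $l   = $LmLevels[$level]
        $ref = if ($l.Refuses.Count) { $l.Refuses -join '/' } else { 'nothing' }
        Write-Host "LmCompatibilityLevel : $level (sends $($l.Sends -join '/'); refuses $ref)"
    }
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $flags = Get-NtlmSetting $Msv1Key $name
        if ($null -eq $flags) { $flags = 0 }
        Write-Host ("{0,-20} : 0x{1:X8} ({2})" -f $name, $flags, (Format-MinSec $flags))
    }
    # The article's failing case and its remedies, as constructed Master/Leaf pairs.
    Write-Host "`nMaster Leaf  LeafMinServerSec  Works"
    foreach ($case in @(@(0, 5, 0), @(3, 5, 0), @(0, 4, 0), @(0, 3, 0x80000), @(1, 3, 0x80000))) {
        $ok = Test-NtlmInterop -MasterLevel $case[0] -LeafLevel $case[1] -LeafMinServerSec $case[2]
        Write-Host ("{0,-6} {1,-5} 0x{2:X8}        {3}" -f $case[0], $case[1], $case[2], $ok)
    }
}

Show-NtlmReport
Set-NtlmLevel -Level 3   # dry run; "Set-NtlmLevel -Level 3 -Apply" performs Remedy 2
```

Run Show-NtlmReport on both the Master and the Leaf and feed the two levels to Test-NtlmInterop; the constructed table reproduces the article's scenario (Master 0 against Leaf 5 fails, Master 3 against Leaf 5 works). After applying a new level, restarting the machine is the safe way to be sure it is in effect for all services.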
LM authentication is weaker than NTLMv1 or NTLMv2 because of how the LM hash is built: the password is converted to uppercase, truncated or zero-padded to 14 bytes, and split into two 7-byte halves, each of which is used as a DES key to encrypt a fixed constant. The two halves can therefore be attacked independently, which limits the effective password strength to 7 characters drawn from the set of uppercase alphabetic, numeric and punctuation characters, plus 32 special ALT characters; a password of 7 or fewer characters even has a recognizable constant second half. Users often do not avail themselves of anything more than alphabetic characters.
In contrast, NTLMv1 uses the NT hash, an MD4 of the Unicode password, which is case-sensitive and covers the whole password rather than 7-character chunks, so all 14 characters (and lowercase letters) count. An attacker eavesdropping on the NTLMv1 challenge-response exchange can still attack it offline much as for LM, but with a strong password it takes far longer to succeed. Note, however, that the NTLMv1 response is the server's 8-byte challenge DES-encrypted under keys taken directly from the hash, so a captured exchange can also be attacked at the DES key level to recover the hash itself, independent of password strength.
For NTLMv2, the response is an HMAC-MD5 keyed with a 128-bit hash derived from the NT hash, user name and domain, computed over the server challenge and a client blob carrying a timestamp and client nonce. A 128-bit key space makes exhaustive search of the key infeasible, even with hardware accelerators. The key is still derived from the password, so a captured NTLMv2 exchange allows an offline dictionary attack and is only as strong as the password chosen; and neither NTLMv1 nor NTLMv2 by itself prevents a live exchange from being relayed to another server unless signing is enforced.
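The following PowerShell is an added example for this page, not code from the original article or the product vendor. It computes LM hashes with .NET's DES implementation to show the weaknesses described above (case folding, the two independent 7-character halves, and the constant second half of a short password), then recovers one half on its own by brute force over a small constructed character set. The sample passwords, the charset and the function names are this example's constructions; the LM algorithm itself (uppercase, pad to 14 bytes, two DES keys, constant plaintext "KGS!@#$%") and the empty-half constant are the documented ones.

```powershell
# Added example (not from the original KB article): LM hash weaknesses, demonstrated.

# Hash of an all-zero 7-byte half (a password of 7 or fewer characters). Its DES key
# is the weak key 01 01 .. 01, which .NET refuses to load, so the well-known constant
# is used directly instead of being computed.
$EmptyHalfHash = 'AAD3B435B51404EE'

function ConvertTo-DesKey {
    # Spread 7 bytes (56 bits) over 8 bytes, 7 bits each; the low bit is odd parity.
    param([byte[]]$Seven)
    [long]$n = 0
    foreach ($b in $Seven) { $n = ($n -shl 8) -bor $b }
    $key = New-Object byte[] 8
    for ($i = 0; $i -lt 8; $i++) {
        $g = [int](($n -shr (49 - 7 * $i)) -band 0x7F)
        $ones = 0; $t = $g
        while ($t -ne 0) { $ones += $t -band 1; $t = $t -shr 1 }
        $key[$i] = [byte](($g -shl 1) -bor (($ones + 1) % 2))
    }
    return ,$key
}

function ConvertTo-Hex { param([byte[]]$Bytes) return (($Bytes | ForEach-Object { $_.ToString('X2') }) -join '') }

function Get-LmHalf {
    # DES-encrypt the LM constant under one 7-byte half; returns the 8-byte result as hex.
    param([byte[]]$Half)
    if (($Half | Measure-Object -Sum).Sum -eq 0) { return $EmptyHalfHash }
    $des = [System.Security.Cryptography.DES]::Create()
    try {
        $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
        $des.Padding = [System.Security.Cryptography.PaddingMode]::None
        $des.Key     = ConvertTo-DesKey $Half
        $magic = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')
        return ConvertTo-Hex ($des.CreateEncryptor().TransformFinalBlock($magic, 0, 8))
    } catch [System.Security.Cryptography.CryptographicException] {
        return $null   # other DES weak/semi-weak keys; does not arise for printable passwords
    } finally { $des.Dispose() }
}

function Get-LmHash {
    # LM: uppercase, single-byte encode (ASCII here; Windows used the OEM code page),
    # truncate or zero-pad to 14 bytes, split 7|7, hash each half separately.
    param([string]$Password)
    $buf = New-Object byte[] 14
    $src = [System.Text.Encoding]::ASCII.GetBytes($Password.ToUpperInvariant())
    [Array]::Copy($src, $buf, [Math]::Min($src.Length, 14))
    return (Get-LmHalf $buf[0..6]) + (Get-LmHalf $buf[7..13])
}

function Find-LmHalf {
    # Brute-force one half on its own: LM lets an attacker do this per half, so a
    # 14-character password costs two searches of 7 characters, not one of 14.
    # Charset and length bound are constructed to keep the demo to a few seconds.
    param([string]$TargetHex, [string]$Charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789', [ValidateRange(1, 7)][int]$MaxLen = 2)
    $tried = 0
    $prefixes = @('')
    for ($len = 1; $len -le $MaxLen; $len++) {
        $prefixes = foreach ($p in $prefixes) { foreach ($c in $Charset.ToCharArray()) { $p + $c } }
        foreach ($cand in $prefixes) {
            $tried++
            $half = New-Object byte[] 7
            $src  = [System.Text.Encoding]::ASCII.GetBytes($cand)
            [Array]::Copy($src, $half, $src.Length)
            if ((Get-LmHalf $half) -eq $TargetHex) { return @{ Plaintext = $cand; Tried = $tried } }
        }
    }
    return $null
}

# Constructed sample passwords.
$a = Get-LmHash 'Password7'
$b = Get-LmHash 'PASSWORDxyz'   # same first 7 letters, different case and tail
$c = Get-LmHash 'Passwor'       # 7 characters: second half is empty
"LM('Password7')   = $a"
"LM('PASSWORDxyz') = $b"
"LM('Passwor')     = $c"
"First halves equal (case folded, only 7 chars matter): $($a.Substring(0, 16) -eq $b.Substring(0, 16))"
"Short password exposes the empty-half constant:        $($c.EndsWith($EmptyHalfHash))"
$hit = Find-LmHalf -TargetHex $a.Substring(16)
"Second half of 'Password7' recovered as '$($hit.Plaintext)' after $($hit.Tried) guesses"
```

The two comparisons print True: the first 16 hex digits of the two hashes match because only the uppercased first 7 characters reach the first DES key, and the 7-character password ends in the empty-half constant. Find-LmHalf then recovers the 8th and 9th characters of 'Password7' by searching the second half alone, which is exactly the chunked attack the text describes. Windows has not stored LM hashes by default since Windows Vista and Server 2008 (NoLMHash), so this is illustrative of why the LM level is the one to retire.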
For more information, go to http://support.microsoft.com/ and search the Knowledge Base for "NTLM" or "LmCompatibilityLevel".