Windows Vista Harden Security (Part 3)
Microsoft Windows operating systems support a range of network authentication protocols: LM (LAN Manager), NTLM, NTLMv2 and Kerberos. The obvious limitation is that older versions of Windows cannot use the newer and more secure protocols, such as NTLMv2 and Kerberos, unless they are upgraded with service packs or patches (where Microsoft has made them available) that add support for them.
The less obvious issue concerns the newer operating system, Windows Vista in particular, which we would expect to remain backward compatible with the older and less secure protocols, LM and NTLM. That is not the case with Windows Vista: Microsoft disabled those protocols by default in this release of Windows to reduce its attack surface. This is to be expected, as Microsoft now applies security best practices throughout its product development lifecycle.
So what is the problem? If you have any system or device that does not support NTLMv2, such as an old Network Attached Storage (NAS) device, a Macintosh, or a Samba server, you cannot access its file shares from Windows Vista, even though you could from Windows XP.
The solution is fairly simple: configure the Windows Vista local security policy to respond to LM and NTLM challenges. The default LAN Manager authentication level in Windows XP is “Send LM & NTLM responses”, but in Windows Vista it is “Send NTLMv2 response only”, which denies access to systems that do not support NTLMv2 authentication. Follow the steps below to configure the Windows Vista Local Security Policy to respond to LM and NTLM.
- Go to the Start Menu, type secpol.msc in the Start Search box and press <ENTER>. There might be a UAC elevation prompt; allow the action and proceed with the next step.
- Under Security Settings in the Local Security Policy Editor, expand Local Policies and select Security Options.
- In the right pane, double-click the setting “Network Security: LAN Manager authentication level”.
- Set its value to “Send NTLM response only”, or lower if necessary (at your own discretion).
- Click OK and run the gpupdate command to apply the newly configured security policy.
After the refresh, you should be able to connect to your NAS device, Mac OS or Samba shared folders without difficulty.
Here is an alternative solution for those who cannot get their hands on secpol.msc (Vista Home Basic/Premium users), but it involves more risk, as you will need to edit a registry value directly.
- Launch "Registry Editor" (regedit.exe).
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
- Create a DWORD registry value and name it "LMCompatibilityLevel".
- Set its value to 2 (Send NTLM response only) or lower, 1 or 0 (again at your own discretion).
- Quit the Registry Editor.
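As an added example, not part of the original article, here is a PowerShell script that does the same check and change from an elevated prompt, covering both the secpol.msc and the regedit procedures above (they write the same registry value). It reads the current LMCompatibilityLevel, prints its meaning, lowers it to 2 only when the current setting is stricter, and then tests the share that failed before. The level names are those documented in the Microsoft KB linked below; the UNC path is a placeholder, and the functions, variable names and the `-AllowLm` switch are assumptions of this example.

```powershell
# Added example, not from the original article: audit and change the
# LAN Manager authentication level from an elevated PowerShell prompt.
# Same key and value name as the regedit steps; level meanings per Microsoft KB 239869.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LMCompatibilityLevel'

$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured level, or 3 when the value is absent
    # (Vista's default, "Send NTLMv2 response only").
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 3 }
    return [int]$item.$ValueName
}

function Set-LmCompatibilityLevel {
    param(
        [ValidateRange(0, 5)][int]$Level = 2,   # 2 is the strictest level that still answers NTLM-only servers
        [switch]$AllowLm                        # hypothetical switch: required for levels 0 and 1, which also send LM responses
    )
    if ($Level -lt 2 -and -not $AllowLm) {
        throw "Level $Level sends LM responses; pass -AllowLm if that is really needed."
    }
    # New-ItemProperty -Force creates the DWORD or overwrites an existing one
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Level -PropertyType DWord -Force | Out-Null
}

$before = Get-LmCompatibilityLevel
Write-Host ("Current level: {0} ({1})" -f $before, $LevelNames[$before])

# Lower to level 2 only if the current setting is stricter; never loosen further than needed
if ($before -gt 2) {
    Set-LmCompatibilityLevel -Level 2
    $after = Get-LmCompatibilityLevel
    Write-Host ("New level:     {0} ({1})" -f $after, $LevelNames[$after])
}

# Verify against the share that failed before (placeholder UNC path, replace with your own)
$Share = '\\NAS-PLACEHOLDER\share'
if (Test-Path -Path $Share) {
    Write-Host "Reachable: $Share"
} else {
    Write-Host "Still not reachable: $Share"
}
```

If the setting is also managed through Local Security Policy or a domain Group Policy, the policy value is written back to this registry key on the next policy refresh, so where secpol.msc is available make the change there rather than in the registry.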
For more information on LMCompatibilityLevel values, see the links below.
http://support.microsoft.com/kb/239869
http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/