2

My scenario is that I have a website set up via IIS in Windows Server 2012 R2 Standard using Windows Authentication which has been detected as vulnerable to an NTLMv1 attack and so I am looking to disable this and allow NTLMv2 only.

From my research on this topic and found a lot of helpful information such as "Anonymous Logon" vs "NTLM V1" What to disable? and https://markgamache.blogspot.co.nz/2013/01/ntlm-challenge-response-is-100-broken.html

From these links and others like them, the only answer that is typically given is to have a registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa named LmCompatibilityLevel and adjust it. I have tried setting this to the value 5 which is Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.

However, when I do this it appears I am still able to connect to the website successfully using my Windows credentials from another server that I have set up to have LmCompatibilityLevel set to 0 which is supposed to only use/allow LM/NTLM.

The way I have detected that it is using NTLMv1 authentication is via the Windows Security Logs.

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V1
    Key Length:     128

When I set the registry value to 3 or higher on the client server prior to connection, the Package Name value becomes NTLM V2.

I have also changed the Local and Group Security Policy Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM but I understand from my testing that these are essentially different interfaces for the same setting.

Has anyone experienced this or know if there's a different setting I'm missing that I need to change?

Calvin N
  • 21
  • 1
  • 1
  • 3

3 Answers3

1

From my experience, I've faced this because of setting ntlm.auth.domain with incorrect domain name, when configuring NTLMv2 (Configured an authentication in 2008 R2).

Found the solution in @Silvio Meier post (2. pitfall), which describes an issue better: https://web.liferay.com/community/forums/-/message_boards/message/57355858

Strepsils
  • 4,817
  • 9
  • 14
0

3 sends only NTLMv2, but it accepts LM, NTLMv1, and NTLMv2. https://technet.microsoft.com/en-us/library/2006.08.securitywatch.aspx

markgamache
  • 195
  • 4
  • This is a good point. I have adjusted my question so it reflects my problem more accurately. Thanks for the link, I think the tables in it are clear and easy to understand. This sort of setting is new to me and it looks like I have a lot to learn. – Calvin N Dec 22 '16 at 21:06
0

In case someone else has the same problem in the future, it looks like this setting was being overwritten by a Domain Controller setting that was lower. When setting the Domain Controller to level 5 (Send NTLMv2 response only. Refuse LM & NTLM), then it refuses NTLM v1 connections.

If we edited the registry and restarted the computer, the setting was also overwritten by the restart, so only editing the Domain Controller settings was able to achieve the required result of refusing NTLMv1 connections.

Calvin N
  • 21
  • 1
  • 1
  • 3