Does eliminating NetBios kill NTLMv2?

[Jacques Koorts]

Read this in Mark Minasi's articles.

<quote>I guess that's why shutting down NetBIOS made things faster, as
eliminating
NetBIOS kills LM, NTLM, and NTLMv2.</quote>

So if you disable Netbios on your computer, your computer will use Kerberos?
What Osses support Kerberos? Is this all auto?

Here some more from the Article.

<quote> personally think that the LM "hole" is one that Microsoft should
have
plugged a long time ago through their defaults, but they haven't, probably
because so many clients use Wintendo boxes. With hope we'll see LM just a
bad memory soon, though. I urge you to seriously consider rolling out this
change and let me close this by offering an performance incentive to go "all
NTLMv2:" logons are faster. If you've ever read my pieces on how much
faster NET USE commands become when you shut off NetBIOS, then you probably
wondered why they got so much faster. I never knew either, but since
shutting off NTLM and LM, I've noticed much, much snappier response from my
NET USE commands. I still don't know why, but now I've got a guess:
getting rid of NTLM and LM just plain simplified the logon process. As the
clients and servers have fewer options, things just happen more quickly. I
guess that's why shutting down NetBIOS made things faster, as eliminating
NetBIOS kills LM, NTLM, and NTLMv2.</quote>

 

[Miha Pihler]

Windows 2000 or newer operating system from Microsoft will work with
Kerberos.

Windows 95, Windows NT and newer operating system can use NTLM v. 2. which
is more secure then NTLM and much more secure then LM. LM is actually a
legacy from IBM

Another thing about e.g. NetBIOS. It will use broadcasts and it will use
longer period before it will timeout. TCP/IP doesn't use broadcasts. It will
use direct TCP/IP connection to computer and protocol design will allow for
smaller timeout periods. This will make it faster on LAN (e.g. when browsing
for shares, ...)

Mike

 

[Steven L Umbach]

Disabling netbios over tcp/ip does not eliminate downlevel authentication.
You can verify that by disabling it on a domain controller and then using
\\xxx.xxx.xxx.xxx\sysvol to connect to the sysvol share using it's IP
address instead of name and look in the security log of the domain
controller to see the authentication method used. You can control/manage
authentication methods used in the domain with the lan manager
authentication level security option in Domain and Domain Controller
Security Policy. W2K/XP Pro/W2003 domain computers will use kerberos by
default as long as the computer name is used instead of IP address and the
time on the computer is all within the default five minute skew which should
not be a problem with domain computers unless you have one that loses time
very rapidly as domain computers synch their time with the pdc fsmo in their
domain. By default domain computer are configured to use nt/ntlm only which
I would recommend changing to send ntlmv2 responses only unless you have W9X
computers in the domain offering shares to domain users that do not have the
Directory Services Client installed.. --- Steve

 

[Steven L Umbach]

Hmm. I bet you mean dns does not use broadcasts. --- Steve

 

[Miha Pihler]

Hi Steve

Yes, sorry, bad choice of words ...

As always, thanks for the correction

Mike

 

[Steven L Umbach]

Hi Mike.

I knew what you meant, but just wanted to clarify for the sake of those that
might not. I expect you to do the same for me. Your replies to user
questions are highly helpful and appreciated. --- Steve

 

[Roger Abell]

Just adding a couple items to the already stated . . .

There is a (actually not so) subtle confusion in these quotes.

LM/NTLM v1/v2 are authentication mechanisms.

NetBIOS has three aspects, one of which is name/location
services (i.e. get IP knowing NetBIOS name) but none of
which are authentication services.

Shutting off NetBIOS forces uplevel clients to use only
DNS for name resolution (and direct hosting on tcp 445 for
the other aspects of NetBIOS).

In default configs, domain members will try the most strong
allowed authentication first (and it really should work if all
is between uplevel machines). (Note: one should alter the
difficult to understand default policy of client machines to use
Ntlm or Lm, that is, excluding Ntlm v2). Since the strongest,
and first tried should work, there should not be a failover
delay - and there is really no reason to expect this to differ
due to how the location for the authentication attempt has
been determined.

How a machine finds where it will try to authenticate is
impacted by whether or not NetBIOS is enabled. Without it
all efforts are DNS only (i.e. there is no room for delays from
wait/retry states in the NetBIOS based name services - just a
failure when DNS cannot resolve the name).

How a machine accesses such as file share resources can
differ also depending on whether NetBIOS (over Tcp/Ip)) is
enabled - leaving room for another performance difference
to be observed.

 

[Jacques Koorts]

thanks guys,

I knew that sentence could not be right. Mark Minasi probably made a mistake
in that sentence.

I've already last night disabled NETBIOS and set the GPO, to use only NTLMv2

For interest sake, how do i disable NTLMv2 all together and just use
Kerberos?

cheers
jk

 

[Steven L Umbach]

As far as I can tell you can not totally disable ntlmv2. In a well oiled
domain of all W2K and newer operating systems kerberos should always be used
anyhow with the few exceptions I mentioned. Ntlmv2 is a secure
authentication method also and will be needed if you ever configure trusts
with Windows 2000 domains in another forest or for other possible situations
including Remote Access Servers. Since you seem to have no downlevel clients
you might want to consider configuring security policy for lan manager
authentication level to be send ntlmv2 responses\refuse lm so that there is
never a possibility of a computer using lm to authenticate in the domain.
Also consider disabling the storage of lm hashes on at least your domain
controllers. Though domain controllers should be physically secured, it is
easy to do and would delay any password cracking attempts on user accounts
which may be needed to access EFS encrypted files or such. Password cracking
attempts could even be tried remotely on a domain controller if a user
obtained domain admin credentials and had access though Terminal
Services/Remote Desktop. Beyond that, enforcement of password complexity in
the domain will go a long way to protecting your domain resources. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656& -- the
registry method must be used for Windows 2000 and followed exactly.