Windows 9x clients authentication

Guest

Dear sirs,
On a network with a Windows 2000 Advanced Server domain, is there a way not
to allow Windows 95, 98 and ME clients to authenticate or log on to the
domain? (Note: I want to deny access for the operating systems, not the
user accounts or computer accounts.) This means that if a user has a dual boot
(2000 Pro, 98), he can access and log on to the domain, but when booted with
Windows 98, he can't.
Thank you for your help

best regards
 
Guest

Hi,

When authenticating from 9x and ME machines, LM authentication is used. This
can be disallowed via Group Policy. Maybe that will work.

But please notice that some services or programs may depend on LM
authentication, so be sure to test properly.

/Lars
 
Steven L Umbach

You might try disabling LM in the domain by using Domain Security Policy and
configuring the LAN Manager authentication level to be "send ntlmv2 responses
only/refuse lm". That is a security option under security settings/local
policies/security options. I am not sure if Windows ME can use NTLM as
installed [W95/98 definitely cannot] and any of them can use NTLM or NTLMv2
if the user installs the Directory Services Client on the operating system.
The link below explains a bit more.

http://www.windowsecurity.com/articles/Protect-Weak-Authentication-Protocols-Passwords.html

The only really secure method would be to use an IPsec "require" policy on all
computers that you do not want these operating systems to access. By default
in a domain, IPsec uses Kerberos for computer authentication, which would
preclude down-level operating systems. Keep in mind, however, that IPsec
negotiation policies require that domain controllers be exempted by their
static IP addresses [via a rule with a permit filter action] for
communications to non-domain-controller domain members, because they are the
Kerberos key distribution centers. IPsec also has some overhead involved,
though you can configure policy to use AH only to reduce that if you do not
need data encrypted. Never deploy an IPsec policy without some testing
first, as you can shut down the domain if done wrong. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
-- basics of ipsec for W2K.
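
The LAN Manager authentication level suggested in the replies above can be checked before and after a policy change. The following is an added example, not code from any poster in this thread: it assumes the policy has been exported as a security template (.inf) in which the setting appears under `[Registry Values]` as `MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,<level>`. The function names and sample templates are constructed for illustration.

```python
import re

# Registry value behind the "LAN Manager authentication level" security option.
LM_VALUE = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"

# Option names as listed in Security Options, indexed by the DWORD value.
LEVELS = [
    "Send LM & NTLM responses",
    "Send LM & NTLM - use NTLMv2 session security if negotiated",
    "Send NTLM response only",
    "Send NTLMv2 response only",
    "Send NTLMv2 response only\\refuse LM",
    "Send NTLMv2 response only\\refuse LM & NTLM",
]

def lm_level(template):
    """Return LmCompatibilityLevel from [Registry Values], or None if unset."""
    section = ""
    for line in (raw.strip() for raw in template.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "registry values" and "=" in line:
            name, _, data = line.partition("=")
            if name.strip().lower() == LM_VALUE:
                reg_type, _, value = data.partition(",")
                if reg_type.strip() != "4":  # 4 = REG_DWORD in template syntax
                    raise ValueError("unexpected registry type: " + data)
                return int(value)
    return None

def audit(template):
    """Return (dc_refuses_lm, explanation); dc_refuses_lm is None when unset."""
    level = lm_level(template)
    if level is None:
        return None, "not defined in this template"
    if not 0 <= level < len(LEVELS):
        raise ValueError("level out of range: %d" % level)
    # Levels 4 and 5 are the settings at which domain controllers refuse LM.
    return level >= 4, "level %d: %s" % (level, LEVELS[level])

# Constructed sample templates (not taken from a real domain).
SAMPLE_REFUSE_LM = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
"""
SAMPLE_ACCEPTS_LM = SAMPLE_REFUSE_LM.replace("Level=4,4", "Level=4,2")

if __name__ == "__main__":
    print(audit(SAMPLE_REFUSE_LM), audit(SAMPLE_ACCEPTS_LM))
```

A result of `None` means the template does not define the setting, so the effective value has to be read from whichever policy or local default applies to the domain controllers.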
 
