Question
Tuesday, April 9, 2013 12:31 PM
Hello everyone,
In my network I have Windows 2008R2 DCs, IIS, SQL Server, and an intranet.
I wonder if I can disable NTLM authentication for the traffic so that only Kerberos is used.
Could this cause a problem?
How can I disable NTLM?
thank you
All replies (15)
Thursday, April 11, 2013 12:45 PM ✅ Answered
Hi Felipe,
I would go with auditing NTLM rather than blocking it. The article below is a great read:
Tuesday, April 9, 2013 12:54 PM
1) Why would you want to disable NTLM?
2) If you disabled NTLM you would have to configure Kerberos authentication for IIS and SQL.
By default, user authentication will use Kerberos when logging into the domain. If you want to use Kerberos between IIS and SQL, there are some configuration steps that need to happen to make it work.
http://support.microsoft.com/kb/319723
Hope This Helps!
Wednesday, April 10, 2013 6:42 AM
I concur with Ryan. You really don't want to disable it, provided you understand the implications. You may have applications and services running, such as what Ryan mentioned, that do not use Kerberos.
Besides the Microsoft services you've listed, what other applications are installed? How about client operating systems? Any older clients? How about Macs, Linux or Unix? They may not be able to support Kerberos unless you "Kerberize" the Linux and Unix machines, and "bind" the Macs to AD.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, April 10, 2013 7:11 AM
It is not that simple. First you need to know which applications use NTLM. You find this out by enabling NTLM authentication auditing. More info at the following link:
Johan Loos
Wednesday, April 10, 2013 7:26 AM
Hi Felipe_Senna1,
I agree with the above suggestions.
And we do not recommend disabling NTLM.
Thanks.
Jeremy Wu
TechNet Community Support
Thursday, April 11, 2013 12:50 AM
If it's more about security, rather than disabling it, audit the protocol:
http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
Microsoft apps are developed with both NTLM and Kerberos in consideration; most protocols have a fallback to NTLM if the primary authentication protocol fails, e.g. KILE falls back to NTLM (SMB auth), so it is not advised to turn off NTLM.
Thursday, April 11, 2013 11:42 AM
I thank you all for the answers.
However, whenever I see these situations where Microsoft points to using a new feature, in practice we cannot use it for N reasons...
Microsoft points to it, but never says what can happen.
Kerberos encrypts authentication, NTLM is unsafe, yet one cannot use Kerberos because some products, like Microsoft's own IIS and SQL, do not support it.
Should we laugh or cry about this?
Again thank you all for the answers
Thursday, April 11, 2013 11:46 AM
IIS, SQL, SharePoint, and Active Directory all support Kerberos, but you have to configure it, which is kind of the point of Kerberos. Kerberos, by default, is used for authentication to the domain. I have never heard of NTLM being "unsafe"; it's marginally less secure than Kerberos because of the hash going back and forth on the network, and it's more chatty, but not unsafe.
Hope This Helps!
Thursday, April 11, 2013 11:57 AM
Microsoft describes in the article below that it is not safe to use NTLM:
"NTLM and NTLMv2 are vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle, and brute force attacks. Reducing and eliminating NTLM authentication in your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms such as smart cards."
reference:
http://technet.microsoft.com/en-us/library/jj852241(v=ws.10).aspx
Which way: leave the NTLM traffic and take the risk described above?
Or block NTLM traffic and run the risk of having your network or application stop?
Thursday, April 11, 2013 12:04 PM
@ThatGuyRyan:
From a security point of view (non-Microsoft): the NTLM hash is very much predictable on the wire, which means each password is stored in base 36 and the 16-byte LM hash is appended with 5 null bytes (21 bytes), and then it splits the 21 bytes into 3 groups (7 bytes each).
If you perform brute force you can get the resultant / close 14-byte predictable password.
@ Felipe
Even NTLM has strong encryption (DES) when compared to pure LM, and it depends on what your requirement is with respect to the applications and their code requesting NTLM or Kerberos.
Thursday, April 11, 2013 12:18 PM
Vulnerability
Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can only occur if the server or domain controller processes NTLM requests. If these requests are denied, this attack vector
Thursday, April 11, 2013 12:23 PM
@ThatGuyRyan:
From a security point of view (non-Microsoft): the NTLM hash is very much predictable on the wire, which means each password is stored in base 36 and the 16-byte LM hash is appended with 5 null bytes (21 bytes), and then it splits the 21 bytes into 3 groups (7 bytes each).
If you perform brute force you can get the resultant / close 14-byte predictable password.
@ Felipe
Even NTLM has strong encryption (DES) when compared to pure LM, and it depends on what your requirement is with respect to the applications and their code requesting NTLM or Kerberos.
Right, in a corporate environment it's marginally less secure. If you have users who are brute forcing your domain controllers you need to hire them as engineers.
Hope This Helps!
Thursday, April 11, 2013 12:29 PM
I believe that the forum is not a channel for irony, as you posted just now!
I'm asking because I want to learn and understand, so I can be a better trader.
The Microsoft article says one thing, and the opinions here say other things.
Posting my questions is for better learning and career success.
I did not post here for jokes or irony, as you did.
Monday, April 20, 2015 8:40 PM
Filipe,
NTLM cannot be configured from Server Manager. You can use Security Policy settings or Group Policies to manage NTLM authentication usage between computer systems. In a domain, Kerberos is the default authentication protocol. Default does not mean that NTLM authentication will not occur due to fallback. Here is a post that describes how to disable NTLM:
https://technet.microsoft.com/en-us/library/jj865668.aspx
I hope this helps!
All the Best,
Paul
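Several replies (audit NTLM rather than block it; Paul's Security Policy / Group Policy settings) describe the audit-first approach without showing it. The following PowerShell is an added example, not code from any poster or from the linked Microsoft articles: it turns on the two NTLM audit policies through the registry values that back them and inventories NTLM logons from Security event 4624 so you can see which accounts, hosts and NTLM versions would be affected before any "Deny" setting is applied. The function name Get-NtlmLogonInventory, the 7-day window and the DC check are my assumptions.

```powershell
# Added example. Run elevated on the server to inventory; on a DC it also sets the domain-wide audit value.
# Assumes "Audit Logon" success auditing is on so that Security event 4624 is recorded.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Registry values behind the Security Options policies
#   "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"              (2 = audit all accounts)
#   "Network security: Restrict NTLM: Audit NTLM authentication in this domain" (7 = enable all, DCs only)
# Group Policy is the supported way to deploy these; the direct write is for a lab box.
Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {   # 4 = backup DC, 5 = primary DC
    Set-ItemProperty -Path $lsa -Name 'AuditNTLMInDomain' -Value 7 -Type DWord
}

# Inventory NTLM logons from Security event 4624: who authenticates with NTLM, from where,
# and whether it is NTLM V1 or V2 (the LmPackageName field). This is the list of
# applications and clients that would break if NTLM were denied.
function Get-NtlmLogonInventory {
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="..."> elements; flatten it into a hashtable
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    SourceIP    = $data['IpAddress']
                    Workstation = $data['WorkstationName']
                    LogonType   = $data['LogonType']      # 3 = network (SMB, HTTP), 2 = interactive
                    NtlmVersion = $data['LmPackageName']  # "NTLM V1" entries are the first to fix
                }
            }
        }
}

# Summary: heaviest NTLM users over the last 7 days, by account, source and NTLM version.
Get-NtlmLogonInventory |
    Group-Object Account, SourceIP, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# With auditing on, the dedicated NTLM log records each use as well
# (8001 outgoing, 8002 incoming, 8003 domain-account use on a DC, 8004 blocked by a Restrict setting).
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Count, Name
```

Run the inventory for at least one full business cycle (month-end jobs included) before tightening the Restrict NTLM settings, since fallback to NTLM often comes from scheduled tasks and service accounts that only run occasionally.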