Re: [Fed-Talk] Reminder of List Usage
- Subject: Re: [Fed-Talk] Reminder of List Usage
- From: Paul Nelson <email@hidden>
- Date: Mon, 29 Nov 2004 16:27:41 -0600
Malicious CIFS/SMB software can dupe Macintosh and Linux systems into giving
up the user's password hash using the weaker NTLMv1 method. Once the NTLMv1
hash has been obtained, a password cracker can be used to determine the
plain-text password. This may be the main concern for OS X - the people
running the network have no way of preventing the OS from giving out the
weak NTLMv1 hash.
I don't know if Apple realizes that although support for NTLMv2 is
important, the policy for when weaker methods are allowed is just as
important. Apple should be able to assure customers that if they configure
the system a certain way, that users of that system will never be able to do
something that causes weak authentication methods to be used (no matter how
badly the user wants to). For example, Apple allows a user to use plain
text authentication when connecting to SMB servers that don't support
encrypted authentication (say a hacked Samba server). The user shouldn't be
allowed to make this decision. PC administrators can use group policy to
prevent computers from giving out weak password hashes, or from talking to a
server that doesn't support SMB signing.
ADmitMac and DAVE implement Kerberos and NTLMv2 authentication. Policy
settings prevent or allow the software to use weaker authentication methods
(NTLMv2). These products have both been tested against Windows 2003 with
the hisecdc security template applied. For info on what this template does,
see:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_SCEdefaultpols.asp
The interesting parts are:
If a server is configured with Hisecws.inf, then a client with a
local account on that server will not be able to connect to the server
unless the client's computer is configured to send NTLMv2 responses.
If a server is configured with Hisecws.inf, then all clients that
want to use SMB to connect to that server must enable client-side SMB packet
signing. All computers running Windows 2000 and Windows XP operating systems
enable client-side SMB packet signing by default.
If a domain controller is configured with Hisecdc.inf, then a user
with an account in that domain cannot connect to member servers using that
domain user account if the connection is being attempted from a client that
only uses the LAN Manager authentication protocol.
If a domain controller is configured with Hisecdc.inf, then a user
with an account in that domain will not be able to connect to member servers
using that domain account unless:
Both the client and target server are running Windows 2000 or
above and can use Kerberos-based authentication rather than
LAN Manager-based authentication.
The client is configured to send NTLMv2 responses.
If a domain controller is configured with Hisecdc.inf, then
Lightweight Directory Access Protocol (LDAP) clients will not be able to
bind with the Active Directory LDAP server unless data signing is
negotiated. BIND requests using ldap_simple_bind or ldap_simple_bind_s are
rejected. By default, all Microsoft LDAP clients that ship with Windows XP
will request data signing if Transport Layer Security/Secure Sockets Layer
(TLS/SSL) is not already being used. If TLS/SSL is being used, then data
signing is considered to be negotiated.
However, it would benefit Apple to tell customers how to be sure that NTLMv1
will never be used. There are a few places that come to mind:
1) The Apple CIFS file system (mounting a volume using CIFS/SMB). ADmitMac
and DAVE prevent Apple's CIFS filesystem from being used.
2) The command line tools "smbclient" and "smbtar" allow sending NTLMv1
hashes. These can easily be removed, and are rarely used by anyone on a
regular basis.
3) Apple's printing back end for use with CIFS/SMB based print servers.
This is not replaced by ADmitMac or DAVE, it just isn't needed. I don't
know if there is a way to remove this from the OS.
> From: "Clauson, Ken" <email@hidden>
> Date: Mon, 29 Nov 2004 16:28:28 -0500
> To: 'Shawn Geddis' <email@hidden>, Fedtalk List <email@hidden>
> Subject: RE: [Fed-Talk] Reminder of List Usage
>
> Perhaps we could do some collective support as well, rather than all of us
> working through these issues individually. For example, once the NTLM
> authentication issue booted many of us off windows networks, it would have
> been useful to find specific solutions posted to the list. . .something
> beyond "AdmitMac is supposed to work". . .
> If apple is truly concerned about apple desktops in the DoD community, and
> is interested in helping growth (or merely maintaining the scant current
> presence) then perhaps some solutions could be researched, documented and
> posted, thus saving us the time of figuring them out individually.
>
> Apple needs to formally engage the CIO-G6s (DoD and Army, for example) and
> get an official position and eliminate the rumors and local
> interpretations. We all know the local DOIMs are not particularly interested
> in supporting Macs. . .it would help us if we could come to them with
> solutions that work. . .detailed, proven solutions that save them and us
> time and energy. If the answer is "use virtual PC for everything" so be it,
> but let's get an official position.
>
> Ken Clauson
> APAC
>
> -----Original Message-----
> From: fed-talk-bounces+kenneth.clauson=email@hidden
> [mailto:fed-talk-bounces+kenneth.clauson=email@hidden] On
> Behalf Of Shawn Geddis
> Sent: Monday, November 29, 2004 3:26 PM
> To: Fedtalk List
> Subject: [Fed-Talk] Reminder of List Usage
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
> This email sent to email@hidden
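A defender-side check for the downgrade concern raised above: given a captured NTLMSSP AUTHENTICATE (Type 3) message, decide whether the client answered with NTLMv2 or fell back to NTLMv1 (with or without an LM response). This is an added example written for this page, not code from the thread or from ADmitMac/DAVE; it assumes the documented NTLMSSP Type 3 layout (security-buffer descriptors for the LM and NT responses at offsets 12 and 20), and the sample messages are constructed fixtures with dummy response bytes.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
AUTHENTICATE = 3

def _field(msg: bytes, pos: int) -> bytes:
    """Read the (Len, MaxLen, Offset) security-buffer descriptor at pos; return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[offset:offset + length]

def classify_ntlm_auth(msg: bytes) -> str:
    """Report which challenge/response variant a Type 3 message carries."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE (Type 3) message")
    lm_resp = _field(msg, 12)   # LmChallengeResponse descriptor lives at offset 12
    nt_resp = _field(msg, 20)   # NtChallengeResponse descriptor lives at offset 20
    if not nt_resp and (not lm_resp or lm_resp == b"\x00"):
        return "anonymous"
    # NTLMv2: 16-byte HMAC-MD5 followed by a blob whose header is 01 01 00 00.
    if len(nt_resp) > 24 and nt_resp[16:20] == b"\x01\x01\x00\x00":
        return "NTLMv2"
    if len(nt_resp) == 24:  # NTLMv1: three DES blocks over the 8-byte server challenge
        # With "NTLM2 session security" the LM field carries an 8-byte client nonce + zeros.
        if len(lm_resp) == 24 and any(lm_resp[:8]) and not any(lm_resp[8:]):
            return "NTLMv1 (NTLM2 session security)"
        if len(lm_resp) == 24 and any(lm_resp):
            return "NTLMv1 (plus LM response)"   # weakest: LM-hash response also sent
        return "NTLMv1"
    return "unknown"

def build_type3(lm_resp: bytes, nt_resp: bytes, user=b"alice", domain=b"CORP") -> bytes:
    """Construct a minimal Type 3 message as a test fixture (dummy bytes, not a real client)."""
    header_len, payload, fields = 64, b"", []
    # Descriptor order in the header: LM, NT, Domain, User, Workstation, EncryptedSessionKey.
    for blob in (lm_resp, nt_resp, domain, user, b"", b""):
        fields.append(struct.pack("<HHI", len(blob), len(blob), header_len + len(payload)))
        payload += blob
    flags = struct.pack("<I", 0)  # NegotiateFlags, irrelevant for classification
    return NTLMSSP_SIG + struct.pack("<I", AUTHENTICATE) + b"".join(fields) + flags + payload

if __name__ == "__main__":
    v1 = build_type3(b"\x11" * 24, b"\x22" * 24)
    v2 = build_type3(b"\x00" * 24, b"\x33" * 16 + b"\x01\x01\x00\x00" + b"\x00" * 28)
    print(classify_ntlm_auth(v1), "|", classify_ntlm_auth(v2))
```

Run over session-setup captures, anything that classifies as NTLMv1 identifies a client the policy did not manage to pin to NTLMv2 or Kerberos.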