Lesson 1: Supporting Earlier Versions of Windows Clients

In environments that have not completed the migration to Windows 2000, you might need to support earlier versions of clients (also called down-level clients) such as Microsoft Windows 95, Windows 98, and Windows NT. This lesson will teach you how to improve security by replacing earlier authentication protocols with Microsoft NTLM version 2 on servers and clients.


To complete this lesson, you will need

  • A Windows 98 client attached to the domain

Estimated lesson time: 30 minutes


Authentication Basics

Network authentication is the process by which users prove their identity to a remote computer to gain access to its resources after having logged on to a local computer. Single Sign On (SSO) systems, such as Kerberos, automate this process but do not eliminate the requirement of logging on to each server that the user accesses. The illusion of "logging on to the network" is maintained because the user is not interrupted for credentials—they are automatically provided by the client through a traditional exchange of credentials or by possession of a secret key.

When you attempt to access resources on a remote computer or server, either you must have an account on the remote server or the remote server must trust a domain controller on which you have an account. In Windows, this trust can be automatically conferred by participation in the same domain or by participation within a trusted domain.

In a Kerberos network, clients contact a domain controller to retrieve a session ticket, which they can then use to prove their ability to log on. But, because Kerberos authentication is not available to clients prior to Windows 2000, either the LAN Manager or the NTLM authentication protocol must be used.

Both the LAN Manager and the NTLM authentication protocols are challenge/response authentication protocols. Challenge/response authentication is a method of proving that two computers each know a password without revealing what that password is. When the client requests a logon by sending the account name, the server looks up the account name and finds the encrypted password associated with it. The server then sends a random number called a nonce to the client. Both the client and server encrypt the nonce using the password, and the client returns the result. If the result computed on the client matches the result computed on the server, both computers used the same password to reach that result, but they passed only a random number and an encrypted random number over the network.

When a client contacts a domain member server and requests a logon session using LAN Manager or NTLM authentication, the member server performs a pass-through challenge/response authentication with the client. In pass-through authentication, the member server, which does not store the user's account information, passes the credentials, nonce, and results to and from the domain controller, and accepts the domain controller's word that the authentication succeeded. If the credentials are valid on the domain controller, the domain controller replies with the security identifiers (SIDs) that are valid for the client account, and the member server constructs an access token and creates a session for the user.
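To make the nonce exchange and the pass-through logon concrete, here is an added Python model (not code from the training kit) of a client, a member server that holds no account data, and a domain controller that returns SIDs. It assumes HMAC-SHA-256 as a stand-in for the NTLM cryptography, a constructed account database, and a DC flag that models the "Refuse LM & NTLM" policy setting used later in Exercise 1.

```python
import hashlib
import hmac
import secrets

def password_hash(password):
    """Hash the DC stores; SHA-256 over UTF-16LE is an assumption standing in for the NT hash."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# Constructed account database: only the domain controller holds it.
ACCOUNTS = {"alice": (password_hash("Str0ng-Passphrase!"), ["S-1-5-21-0-0-0-1001"])}

def client_response(password, nonce, protocol="ntlmv2"):
    """Client side: keyed MAC of the server's nonce; the password itself never crosses the wire."""
    return protocol, hmac.new(password_hash(password), nonce, hashlib.sha256).digest()

class DomainController:
    def __init__(self, refuse_lm_and_ntlm=True):
        # Models the 'Send NTLMv2 Responses Only\Refuse LM & NTLM' policy setting.
        self.refuse_lm_and_ntlm = refuse_lm_and_ntlm

    def validate(self, account, nonce, response):
        """Return the account's SIDs if the response proves the password, else None."""
        protocol, mac = response
        if self.refuse_lm_and_ntlm and protocol != "ntlmv2":
            return None  # LM / NTLM version 1 response rejected by policy
        if account not in ACCOUNTS:
            return None
        pw_hash, sids = ACCOUNTS[account]
        expected = hmac.new(pw_hash, nonce, hashlib.sha256).digest()
        return sids if hmac.compare_digest(expected, mac) else None

class MemberServer:
    """Stores no account data: issues the nonce and passes everything to the DC."""
    def __init__(self, dc):
        self.dc = dc
        self.sessions = {}

    def begin_logon(self):
        return secrets.token_bytes(8)  # the challenge (nonce) sent to the client

    def finish_logon(self, account, nonce, response):
        sids = self.dc.validate(account, nonce, response)
        if sids is None:
            return False
        self.sessions[account] = {"token_sids": sids}  # access token built here
        return True

def logon(server, account, password, protocol="ntlmv2"):
    nonce = server.begin_logon()
    return server.finish_logon(account, nonce, client_response(password, nonce, protocol))
```

A response captured for one nonce is useless against a fresh nonce, which is why the server picks a new random challenge for every logon attempt.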

Windows 2000 Network Authentication

To authenticate a user name and password, Windows 2000 uses the Kerberos V5 or NTLM authentication protocol to encrypt the user name and password. Kerberos V5 is the default in a Windows 2000 (and Windows XP) environment. However, NTLM authentication is used when the client is an earlier version of the Windows operating system, such as Windows 98 or Windows NT. Windows 2000 provides authentication with these clients by supporting

  • LAN Manager, an early Microsoft technology for client/server environments. The least secure authentication method, LAN Manager is used only when connecting to shared folders on computers running Microsoft Windows for Workgroups, Windows 95, Windows 98, and Windows Me.

    If you do not need to support clients earlier than Windows 2000, improve network security by disabling support for LAN Manager protocols in Group Policy.

  • NTLM version 1, used to connect to Windows NT servers if the environment includes a domain controller running Windows NT 4 Service Pack 3 or earlier.

  • NTLM version 2, used to connect to workstation computers running Windows 2000 (or Windows XP) or to Windows NT servers in a domain where all controllers are running Windows NT Service Pack 4 or higher.

  • Kerberos V5, used when Windows 2000 or Windows XP clients connect to domain member servers or when Windows 2000 servers connect to other Windows 2000 servers.

LAN Manager Authentication

LAN Manager authentication was developed to connect computers running MS-DOS, IBM OS/2, and UNIX operating systems. Modern computers can decrypt any LAN Manager encrypted password in a trivial amount of time, so avoid its use. On Windows 95 and Windows 98 computers, you can install the Directory Services client to upgrade their authentication to NTLM version 2. For Windows NT 4, you can install any service pack after Service Pack 4 to provide compatibility with NTLM version 2. Earlier clients should be upgraded to more modern and secure operating systems because they do not support secure authentication protocols.

Support for LAN Manager authentication is enabled by default in Windows 2000. If your network does not include non-Microsoft legacy clients, such as computers running OS/2, disable support for LAN Manager authentication using the procedure shown in Exercise 1.

NTLM Authentication

NTLM authentication is more secure than LAN Manager authentication. It uses 14-character passwords and 56-bit encryption to increase the difficulty of acquiring the password in a brute-force attack. However, NTLM authentication is still not secure enough to withstand a concerted decryption attack. All NTLM passwords can be decrypted in a matter of three to six hours with dedicated hardware, and weak or short passwords can be decrypted in a few hours on any modern computer.

NTLM authentication has been superseded by NTLM version 2. Upgrade all clients to support NTLM version 2 rather than support NTLM authentication in your network.

NTLM Version 2 Authentication

NTLM version 2 increases the security of NTLM encryption by using 128-bit encryption, which provides enough security to make brute-force attacks impractical with current technology. Dictionary attacks can still be successful, so passwords must be strong to avoid compromise.

NTLM version 2 is enabled for Windows NT 4 Service Pack 4 and later. For Windows 95 and Windows 98, you can enable support for NTLM version 2 by installing the Windows 2000 Directory Services client and ensuring that support for 128-bit encryption has been added by installing the latest version of Microsoft Internet Explorer.

Consider moving all earlier Windows platforms to Windows 2000 so that you have a homogeneous Windows 2000 network and can disable all forms of NTLM authentication. While NTLM version 2 is significantly stronger than earlier versions, it's still not nearly as secure as Kerberos authentication.

Creating a Secure Environment

Enabling support for NTLM version 2 requires 128-bit security. To see if your Windows 95 or Windows 98 computer already supports 128-bit security, open Internet Explorer, click Help, and then choose About Internet Explorer. Internet Explorer displays an About Internet Explorer dialog box, as shown in Figure 7.1.

Figure 7-1. Windows 95 and Windows 98 shipped with 40-bit security

If the cipher strength is anything less than 128-bit, you must upgrade to the current version of Internet Explorer.

Practice: Enabling a Secure Mixed-Client Environment

In this practice, you update earlier versions of Windows clients to take advantage of NTLM version 2 and disable support for the earlier, less secure LAN Manager authentication protocols. You also install the Directory Services client on a Windows 95 or Windows 98 computer, and modify registry settings to support NTLM version 2 authentication.

Exercise 1: Removing Support for Earlier Authentication Protocols in the Domain

In this exercise, you increase the logon protocol security for a Windows 95 or Windows 98 client network to better safeguard passwords on the network against brute-force decryption attacks. You upgrade the client to NTLM version 2 authentication and ensure that Internet Explorer is providing 128-bit encryption.

To force NTLM version 2 authentication in the domain

  1. Log on as the Administrator and open the Domain Security Policy management console. The Group Policy editor appears.

  2. Expand Domain Security policy, Windows Settings, Security Settings, Local Policies, and then select Security Options. The Group Policy namespace appears as shown in Figure 7.2.

    Figure 7-2. The LAN Manager Authentication Level policy

  3. Double-click LAN Manager Authentication Level. The Security Policy Setting dialog box appears as shown in Figure 7.3.

    Figure 7-3. Security Policy Setting dialog box

  4. Select the Define This Policy Setting check box, and then select Send NTLMv2 Responses Only\Refuse LM & NTLM from the list.

  5. Click OK to establish a security policy that accepts NTLM version 2 authentication responses only. Responses from earlier authentication protocols will be rejected.

  6. Close the Group Policy editor.

To upgrade to 128-bit security

  1. Open Internet Explorer and go to the following address: http://www.microsoft.com/windows/ie/downloads.

    Depending on the version of Internet Explorer you are using, you may receive error messages when Internet Explorer tries to access the Microsoft download Web site. Click Yes to any of these messages to continue loading the Web site. If you cannot reach the download Web site from your version of Internet Explorer, install a newer version of Internet Explorer from CD. See http://www.microsoft.com/ie for information about obtaining an Internet Explorer CD.

  2. Follow the links to download the latest version of Internet Explorer.

  3. When the File Download dialog box appears, select Run This Program From Its Current Location, and click OK.

  4. A Security Warning message box appears. Click Yes to install the current version of Internet Explorer. The Windows Update: Internet Explorer And Internet Tools Wizard appears.

  5. Select I Accept The Agreement, and click Next. The Installation page appears.

  6. Select Install Minimal to keep the download time to a minimum, and click Next.

  7. On the Component Options page, leave the defaults as they are, and click Next.

    Windows Update proceeds to download components. This could take a few seconds or a few hours, depending on the speed of your Internet connection. The Restart Computer message box appears at the end of the file download.

  8. Click Finish to restart your computer.

  9. If a logon dialog box appears, you can either log on or click Cancel.

A Windows 98 Setup progress bar appears while Internet Explorer updates system settings during the boot process. System startup will be unusually long because numerous system updates are applied. At the end of the boot process, Windows has been updated to use 128-bit security. You can verify this in the About Internet Explorer dialog box, as shown in Figure 7.4.

Figure 7-4. Verifying that 128-bit security is installed

To install the Directory Services client

  1. Insert the Windows 2000 Server CD into the client computer's CD-ROM drive.

  2. In Windows Explorer, double-click the CD-ROM drive icon. Then double-click the Clients folder, the WIN9X folder, and the Dsclient.cab file.

    A progress bar appears briefly while the files in the cabinet file are decompressed, and the Directory Service Client Setup Wizard appears next.

  3. Click Next, and click Next again to begin copying files.

  4. Click Finish after the files are copied.

  5. Click Yes to restart your computer.

Exercise 2: Enabling NTLM Version 2 on Earlier Versions of Windows Clients

In this exercise, you modify the registry on an earlier Windows client, such as Windows 95, Windows 98, or Windows NT, so that it authenticates using NTLM version 2.

Windows NT 4 clients must have Service Pack 4 or later installed for this procedure to be effective.

To modify the registry to support NTLM version 2

  1. Click Start, and click Run.

  2. In the Run dialog box, type regedit, and press Enter. The Registry Editor appears.

  3. Expand HKEY_LOCAL_MACHINE, System, CurrentControlSet, Control, and then Lsa.

  4. The Lsa registry key might not exist if you have not installed Internet Explorer. If it does not exist, create it by right-clicking Control, pointing to New, clicking Key, and changing the name to Lsa.

  5. Right-click the Lsa key, point to New, and then click DWORD Value.

  6. Type LMCompatibility as the name of the value.

  7. Double-click the LMCompatibility value.

  8. In the Edit DWORD Value dialog box, type 3 in the Value Data box, and click OK. The value 3 is the registry value required to force NTLM version 2 authentication and reject LAN Manager and NTLM version 1 authentication.

    In the Registry Editor, LMCompatibility appears with the value of 3, as shown in Figure 7.5.

    Figure 7-5. Configuring a Windows 98 client to use NTLM version 2 authentication

  9. Close the Registry Editor.

  10. Restart the computer.

    Upon rebooting, the client computer will be able to log on to the domain using NTLM version 2 authentication.

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. What are the four types of authentication supported by Windows 2000 to support current and earlier versions of Windows clients?

  2. Which two authentication protocols are considered the most secure?

  3. What components must be installed in Windows 98 to use NTLM version 2?

  4. What encryption strength is used to secure NTLM version 2 passwords?

Lesson Summary

  • Windows 2000 supports LAN Manager, NTLM, NTLM version 2, and Kerberos authentication for authenticating Windows clients.

  • LAN Manager authentication was originally used in IBM OS/2, MS-DOS, and Windows for Workgroups. It is especially weak and should not be used in secure networks.

  • NTLM was developed to improve LAN Manager security for Windows NT and was superseded by NTLM version 2 in Windows NT Service Pack 4. NTLM authentication is not as strong and should therefore be replaced by NTLM version 2 authentication.

  • NTLM version 2 improves NTLM authentication by increasing the encryption strength from 56 bits to 128 bits.

  • Kerberos is considerably stronger than earlier authentication methods. If security is of paramount importance, earlier clients should be replaced with Windows 2000 or later, and Kerberos should be used exclusively for authentication.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
Year: 2003
Pages: 82
