Enabling Strong Domain Authentication

Posted: March 28, 2010 in Active Directory, Security, Server, System Information
Tags: , ,

Problem

You want to ensure that users can only authenticate to Active Directory using strong authentication protocols.

Solution

Using a graphical user interface
  1. Open the Group Policy Management Console snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain you want to administer, and expand the Group Policy Objects container.

  3. Right-click on the GPO that controls the configuration of your domain controllers and select Edit. (By default, this is the Default Domain Controller Policy, but it may be a different GPO in your environment.) This will bring up the Group Policy Object Editor.

  4. Browse to Computer Configuration Windows Settings Security Settings Local Policies Security Options.

  5. Double-click on “Network security: LAN Manager Authentication Level.” Place a check mark next to “Define this policy setting.”

  6. Select “Send NTLMv2 responses only/refuse LM & NTLM.” Click OK.

  7. Wait for Group Policy to refresh, or type gpupdate /force from the command prompt of a Windows Server 2003 domain controller. On a Windows 2000 DC, use the secedit command with the /refreshpolicy switch.

Discussion

Microsoft operating systems have supported different flavors of LAN Manager (LM) and NT LAN Manager (NTLM) authentication since the earliest days of Windows. LM authentication is an extremely old and weak authentication protocol that should no longer be used in production environments unless absolutely necessary. By default, Windows 2000 Active Directory supported client authentication attempts using LM, NTLM, or NTLMv2; Windows Server 2003 supports only NTLM and NTLMv2 out of the box.

The strongest NTLM authentication scheme you can select is to refuse LM and NTLM authentication from any client, and to only respond to clients using NTLMv2. Depending on your client configuration, though, enabling this option may require changes on the client side as well. You can apply the same setting to a GPO linked to your Active Directory domain to ensure that all of your clients will use NTLMv2 instead of older, weaker protocols.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s