Dear Ron Ray,
There is no bug. "Send NTLM response only" refers to client, not to
server. "Send NTLM response only" means that client computer will not
send LM hashed response on server's challenge to server computer. "Send
NTLM response only" sets your compatibility level to 2. To disallow LM
logon on Domain Controller you need LMCompatibilityLevel 4.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0-5
Default: 0
Description: This parameter specifies the type of authentication to be
used.
Level 0 - Send LM response and NTLM response; never use NTLMv2 session
security
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM authenication only
Level 3 - Send NTLMv2 authentication only
Level 4 - DC refuses LM authentication
Level 5 - DC refuses LM and NTLM authenication (accepts only NTLMv2)
See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q239869 for
more information
--Thursday, July 18, 2002, 6:42:31 AM, you wrote to bugtraq@securityfocus.com:
RR> NTLM is supposed to increase the password security by using upper and
RR> lower case but my windows 9x client could still log in ignoring the case
RR> even though the LAN Manager Authentication Level on the Domain Controller
RR> was set to "Send NTLM response only".
--
~/ZARAZA
Ну а в целом, Уильям, здешний климат - ежели только
это можно назвать климатом, вполне сносный. (Твен)
