About configuring "Minimum session security for NTLM SSP based (including secure RPC)"

    Question

  • On Windows 7 and later, first configure "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".
    For the two options "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" and "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers", if "Require NTLMv2 session security" is left unchecked and only "Require 128-bit encryption" is checked, does that mean the system's session security now uses NTLMv2 with 128-bit encryption?

    February 19, 2017 8:52

All replies


    Hello,

    Please see the official explanation:

    “ NTLMv2 Session Security is related to how session keys are computed. When using the original NTLM protocol, the session key is based on the user’s NT hash (the NT OWF). When NTLMv2 Session Security is used, the session key is based on not only the NT OWF but also on the client and server challenges. Those session keys are not used during the actual authentication sequence, but when an application requests security by calling the EncryptMessage or SignMessage APIs.”

    “Theoretically, NTLMv2 Session Security can be used with any protocol. But used with NTLM version 1, it also improves the challenge response computation by including the client-side challenge, similar to how NTLMv2 itself works. This makes a precomputed hash attack against captured challenge-response pairs more difficult, but certainly not impossible. More significantly, it makes man-in-the-middle attacks much more difficult.

    NTLMv2 Session Security is still negotiated. Therefore, if the attacker has the ability to act as the server itself or to modify the transaction in any way, the attacker can downgrade the authentication protocols to the older versions, enabling both types of attack once again. Only if LMCompatibilityLevel is set to 3 on the client are these attacks actually stopped.”

    With the configuration listed above, the meaning is:

    When this machine acts as the client, it sends only NTLMv2 responses; when it acts as the server, it refuses LM & NTLM responses and accepts only NTLMv2 responses;

    NTLMv2 Session Security is used.

    I suggest you read the following English article:

    Security Watch: The Most Misunderstood Windows Security Setting of All Time

    https://technet.microsoft.com/en-us/library/2006.08.securitywatch.aspx

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    February 20, 2017 10:17
    Moderator
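The two policies discussed in this thread are stored as plain registry values, so the question ("is NTLMv2 session security in effect if I only tick 128-bit?") can be answered on the machine itself by reading and decoding them. The following PowerShell script is an added example for this page, not code from the thread or from Microsoft; the registry paths, value names and flag bits are the documented ones (LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; NtlmMinClientSec and NtlmMinServerSec under the MSV1_0 subkey; 0x00080000 = "Require NTLMv2 session security", 0x20000000 = "Require 128-bit encryption"). The only assumption is that you run it on the Windows 7-or-later host being audited; when a value is absent the policy is "Not Defined" and the script reports that rather than guessing the platform default.

```powershell
# Added example (not from the original thread): read and decode the NTLM
# authentication-level and minimum-session-security policies from the registry.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = Join-Path $LsaKey 'MSV1_0'

# NTLMSSP negotiate flags that the "minimum session security" policies require.
$RequireNtlmV2SessionSecurity = 0x00080000   # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
$Require128BitEncryption      = 0x20000000   # NTLMSSP_NEGOTIATE_128

$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-RegistryDword {
    # Returns the DWORD as a non-negative [int64], or $null if the value is not defined.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # DWORDs surface as Int32; mask so a value with the top bit set stays positive.
    return ([int64]$item.$Name) -band 0xFFFFFFFF
}

function ConvertFrom-NtlmMinSec {
    # Decodes one NtlmMinClientSec / NtlmMinServerSec value into the two policy checkboxes.
    param([string]$Name, $Value)
    if ($null -eq $Value) {
        return [pscustomobject]@{ Setting = $Name; RawValue = 'Not Defined';
                                  RequiresNtlmV2SessionSecurity = $null; Requires128BitEncryption = $null }
    }
    [pscustomobject]@{
        Setting                       = $Name
        RawValue                      = ('0x{0:X8}' -f $Value)
        RequiresNtlmV2SessionSecurity = (($Value -band $RequireNtlmV2SessionSecurity) -ne 0)
        Requires128BitEncryption      = (($Value -band $Require128BitEncryption) -ne 0)
    }
}

$lmLevel   = Get-RegistryDword $LsaKey  'LmCompatibilityLevel'
$clientSec = Get-RegistryDword $Msv1Key 'NtlmMinClientSec'
$serverSec = Get-RegistryDword $Msv1Key 'NtlmMinServerSec'

if ($null -eq $lmLevel) { 'LmCompatibilityLevel = Not Defined (platform default applies)' }
else                    { "LmCompatibilityLevel = $lmLevel ($($LmLevelText[[int]$lmLevel]))" }

ConvertFrom-NtlmMinSec 'NtlmMinClientSec' $clientSec
ConvertFrom-NtlmMinSec 'NtlmMinServerSec' $serverSec

# LmCompatibilityLevel governs which authentication response (LM / NTLM / NTLMv2) is
# sent or accepted. The two NtlmMin*Sec values govern what an application must have
# negotiated before SignMessage/EncryptMessage succeeds. NTLMv2 session security is
# only *required* when bit 0x00080000 is set; with 0x20000000 alone it is merely
# negotiated if both peers offer it. Flag that case explicitly.
foreach ($pair in @(@('NtlmMinClientSec', $clientSec), @('NtlmMinServerSec', $serverSec))) {
    $name, $value = $pair
    if ($null -ne $value -and ($value -band $RequireNtlmV2SessionSecurity) -eq 0) {
        Write-Warning "$name does not require NTLMv2 session security (bit 0x00080000 clear); set it to 0x$('{0:X8}' -f ($value -bor $RequireNtlmV2SessionSecurity)) to enforce it."
    }
}
```

Run it in any PowerShell session on the host; reading these keys does not need elevation. If the values are delivered by Group Policy, change them in the GPO rather than with Set-ItemProperty, because the next policy refresh will overwrite a local edit. A value of 0x20080000 corresponds to both checkboxes ticked, which is the state the original question was asking about.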
  • Hello,

    Do you have any further questions?

    Best Regards,

    Amy



    March 7, 2017 14:00
    Moderator