MS security template breaks IIS 5 remote authentication! HELLLP!!

Ok, where to start... I apologize if this has been previously discussed (I'm praying that it has), but I can't find any useful info on how to fix this.

Setup:
Basic win2k srvr (SP3) IIS 5.crap
15 Virtual domains.

Took MS's 'hisecws' security template, made a few minor tweaks to it (like changing banners etc, nothing major), analyzed, and then applied.

Have a plain old .asp file in IIS under one of the domains that has to be passworded. It had been set up with no anonymous access, so it was using Integrated Windows authentication.

Before the security template application, you pull up a remote browser, the authentication window pops up, use the Administrator account (for the sake of this discussion) and a blank Domain (the server does not use AD), and it would work like a champ.

After the application of the 'hisecws' template, pull up a remote browser, do the SAME thing, NO GO! I get the obnoxious:

Logon Failure:
  Reason: Unknown user name or bad password
  User Name: Administrator
  Domain: WEBAIR-P15E3F1W
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: My_ws_name

Joined by another:

The logon to account: administrator
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: WEBAIR-P15E3F1W
 failed. The error code was: 3221225578

errors!

Pull up a browser locally on the machine, and SAME damned username and password, and it works like a champ.

So ok, let's go and tweak the "Log on locally" and "Access this computer from the network" tokens. Added everyone and their mother (after frustration) to these two. Then I even turned off the Null Session protection by disabling the "Additional restrictions for anonymous connections" limitations.

Unfortunately I can NOT establish a remote Null session to this machine, but why the HELL would I need to??

STILL NO GO!@#*^

Obviously, when I change the protection in IIS to just use Basic Authentication, same username and password works like a champ remotely and locally.

What in the hell gives??  

I have gone through every single setting under Security Settings in the GPO and have relaxed anything I think would be causing a problem, but I've run out of ideas.

I border on desperation for a fix! :)

And I apologize for my tone, I'm just furious at what a pain in the neck securing windows can be.

I'd appreciate any help.
aebnerez Asked:

Ghost_Hacker Commented:
Have you checked the version of NTLM being used? The high security template uses NTLMv2 and does not accept LM or NTLMv1 authentication.
0
Ghost_Hacker Commented:
This site shows the settings changed for each template and some things to watch out for.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/sag_SCEdefaultpols.asp

You'll want to look at the "LAN Manager Authentication Level" and see if it's set to "Send NTLM version 2 (NTLMv2) response only". If it is, change it so that the server accepts NTLM and you should be good to go.
0

Ghost_Hacker Commented:
Oh, I would reboot after changing it.
0
aebnerez Author Commented:
You are the man! Thanks so much. I can't believe it was right under my nose; I skipped that setting god knows how many times. The reboot, btw, wasn't necessary; it works like a champ!!
I set it to accept NTLM, but use NTLMv2 if negotiated. I think considering the side effects of NTLMv2-only, that is a fair compromise.

Thanks so much again!
0
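Added example for this thread (not code from either poster): a small model of the "LAN Manager Authentication Level" (LmCompatibilityLevel) policy from the answer above, built from Microsoft's documented per-level semantics, showing why the hisecws setting rejected the remote logon, why the compromise the poster chose works, and how the decimal error code in the log decodes. Table and function names are mine; it assumes the remote workstation was at level 0, the Windows 2000 default.

```python
# Added example for this thread, not code from the original post. It models the
# "LAN Manager Authentication Level" (LmCompatibilityLevel) policy named in the
# answer, with the per-level semantics from Microsoft's documentation of that
# policy. Assumption: the remote workstation was at level 0, the Windows 2000
# default. Basic authentication is unaffected because it sends the password
# itself rather than an LM/NTLM challenge response.

# Response types a client at each level puts in its NTLM authenticate message.
CLIENT_SENDS = {
    0: {"LM", "NTLM"},  # Send LM & NTLM responses
    1: {"LM", "NTLM"},  # ... and use NTLMv2 session security if negotiated
    2: {"NTLM"},        # Send NTLM response only
    3: {"NTLMv2"},      # Send NTLMv2 response only
    4: {"NTLMv2"},
    5: {"NTLMv2"},
}

# Response types the authenticating server accepts at each level.
SERVER_ACCEPTS = {
    0: {"LM", "NTLM", "NTLMv2"},
    1: {"LM", "NTLM", "NTLMv2"},
    2: {"LM", "NTLM", "NTLMv2"},
    3: {"LM", "NTLM", "NTLMv2"},
    4: {"NTLM", "NTLMv2"},  # refuse LM
    5: {"NTLMv2"},          # refuse LM & NTLM: the hisecws setting
}


def ntlm_logon_succeeds(client_level: int, server_level: int) -> bool:
    """True when the server accepts at least one response the client sends."""
    return bool(CLIENT_SENDS[client_level] & SERVER_ACCEPTS[server_level])


def strictest_server_level(client_levels) -> int:
    """Highest server level that still admits every client level listed, so an
    admin can tighten as far as the client population allows."""
    return max(lvl for lvl in SERVER_ACCEPTS
               if all(ntlm_logon_succeeds(c, lvl) for c in client_levels))


def ntstatus_hex(decimal_code: int) -> str:
    """Event-log decimal error code as NTSTATUS hex; the thread's 3221225578
    is 0xC000006A (STATUS_WRONG_PASSWORD), how the refused response surfaced."""
    return f"0x{decimal_code:08X}"


if __name__ == "__main__":
    print(ntlm_logon_succeeds(0, 5))  # False: hisecws server vs. level-0 client
    print(ntlm_logon_succeeds(0, 1))  # True: the setting the poster chose
    print(ntstatus_hex(3221225578))   # 0xC000006A
```

Raising the clients to level 3 or higher instead (so they send NTLMv2) would let the server stay at the hisecws value of 5.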