LM Hashes, NTLM and Kerberos.

I need to understand a couple of things with regards to the LM Hashes, NTLM and Kerberos. In windows 2000 server, do you set up kerberos or is it there by default? Just works even without any configuration? Where then does the vulnerability of LM Hashes and NTLM come in if windows 2000 server uses kerberos? Im lost. Please refer me to some site or please explain.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Toni UranjekConsultant/TrainerCommented:

Kerberos is default authentication mechanism since 2000 for clients which support Kerberos authentication. If client does not support Kerberos authentication (Windows 9x/Me, NT 4.), server will fall back to NTLMv2, NTLMv1 or even LM hashes. If anything on your network prevents Kerberos from working, even clients which support Kerberos authentication will use older authentication mechansims. Behaviour of your domain controllers is defined in Default Domain Controllers Policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

LAN Manager authentication level should be configured to refuse LM and NTLMv1, but this might prevent older system from authenticating.

More info: http://msdn.microsoft.com/en-us/library/ms814176.aspx



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rich RumbleSecurity SamuraiCommented:
Kerberos is only the default for sign-on, all share/printer/IIS access auth is LM/NTLM!
Even with vista still defaults to lm/ntlm.  It's sad really... from the link above: Default: Send LM & NTLM responses.
This is a pretty good article about lm/ntlm/ntlmv2, but is incorrect about vista's behaviour with LM/NTLMv1 http://technet.microsoft.com/en-us/magazine/cc160954.aspx

This article tries to explain Kerberos.

If you really want to see what is being sent in/out for yourself, grab a copy of Cain&Abel from oxid.it and turn on the sniffer. The M$ articles seem to portray kerbeos being used all over, but it's really not...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.