Re: ntlmv2 & Kerberos - WeOnlyDo Discussion board

Re: ntlmv2 & Kerberos (General questions)

by dirk, Wednesday, April 29, 2009, 19:55 (5686 days ago) @ wodSupport

This is the install info I got from the customer:
For instructions I guess it’s something like the following:
- Install plain Microsoft Windows 2003 Server
- Install Active Directory and DNS
- Upgrade Active Directory to Native mode
- Disable Anonymous login in IIS and make sure that only Windows Integrated Login is selected
- Install Servers Alive
- Create an Active Directory user for Servers Alive to use
- Install a Windows 2003 Server as a domain member server
- Install IIS
- Create a testfile under the Default Website directory
- Grant rights to read the file provided by IIS using the normal NTFS file system file properties, make sure that Everyone or Domain Users do not have access
- Add a DNS alias for the member server named intranet
- Create a Kerberos SPN for the DNS alias using the command “setspn -a HTTP/intranet <computername>”
- Configure Servers Alive to do a HTTP check using the specified account and URL via DNS alias
- Test the Servers Alive control
Our system is a bit complex, but I think that would provide you with enough infrastructure to make tests. We also do the following that could have an impact…
- Disable NTLMv1 on domain controllers
- Run Microsoft Sharepoint Portal 2007 as an IIS application under a specified service account which has the Kerberos SPN registered
- Run over HTTPS and using Host headers
- Security policies (GPO) as below, the ones most probably causing troubles in this case marked red (please don’t distribute this info, since it might be considered sensitive even if it’s standard Microsoft stuff):
o Accounts: Limit local account use of blank passwords to console logon only Enabled
o Audit: Audit the access of global system objects Disabled
o Audit: Audit the use of Backup and Restore privilege Disabled
o Audit: Shut down system immediately if unable to log security audits Enabled
o Devices: Allow undock without having to log on Disabled
o Devices: Allowed to format and eject removable media Administrators
o Devices: Prevent users from installing printer drivers Enabled
o Devices: Restrict CD-ROM access to locally logged-on user only Disabled
o Devices: Restrict floppy access to locally logged-on user only Disabled
o Devices: Unsigned driver installation behavior Warn but allow installation
o Domain controller: Allow server operators to schedule tasks Disabled
o Domain controller: LDAP server signing requirements Require signing
o Domain controller: Refuse machine account password changes Disabled
o Domain member: Digitally encrypt or sign secure channel data (always) Enabled
o Domain member: Digitally encrypt secure channel data (when possible) Enabled
o Domain member: Digitally sign secure channel data (when possible) Enabled
o Domain member: Disable machine account password changes Disabled
o Domain member: Maximum machine account password age 30 days
o Domain member: Require strong (Windows 2000 or later) session key Enabled
o Interactive logon: Display user information when the session is locked User display name, domain and user names
o Interactive logon: Do not display last user name Enabled
o Interactive logon: Do not require CTRL+ALT+DEL Disabled
o Interactive logon: Message text for users attempting to log on This is a Swedish Armed Forces device.,Only authorized users are entitled to connect or log in to this device.,If you are not sure whether you are authorized or not then you are NOT and should DISCONNECT IMMEDIATELY!,Audit trail is activated and offenders of this policy will be prosecuted!
o Interactive logon: Message title for users attempting to log on Warning!
o Interactive logon: Number of previous logons to cache (in case domain controller is not available) 0 logons
o Interactive logon: Pr
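The install steps in the post above (DNS alias, SPN on the alias, anonymous access off, Windows Integrated auth only, HTTP check against a protected test file) can be verified before handing the URL to Servers Alive. The script below is an added example and is not from the post, from Servers Alive, or from the WeOnlyDo components. It assumes the alias is `intranet`, a hypothetical member server named `WEBSRV01`, a test URL of `http://intranet/testfile.txt`, and a domain-joined Windows host (PowerShell 5.1 or later, `setspn.exe` and `klist.exe` on the path) where it is run as the domain user that was granted NTFS read on the file.

```powershell
# Added example: verify the alias / SPN / IIS auth setup described in the post.
# Assumed values (not from the post): WEBSRV01, http://intranet/testfile.txt.
param(
    [string]$Alias    = 'intranet',
    [string]$HostName = 'WEBSRV01',
    [string]$Url      = 'http://intranet/testfile.txt'
)

$spn = "HTTP/$Alias"

# 1. The alias must resolve. Kerberos builds the SPN from the name the client
#    types, so the alias itself (not the computer name) needs the HTTP/ SPN.
$a = Resolve-DnsName -Name $Alias -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
Write-Host "DNS: $Alias -> $($a[0].IPAddress)"

# 2. Exactly one account may hold HTTP/<alias>. A missing SPN or a duplicate
#    SPN makes clients fall back to NTLM; with NTLMv1 disabled on the DCs
#    that fallback can fail outright, which is what an HTTP check would see.
$query  = & setspn.exe -Q $spn 2>&1
$owners = @($query | Where-Object { $_ -match '^CN=' })
if ($owners.Count -eq 0) {
    Write-Warning "$spn is not registered; register it with: setspn -a $spn $HostName"
} elseif ($owners.Count -gt 1) {
    Write-Warning "$spn is held by more than one account (duplicate SPN):`n$($owners -join "`n")"
} else {
    Write-Host "SPN ok: $spn is held by $($owners[0])"
}

# 3. Anonymous must be refused (401) and the server must offer Negotiate,
#    otherwise Kerberos is never attempted. HttpWebRequest is used so the
#    same code behaves the same on Windows PowerShell 5.1 and PowerShell 7.
$req = [System.Net.WebRequest]::Create($Url)
$req.Credentials = $null   # explicitly anonymous
try {
    $r = $req.GetResponse(); $r.Close()
    Write-Warning "Anonymous request succeeded: anonymous access is still enabled on $Url"
} catch [System.Net.WebException] {
    $r = $_.Exception.Response
    if ($r -and [int]$r.StatusCode -eq 401) {
        $schemes = $r.GetResponseHeader('WWW-Authenticate')
        Write-Host "Anonymous refused (401); offered schemes: $schemes"
        if ($schemes -notmatch 'Negotiate') {
            Write-Warning 'Negotiate is not offered, so only NTLM can be used'
        }
    } else {
        throw
    }
}

# 4. Authenticated request as the current domain user, the way the monitor
#    would run it with its configured account.
$req = [System.Net.WebRequest]::Create($Url)
$req.UseDefaultCredentials = $true
$r = $req.GetResponse()
Write-Host "Authenticated request: HTTP $([int]$r.StatusCode)"
$r.Close()

# 5. A service ticket for HTTP/<alias> in the cache shows the request above
#    was authenticated with Kerberos rather than falling back to NTLM.
$tickets = & klist.exe
if ($tickets -match "HTTP/$Alias") {
    Write-Host "Kerberos service ticket for $spn is present"
} else {
    Write-Warning "No ticket for $spn in the cache; the request probably used NTLM"
}
```

Run it once from a workstation and once from the monitoring host: step 2 tells you whether the `setspn -a` from the instructions actually landed on the right account (and that no second account also claims the alias), and step 5 is the quick way to tell a Kerberos success from a silent NTLM fallback, which is the difference that matters once NTLMv1 is disabled.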