
assurance - [Assurance] AD Cookbook questions

Subject: Assurance

[Assurance] AD Cookbook questions


  • From: John Krabacher <>
  • Subject: [Assurance] AD Cookbook questions
  • Date: Wed, 8 Feb 2012 16:58:40 +0000
  • Resent-date: Wed, 8 Feb 2012 12:25:46 -0500
  • Resent-from: Dean Woodbeck <>

From John Krabacher, U of Chicago:

Hello,
 
I’ve been reviewing the cookbook and I have some questions. I’ll admit that I haven’t been keeping up with all of the discussions that have taken place over this mailing list, so if any of these have been answered before, I apologize.
 
The AD Problem Statement in section 4.2.5.1 Resist Replay Attack states that “Kerberos, NTLMv2 and secure LDAP binds or LDAP binds using SSPI/Kerberos do provide resistance to replay attack.” However, the mitigation section gives instruction on how to mitigate NTLMv2. Why would NTLMv2 need to be mitigated if it already provides resistance to that attack? Is that supposed to be NTLMv1?
 
Similarly, the AD Problem Statement in section 4.2.5.2 Resist Eavesdropper Attack states “Kerberos, NTLMv2 and secure LDAP binds or LDAP binds using SSPI/Kerberos do provide resistance to eavesdropping or brute force attack.” If we mitigate LM and NTLM1 authentication, is that sufficient, or do we still need to proceed with one of the two strategies under “All eavesdropper mitigation?”
 
 
Thanks,
John


