Posted by jeff on September 20, 2005, 3:43 pm
Thanks Steve...that is pretty much what I thought.
"Steven L Umbach" wrote:
> It is not possible to completely disable it. There are also cases where it
> is required such as for VPN and I also believe possibly some implementations
> of Exchange. You can manage LAN Manager authentication level to allow only
> NTLMv2 which also is a pretty robust authentication protocol though again be
> careful with Exchange and VPN servers. You could also configure sensitive
> domain servers [not domain controllers] with an IPsec require policy which
> by default would use Kerberos for computer authentication before access
> would be allowed and in such case it would be impossible say for a Windows
> 98 or non domain computer to access the IPsec required server. IPsec is a
> fairly complex topic and must be configured correctly and tested [ideally on
> a test domain], particularly for domain controllers, or all sorts of
> problems will ensue. The link below is a great article on IPsec even if you
> just read the appendixes which will give you an excellent understanding of
> IPsec and how to use it. --- Steve
>
> http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
>
> > Hello...
> >
> > I'm in a pure Windows 2003 domain environment with Windows XP clients. All
> > servers and workstations are joined to the domain. We are at Windows 2003
> > forest functional level.
> >
> > I know Kerberos is the default authentication protocol. But...
> >
> > I have been asked...(if possible) to completely disable all levels of LAN
> > Manager authentication capabilities from our
> > environment...LM..NTLM..NTLMv2
> >
> > Is this possible.....?
> >
> > Thanks
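The "LAN Manager authentication level" setting mentioned in the quoted reply is stored in the `LmCompatibilityLevel` registry value. The following is an added example, not part of the original thread, that reads that value on the local machine and reports what it means for a client and for a domain controller. The function name `Get-LmAuthLevelReport` is made up for this illustration.

```powershell
# Added example (not from the thread): audit the LAN Manager authentication
# level on the local machine. LmCompatibilityLevel backs the policy
# "Network security: LAN Manager authentication level".
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# For each level: what a client sends, and what a domain controller accepts.
$Levels = @{
    0 = @{ Sends = 'LM and NTLM';                          Accepts = 'LM, NTLM, NTLMv2' }
    1 = @{ Sends = 'LM and NTLM (NTLMv2 session security if negotiated)'
           Accepts = 'LM, NTLM, NTLMv2' }
    2 = @{ Sends = 'NTLM only';                            Accepts = 'LM, NTLM, NTLMv2' }
    3 = @{ Sends = 'NTLMv2 only';                          Accepts = 'LM, NTLM, NTLMv2' }
    4 = @{ Sends = 'NTLMv2 only';                          Accepts = 'NTLM, NTLMv2 (LM refused)' }
    5 = @{ Sends = 'NTLMv2 only';                          Accepts = 'NTLMv2 (LM and NTLM refused)' }
}

# Hypothetical helper name, introduced for this example.
function Get-LmAuthLevelReport {
    param([string]$Path = $LsaKey)

    $prop = Get-ItemProperty -Path $Path -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the operating system default applies, and that
        # default differs between Windows versions, so report it as unset.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Level = $null
            ClientSends = 'OS default'; DcAccepts = 'OS default'
            SendsNtlmV2Only = $false; RefusesLmAndNtlm = $false
        }
    }

    $level = [int]$prop.LmCompatibilityLevel
    if (-not $Levels.ContainsKey($level)) {
        throw "Unexpected LmCompatibilityLevel value: $level"
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Level            = $level
        ClientSends      = $Levels[$level].Sends
        DcAccepts        = $Levels[$level].Accepts
        SendsNtlmV2Only  = ($level -ge 3)   # client no longer sends LM/NTLM
        RefusesLmAndNtlm = ($level -eq 5)   # "allow only NTLMv2" in the reply's sense
    }
}

Get-LmAuthLevelReport | Format-List
```

A value set through Group Policy overrides a local registry edit at the next policy refresh, so the report reflects the effective setting only after policy has applied.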