Posted by Roger Abell [MVP] on February 28, 2007, 9:09 am
> Roger a brief summary:
>
> 1) You were completely correct that if I select the checkbox for the lists
> of anonymous shares, pipes, and registry entries and then empty them, the
> null setting does take effect on next application of the GPO. The bug
> where these repopulate is simply within the GPO editor. It's still nasty,
> but less serious than it looked at first.
>
Yes, it is very pernicious.
I think I did see a KB warning about this though,
but I certainly cannot locate it currently.
> 2) Even after you take out ALL anonymous shares, pipes, and registry
> settings, and set the authentication level to refuse LM and NTLM, you will
> still get eventid 540 and NTLMSSP anonymous connections from every member
> server that is seeking to renew a Kerberos ticket. This is at least true
> with a Windows 2003 DC and W2K member servers. Not sure if this changes
> with Windows 2003 member servers (I would like to know).
>
I think it remains so with members also.
I only see those go away for example on my IIS w2k3 r2 members when
the IPsec cloak leaves only tcp 80, 443 open to the authentication attempts,
hence blocking this (what?) residual successful anonymous login.
> I would sure like to understand what the NTLMSSP anonymous logon is used
> for. Perhaps that eventID 540 Anonymous Logon is a pre-Kerberos
> authentication just to ask the domain controller what authentication
> methods it supports using NTLM 2? If anyone has specifics on what it is
> used for I would appreciate details.
>
I have not seen details, and would similarly appreciate MS providing
more clarity on this entire topic for their customer base.
As I stated in a different thread with yourself, my present working
assumption is that the event recorded is the initial SSPI negotiation,
which of course by definition must be prior to any authenticated
access. It is of course only my current hypothesis, but I do recognize
what you are reporting, that one cannot remove all successful logon
events for anonymous.
PS.
my weak point on the hypothesis is why we see SPNEGO events
that are separate from the NT Authority\Anonymous Logon
success events
> 3) I looked at all of this with a sniffer, and what is quite strange to me
> is during the prenegotiation period before the member server attempts to
> do any SMB to the DC, the member server is listing the protocols it would
> like to work with. It lists very unsecure protocols including Windows for
> Workgroups 3.1, early LANMAN protocols, etc. It is the server that comes
> back and lists only two acceptable protocols as Kerberos and NTLMSSP.
> Why is the W2K member server asking for unsecure protocols when the
> authentication level is set to the highest. Strange.
>
IIRC the SSPI negotiation starts with the requestor listing
the protocols it is capable of using (you said ones it would
like to use). Server responds with its preference. It is after
all a negotiation, so requestor may not support server's first
choice, etc.
> Obviously I don't understand it too well yet, but would like to change
> that. Is there a newsgroup that specializes in programmers using Windows
> authentication APIs?
http://msdn2.microsoft.com
specifically digging in at
http://msdn2.microsoft.com/en-us/library/default.aspx
(and do not overlook the DDK - driver dev kit)
When I was first charged with exploring MS Windows for its
fit/misfit in our environment, the SDK (via MSDN) was THE
(as in only) location for any realistic, meaningful, and not
outdated, info about Windows operation (and hence rigorous
administration/management).
Things have improved greatly, but there is still a gap.
Roger
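The two checks the thread keeps circling back to, whether the emptied null-session lists actually landed on the box (point 1) and how many ANONYMOUS LOGON successes remain once they have (point 2), can be done from the host itself rather than from the GPO editor. The script below is an added example, not from either poster; it reads the effective registry values behind the relevant security policies and summarises the residual anonymous 540 logons by source address and authentication package. Assumptions: the registry paths and value names are the standard ones for Windows 2000/2003 (NullSessionShares, NullSessionPipes, RestrictNullSessAccess, RestrictAnonymous, EveryoneIncludesAnonymous, LmCompatibilityLevel, and the winreg AllowedExactPaths/AllowedPaths lists), the "want" values reflect the hardened settings the thread describes (LmCompatibilityLevel 5 = refuse LM and NTLM), the Security log message template is the English one, and event 540 is the id on 2003 (use 4624 on Vista/2008 and later). The function names are my own.

```powershell
# Added example (not part of the original thread): verify the EFFECTIVE
# null-session/anonymous hardening on a 2000/2003 member or DC, then count
# the ANONYMOUS LOGON events that survive it. Run elevated on the target.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-RegValueOrNull($Path, $Name) {
    # Returns $null if the key or value is absent (absent is reported, not hidden).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Expected values for the hardened state described in the thread (assumed mapping
# from the GPO names to registry values; confirm against your own policy).
$expected = @(
    @{ Path=$lanman;                   Name='NullSessionShares';        Want='EMPTY' }, # shares accessed anonymously
    @{ Path=$lanman;                   Name='NullSessionPipes';         Want='EMPTY' }, # pipes accessed anonymously
    @{ Path="$winreg\AllowedExactPaths"; Name='Machine';                Want='EMPTY' }, # remotely accessible registry paths
    @{ Path="$winreg\AllowedPaths";      Name='Machine';                Want='EMPTY' }, # ... and sub-paths
    @{ Path=$lanman;                   Name='RestrictNullSessAccess';   Want=1 },
    @{ Path=$lsa;                      Name='RestrictAnonymous';        Want=1 },
    @{ Path=$lsa;                      Name='EveryoneIncludesAnonymous';Want=0 },
    @{ Path=$lsa;                      Name='LmCompatibilityLevel';     Want=5 }       # send NTLMv2 only, refuse LM & NTLM
)

function Test-NullSessionHardening {
    foreach ($e in $expected) {
        $actual = Get-RegValueOrNull $e.Path $e.Name
        if ($e.Want -eq 'EMPTY') {
            # REG_MULTI_SZ: the GPO editor may re-populate the list, so inspect the live value.
            $entries = @($actual | Where-Object { $_ -and $_.Trim() -ne '' })
            $ok = ($entries.Count -eq 0)
            $shown = if ($entries.Count) { $entries -join ';' } else { '<empty>' }
        } else {
            $ok = ($actual -eq $e.Want)
            $shown = if ($actual -eq $null) { '<absent>' } else { $actual }
        }
        New-Object PSObject -Property @{
            Setting = $e.Name; Actual = $shown; Expected = $e.Want; OK = $ok
        }
    }
}

function Get-AnonymousLogons([int]$EventId = 540, [int]$Newest = 2000) {
    # 540 = successful network logon (2000/2003). Filters on the English message text.
    Get-EventLog -LogName Security -InstanceId $EventId -Newest $Newest |
        Where-Object { $_.Message -match 'ANONYMOUS LOGON' } |
        ForEach-Object {
            $m = $_.Message
            New-Object PSObject -Property @{
                Time      = $_.TimeGenerated
                LogonProc = $(if ($m -match 'Logon Process:\s*(\S+)')          { $matches[1] } else { '?' })
                AuthPkg   = $(if ($m -match 'Authentication Package:\s*(\S+)') { $matches[1] } else { '?' })
                Source    = $(if ($m -match 'Source Network Address:\s*(\S+)') { $matches[1] } else { '?' })
            }
        }
}

Test-NullSessionHardening | Format-Table Setting, Actual, Expected, OK -AutoSize

# Which hosts still produce anonymous successes, and via which package (expect NtLmSsp/NTLM
# from members renewing tickets, per the thread; any other source deserves a look).
Get-AnonymousLogons | Group-Object Source, AuthPkg |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

If a Setting row shows a non-empty list after a `gpupdate /force`, the policy did not apply, whichever way the GPO editor renders it; if the rows are all OK but the second table is still non-empty, you are looking at the residual logons Roger describes, and the Source column tells you whether they come only from your own members.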