RDS Services

Security issues and NTLM

Documentation

[MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol Specification
[MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol Specification
[MS-SPNG]: Simple and Protected Generic Security Service Application Program Interface Negotiation Mechanism (SPNEGO) Protocol Extensions

Registry Tweaks

NTLM Authentication Level

LmCompatibilityLevel

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

Value  Meaning
0      Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
1      Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
2      Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
3      Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
4      Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication responses, but accept NTLM and NTLMv2.
5      Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM authentication responses, but accept NTLMv2.


A useful resource is FreeRDP, run from a Linux machine: most thin clients run Linux and only replace the front end. The following notes pertain to FreeRDP, but they give significant insight into behaviour that is not obvious from Microsoft's documentation.

Extended Protection for Authentication

Extended Protection for Authentication is enabled by default on Windows 7 and Windows Server 2008 R2. When it is enabled, certain NTLMv2 authentication features are used, such as the Channel Binding Token (CBT). Since FreeRDP does not use that feature, it may be worth disabling it before taking a packet capture of mstsc.exe that you want to analyze.

To disable Extended Protection for Authentication, create the following DWORD value and set it to 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection

To re-enable it, either delete the above value or set it to 0.
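The PowerShell below is an added example; it is not part of these notes, FreeRDP, or Microsoft's documentation. It reads the two values discussed above (LmCompatibilityLevel and SuppressExtendedProtection) from the Lsa key, rates the NTLM level against the table, and provides a function that re-enables Extended Protection once a capture is finished. The function names are my own, and it assumes the standard Lsa registry path shown above and an elevated session for the write operation.

```powershell
# Added example: audit the NTLM registry values described above and restore
# Extended Protection after analysis. Not from the original notes.

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # path from the notes above

function Get-NtlmHardeningState {
    # Returns an object describing LmCompatibilityLevel and SuppressExtendedProtection.
    [CmdletBinding()]
    param()

    $props    = Get-ItemProperty -Path $LsaPath -ErrorAction Stop
    $level    = $props.LmCompatibilityLevel
    $suppress = $props.SuppressExtendedProtection

    # An absent LmCompatibilityLevel means the OS default applies, which differs
    # between Windows versions, so it is reported as unknown rather than guessed.
    if     ($null -eq $level) { $levelRisk = 'Unknown (value absent; OS default applies)' }
    elseif ($level -le 2)     { $levelRisk = 'High: client may send LM or NTLM responses' }
    elseif ($level -eq 3)     { $levelRisk = 'Medium: client sends NTLMv2 only, but DC still accepts LM and NTLM' }
    elseif ($level -eq 4)     { $levelRisk = 'Low: DC refuses LM responses' }
    elseif ($level -eq 5)     { $levelRisk = 'Lowest: DC refuses LM and NTLM responses' }
    else                      { $levelRisk = "Unexpected value $level" }

    # Per the notes: 1 suppresses Extended Protection; absent or 0 leaves it enabled.
    if     ($null -eq $suppress -or $suppress -eq 0) { $epaState = 'Enabled' }
    elseif ($suppress -eq 1)                         { $epaState = 'Suppressed (disabled)' }
    else                                             { $epaState = "Unexpected value $suppress" }

    [pscustomobject]@{
        LmCompatibilityLevel       = $level
        LmCompatibilityRisk        = $levelRisk
        SuppressExtendedProtection = $suppress
        ExtendedProtection         = $epaState
    }
}

function Set-ExtendedProtectionSuppression {
    # Without -Suppress: re-enable Extended Protection by deleting the value.
    # With -Suppress: set the DWORD to 1, as the notes describe for capture analysis.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Suppress)

    if ($Suppress) {
        if ($PSCmdlet.ShouldProcess($LsaPath, 'Set SuppressExtendedProtection = 1')) {
            New-ItemProperty -Path $LsaPath -Name SuppressExtendedProtection `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    } else {
        if ($PSCmdlet.ShouldProcess($LsaPath, 'Remove SuppressExtendedProtection')) {
            Remove-ItemProperty -Path $LsaPath -Name SuppressExtendedProtection `
                -ErrorAction SilentlyContinue
        }
    }
}

# Usage: report the current state, then restore Extended Protection.
Get-NtlmHardeningState | Format-List
Set-ExtendedProtectionSuppression -WhatIf
```

Run the audit first and keep its output as the record of the pre-change state. The write function supports -WhatIf, so it can be dry-run before touching the registry; in a domain, Group Policy may reapply these values, so check the effective policy before expecting a local change to persist.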

Extended Protection for Authentication
Microsoft Security Advisory: Extended protection for authentication
Microsoft Security Advisory (973811): Extended Protection for Authentication

AutomaTech Inc.