RDS Services
Security issues and NTLM
Documentation
[MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol Specification
[MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol Specification
[MS-SPNG]: Simple and Protected Generic Security Service Application Program Interface Negotiation Mechanism (SPNEGO) Protocol Extensions
Registry Tweaks
NTLM Authentication Level
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
Value | Meaning |
---|---|
0 | Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
1 | Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
2 | Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
3 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
4 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication responses, but they accept NTLM and NTLMv2. |
5 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM authentication responses, but they accept only NTLMv2. |
FreeRDP, run from a Linux machine, is a useful reference implementation: most thin clients run Linux and only replace the front end. The notes below are written for FreeRDP, but they give significant insight into behaviour that is not obvious from Microsoft's documentation.
Extended Protection for Authentication
Extended Protection for Authentication is enabled by default on Windows 7 and Windows Server 2008 R2. When enabled, certain features of NTLMv2 authentication are used, such as the ChannelBindingToken (CBT). Since FreeRDP is not using that feature, it might be a good idea to disable it before taking a packet capture from mstsc.exe that you want to analyze.
To disable Extended Protection for Authentication, create the following DWORD value and set it to “1”:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection
To re-enable it, either delete the above key, or set its value to “0”.
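As an added example (not code from the original page, FreeRDP or Microsoft), a PowerShell audit of the two LSA values discussed above: it reads LmCompatibilityLevel and SuppressExtendedProtection, condenses the table into a one-line meaning, and flags settings that leave LM/NTLMv1 or unbound NTLM in play. The function names and the condensed wording are assumptions of this example.

```powershell
# Added example, not from the original page: audit the two LSA registry values
# discussed above and report what the current setting means for this host.
# Assumes a PowerShell prompt on the Windows host being checked; reading the
# values needs no elevation, re-enabling Extended Protection does.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Client behaviour per level, condensed from the LmCompatibilityLevel table.
$LevelMeaning = @{
    0 = 'LM and NTLM, never NTLMv2 session security'
    1 = 'LM and NTLM, NTLMv2 session security if the server supports it'
    2 = 'NTLM only, NTLMv2 session security if the server supports it'
    3 = 'NTLMv2 only; DC still accepts LM, NTLM and NTLMv2'
    4 = 'NTLMv2 only; DC refuses LM responses'
    5 = 'NTLMv2 only; DC refuses LM and NTLM responses'
}

function Get-LsaDword {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value is absent, i.e. the OS default applies.
    $item = Get-ItemProperty -Path $LsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-NtlmHardening {
    $level    = Get-LsaDword -Name 'LmCompatibilityLevel'
    $suppress = Get-LsaDword -Name 'SuppressExtendedProtection'
    $findings = @()
    if ($null -ne $level -and $level -lt 3) {
        $findings += "LmCompatibilityLevel=$level: client may still send LM/NTLMv1 responses"
    }
    if ($null -ne $level -and $level -lt 5) {
        $findings += "LmCompatibilityLevel=$level: a domain controller at this level still accepts NTLMv1"
    }
    if ($suppress -eq 1) {
        $findings += 'SuppressExtendedProtection=1: channel binding (CBT) checks are disabled'
    }
    [pscustomobject]@{
        LmCompatibilityLevel       = if ($null -eq $level) { 'not set (OS default applies)' } else { "$level - $($LevelMeaning[$level])" }
        SuppressExtendedProtection = if ($null -eq $suppress) { 'not set (enabled by default since Windows 7 / 2008 R2)' } else { $suppress }
        Findings                   = $findings
    }
}

function Restore-ExtendedProtection {
    # Undo the capture-time tweak from the text above: value 0 re-enables EPA.
    Set-ItemProperty -Path $LsaPath -Name 'SuppressExtendedProtection' -Value 0 -Type DWord
}

Test-NtlmHardening | Format-List
```

Run Test-NtlmHardening before and after a capture session; an empty Findings list means the host is back at NTLMv2-only with channel binding active.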
Extended Protection for Authentication
Microsoft Security Advisory: Extended protection for authentication
Microsoft Security Advisory (973811): Extended Protection for Authentication
AutomaTech Inc.