Network Level Authentication

Marc-André Moreau edited this page Dec 16, 2011 · 5 revisions


Annotated Packet Captures

Windows XP to Windows 7, Local Logon
Windows 7 to Windows Server 2008 R2, Domain Logon
Windows 7 to Windows Server 2008 R2, Domain Logon, Suppress Extended Protection

Each annotated packet capture comes with the original Wireshark packet capture, bundled with the private key required to decrypt the packets. To configure Wireshark so that it can use the private keys to decrypt the captures, refer to the Wireshark Usage article.

Documentation

[MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol Specification
[MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol Specification
[MS-SPNG]: Simple and Protected Generic Security Service Application Program Interface Negotiation Mechanism (SPNEGO) Protocol Extensions

Registry Tweaks

NTLM Authentication Level

LmCompatibilityLevel

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

| Value | Meaning |
|-------|---------|
| 0 | Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 1 | Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 2 | Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication. |
| 3 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 4 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2. |
| 5 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2. |

Enable NLA on Windows XP SP3

Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3

Add “tspkg” to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

Then add “credssp.dll” to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

And then reboot for the changes to take effect. From experience, this should work even with the latest version of Windows Server 2008 R2, but I noticed that while NTLM authentication is used for a local logon, Kerberos authentication is used for a domain logon. Tweaking LmCompatibilityLevel helps force certain versions of NTLM.

Extended Protection for Authentication

Extended Protection for Authentication is enabled by default on Windows 7 and Windows Server 2008 R2. When enabled, certain features of NTLMv2 authentication are used, such as the ChannelBindingToken (CBT). Since FreeRDP is not using that feature, it might be a good idea to disable it before taking a packet capture from mstsc.exe that you want to analyze.

To disable Extended Protection for Authentication, create the following DWORD key with the value “1”:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection

To re-enable it, either delete the above key, or set its value to “0”.
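
The following read-only PowerShell check is an added example, not part of the original wiki page or the FreeRDP project. It reports the state of the registry values described above, so a capture machine can be verified before a capture and confirmed restored afterwards. The helper name Get-RegValue is hypothetical, and treating any nonzero SuppressExtendedProtection value as suppressed is an assumption.

```powershell
# Added example: read-only check of the registry values this page discusses.
# It changes nothing; it only reports what is currently configured.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

# Hypothetical helper: emits nothing when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$lm       = Get-RegValue $lsa 'LmCompatibilityLevel'
$suppress = Get-RegValue $lsa 'SuppressExtendedProtection'

# "Security Packages" is a multi-string value: one package name per entry.
$packages = @(Get-RegValue $lsa 'Security Packages')

# "SecurityProviders" is a single comma-separated string of DLL names.
$providers = @("$(Get-RegValue $sp 'SecurityProviders')" -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })

# Per the table above, levels 3 and higher restrict the client to NTLMv2.
if ($null -eq $lm) {
    $lmText = 'not set (OS default applies)'
} elseif ($lm -ge 3) {
    $lmText = "$lm (client uses only NTLMv2)"
} else {
    $lmText = "$lm (client still uses LM and/or NTLM)"
}

# The page documents 1 = disabled, 0 or absent = re-enabled.
# Assumption: any other nonzero value is also reported as suppressed.
if ($null -ne $suppress -and $suppress -ne 0) {
    $epText = "SUPPRESSED (value $suppress); delete it or set it to 0 after capturing"
} else {
    $epText = 'not suppressed (value absent or 0)'
}

"LmCompatibilityLevel          : $lmText"
"tspkg in Security Packages    : $($packages -contains 'tspkg')"
"credssp.dll in SecurityProviders: $($providers -contains 'credssp.dll')"
"Extended Protection           : $epText"
```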

Extended Protection for Authentication
Microsoft Security Advisory: Extended protection for authentication
Microsoft Security Advisory (973811): Extended Protection for Authentication
