
The client-side NTLMv2 security enhancements (Stage 2) were a smashing
success.  As a result, all domain-joined workstations are now configured
to use only NTLMv2 or Kerberos protocols for Windows authentication.

Following the failure of the "Stage 1" security tests back in February,
we are continuing to explore our options for strengthening the security
of server-side Windows authentication.  We will contact this list to
communicate any new security testing programs.

-Greg Mackinnon
ETS Systems Architecture and Administration

On 3/7/2011 10:10 PM, J. Greg Mackinnon wrote:
> Stage 2 of NTLMv2-related security changes has gone into effect.  All
> managed workstations in the campus domain will start using, at
> minimum, the NTLMv2 authentication protocol.
>
> Please note that workstations should apply the security change
> immediately following refresh of security policies.  Policy refresh
> takes place at computer startup, and again every hour.  We expect that
> all systems should be using the new policy within one hour of the
> start of business on Tuesday.  As planned previously, the changes will
> be rolled back at the end of business on Tuesday, around 5pm.
>
> Please report unexpected authentication problems to IT-DISCUSS, and we
> will address them as quickly as possible.
>
> -Greg Mackinnon
> ETS Systems Architecture and Administration
>
> On 3/7/2011 9:40 AM, J. Greg Mackinnon wrote:
>> Owing to the severe weather, we have not implemented stage 2 of the
>> tests outlined below.  Low staffing levels at the University would
>> limit the usefulness of the test.
>>
>> Instead, we will delay implementation of the security changes to this
>> evening at 9:30pm, and keep the planned rollback for 5pm tomorrow.
>>
>> -Greg Mackinnon
>> ETS Systems Architecture and Administration
>>
>> On 2/8/2011 12:04 PM, J. Greg Mackinnon wrote:
>>>
>>> In order to increase the security of file sharing protocols commonly
>>> used by workstations on the campus network, we are planning to stage
>>> the following changes to security policy on all Windows computers in
>>> the Campus Active Directory infrastructure:
>>>
>>>     * Stage 2:  Active Directory-joined workstations will be
>>>       configured to use only NTLMv2 or Kerberos authentication
>>>       protocols for connections to all servers, regardless of the
>>>       domain membership of the server being accessed.
>>>
>>>
>>> These changes will alter the way in which computers on the network
>>> interact with traditional Windows file servers, or any other file
>>> server that uses the "CIFS" or "SMB" protocol (such as Samba
>>> servers).  While we believe that all core ETS servers will accept
>>> these changes without problems, there is the possibility that
>>> servers outside of ETS management will not be compatible with the
>>> new security settings.  To help identify and fix these outlying
>>> systems, we plan the following phased implementation of the new
>>> security settings:
>>>
>>>
>>> Implementation of stage two will follow this schedule:
>>>
>>>     * At 9:30pm on Sunday, March 6th, domain-joined workstations
>>>       will have NTLM and LM authentication protocols disabled.
>>>     * The policy change will be rolled back at 5pm on Tuesday, March
>>>       8th.
>>>     * If no unresolvable problems are reported as a result of the
>>>       tests, the policy change will be re-applied on Sunday evening,
>>>       March 13th.
>>>     * If we are unable to resolve authentication problems before
>>>       March 13th, we will continue to work with problem systems
>>>       and announce a second policy trial at a later date.
>>>
>>>
>>> -J. Greg Mackinnon
>>>
>>> ETS Systems Architecture and Administration
>>>
>>> x68251
>>>
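The Stage 2 change described in the thread (workstations sending only NTLMv2, with LM and NTLMv1 disabled) is the "Network security: LAN Manager authentication level" policy, which Windows stores as the `LmCompatibilityLevel` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`. The following PowerShell is an added example, not from the announcement or from ETS; it assumes a standard Windows workstation and that level 3 or higher is the target the announcement describes. It reports the effective level with its documented meaning and offers a `-WhatIf`-capable setter for an administrator verifying a single machine outside the group policy refresh window.

```powershell
# Added example (not part of the original announcement): audit and, if
# wanted, set the LAN Manager authentication level that the "Stage 2"
# policy controls. Assumption: the relevant setting is
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meanings of LmCompatibilityLevel values 0 through 5.
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured value, or $null when the value is absent
    # (absent means the OS default applies, which varies by Windows version).
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Test-NtlmV2OnlyClient {
    # Level 3 and above means the client never sends an LM or NTLMv1 response,
    # which is what the Stage 2 workstation change requires.
    param([int]$MinimumLevel = 3)

    $level = Get-LmCompatibilityLevel
    if ($null -ne $level -and $LevelMeaning.ContainsKey($level)) {
        $meaning = $LevelMeaning[$level]
    } elseif ($null -ne $level) {
        $meaning = 'unrecognised value'
    } else {
        $meaning = 'not set (OS default applies)'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Level        = $level
        Meaning      = $meaning
        Compliant    = ($null -ne $level) -and ($level -ge $MinimumLevel)
    }
}

function Set-NtlmV2OnlyClient {
    # Writes the level directly; on a domain-joined machine group policy
    # will overwrite this at the next refresh, so it is a test aid only.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 5)][int]$Level = 3)

    if ($PSCmdlet.ShouldProcess($LsaKey, "Set LmCompatibilityLevel to $Level")) {
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
    }
}

# Report the current state of this workstation.
Test-NtlmV2OnlyClient | Format-List
```

Level 3 matches the client-only scope of Stage 2; levels 4 and 5 additionally make the machine refuse incoming LM or NTLMv1 authentication, which is the server-side behaviour the thread reports as the failed Stage 1 test. Running `Set-NtlmV2OnlyClient -Level 3 -WhatIf` shows what would change without writing the value, and `Test-NtlmV2OnlyClient` after a `gpupdate` confirms whether the domain policy has applied.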