The client-side NTLMv2 security enhancements (Stage 2) were a smashing success.  As a result, all domain-joined workstations are now configured to use only NTLMv2 or Kerberos protocols for Windows authentication.

Following the failure of the "Stage 1" security tests back in February, we are continuing to explore our options for strengthening the security of server-side Windows authentication.  We will contact this list to communicate any new security testing programs.

-Greg Mackinnon
ETS Systems Architecture and Administration

On 3/7/2011 10:10 PM, J. Greg Mackinnon wrote:
Stage 2 of NTLMv2-related security changes has gone into effect.  All managed workstations in the campus domain will start using, at minimum, the NTLMv2 authentication protocol.

Please note that workstations should apply the security change immediately following refresh of security policies.  Policy refresh takes place at computer startup, and again every hour.  We expect that all systems should be using the new policy within one hour of the start of business on Tuesday.  As planned previously, the changes will be rolled back at the end of business on Tuesday, around 5pm.

Please report unexpected authentication problems to IT-DISCUSS, and we will address them as quickly as possible. 

-Greg Mackinnon
ETS Systems Architecture and Administration

On 3/7/2011 9:40 AM, J. Greg Mackinnon wrote:
Owing to the severe weather, we have not implemented stage 2 of the tests outlined below.  Low staffing levels at the University would limit the usefulness of the test.

Instead, we will delay implementation of the security changes to this evening at 9:30pm, and keep the planned rollback for 5pm tomorrow.

-Greg Mackinnon
ETS Systems Architecture and Administration

On 2/8/2011 12:04 PM, J. Greg Mackinnon wrote:

In order to increase the security of file sharing protocols commonly used by workstations on the campus network, we are planning to stage the following changes to security policy on all Windows computers in the Campus Active Directory infrastructure:

  • Stage 2:  Active Directory-joined workstations will be configured to use only NTLMv2 or Kerberos authentication protocols for connections to all servers, regardless of the domain membership of the server being accessed.


These changes will alter the way in which computers on the network interact with traditional Windows file servers, or any other file server that uses the "CIFS" or "SMB" protocol (such as Samba servers).  While we believe that all core ETS servers will accept these changes without problems, there is the possibility that servers outside of ETS management will not be compatible with the new security settings.  To help identify and fix these outlying systems, we plan the following phased implementation of the new security settings:


Implementation of stage two will follow this schedule:

  • At 9:30pm on Sunday, March 6th, domain-joined workstations will have NTLM and LM authentication protocols disabled.
  • The policy change will be rolled back at 5pm on Tuesday, March 8th.
  • If no unresolvable problems are reported as a result of the tests, the policy change will be re-applied on Sunday evening, March 13th.
  • If we are unable to resolve authentication problems before March 13th, we will continue to work with problem systems and announce a second policy trial at a later date.


-J. Greg Mackinnon

ETS Systems Architecture and Administration

x68251
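On a Windows workstation, the Stage 2 change described in this thread is the "Network security: LAN Manager authentication level" policy, which Windows stores as the LmCompatibilityLevel DWORD under the Lsa registry key. The PowerShell script below is an added example for checking that the policy has actually landed on a machine after a policy refresh; it is not part of the ETS announcements. The registry path and the meaning of levels 0 through 5 are standard Windows documentation; the assumption that the ETS policy corresponds to level 3 or higher ("Send NTLMv2 response only"), and the function names, are mine and not stated in the thread.

```powershell
# Added example (not from the ETS announcement): audit and, if wanted, set the
# LAN Manager authentication level that controls whether a workstation will
# still send LM or NTLMv1 responses.
# Assumption: the "NTLMv2 or Kerberos only" policy in the thread maps to
# LmCompatibilityLevel >= 3. Levels 4 and 5 additionally make the machine,
# acting as a server, refuse LM and LM+NTLM responses from clients.

$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName     = 'LmCompatibilityLevel'
$RequiredLevel = 3   # assumption, see above

# Standard meanings of the policy values (Windows documentation).
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the explicitly configured level, or $null when the value is
    # absent (Windows then uses its OS default, which is 3 on Vista/2008+).
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

function Test-NtlmV2Only {
    # $true when LM and NTLMv1 responses are disabled on this workstation.
    param([int]$MinimumLevel = $RequiredLevel)

    $level = Get-LmCompatibilityLevel
    if ($null -eq $level) {
        Write-Warning ("{0} is not set explicitly; the OS default applies. " +
                       "If a GPO was just changed, run 'gpupdate /target:computer' and re-check.") -f $ValueName
        return $false
    }

    $name = $LevelNames[$level]
    if (-not $name) { $name = 'unknown value' }
    Write-Host ("{0} = {1} ({2})" -f $ValueName, $level, $name)

    return ($level -ge $MinimumLevel)
}

function Set-LmCompatibilityLevel {
    # Sets the level locally. On a domain-joined machine a Group Policy setting
    # will overwrite this at the next refresh, so use it only to test a single
    # host or to verify what a value change does; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 5)]
        [int]$Level
    )

    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "set to $Level ($($LevelNames[$Level]))")) {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Level -Type DWord
    }
}

# Usage (run in an elevated PowerShell on the workstation being checked):
if (Test-NtlmV2Only) {
    Write-Host 'OK: this workstation will not send LM or NTLMv1 responses.'
} else {
    Write-Host 'NOT COMPLIANT: LM and/or NTLMv1 responses are still permitted.'
    # To apply the expected level locally for testing:
    # Set-LmCompatibilityLevel -Level 3 -WhatIf
}
```

The check is deliberately read-only by default; the setter is only for reproducing the policy on a test host, since the domain GPO described in the thread will reassert its own value within the normal refresh interval. Note that this value governs the challenge/response the machine sends as a client; confirming which servers still negotiate NTLMv1 with it, the problem the staged rollout was designed to surface, requires looking at the authentication events on the servers themselves.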