Network security: minimum session security for NTLM SSP based (including secure or RPC) servers

Modified: 2008/01/13 16:17 by Randy Franklin Smith
This setting applies, from the server's point of view, to applications that use the NTLM SSP or secure RPC, and specifies the session security requirements for communication between the client and the server. The value is a bit mask; each check box in the policy editor sets one bit:

Hex value  | Check box                        | Meaning
0x0        | None checked                     | None. No security is used for session security.
0x10       | Require message integrity        | Message integrity. If the value of either this entry or the NtlmMinClientSec entry includes 0x10, the connection will fail unless message integrity is negotiated.
0x20       | Require message confidentiality  | Message confidentiality. If the value of either this entry or the NtlmMinClientSec entry includes 0x20, the connection will fail unless message confidentiality is negotiated.
0x80000    | Require NTLMv2 session security  | NTLMv2 session security. If the value of either this entry or the NtlmMinClientSec entry includes 0x80000, the connection will fail unless NTLMv2 session security is negotiated.
0x20000000 | Require 128-bit encryption       | 128-bit encryption. If the value of either this entry or the NtlmMinClientSec entry includes 0x20000000, the connection will fail unless 128-bit encryption is negotiated.
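The following PowerShell script is an added example (it is not part of the original page) that reads NtlmMinServerSec and NtlmMinClientSec from the registry key documented below, decodes each value against the bit table above, and reports the effective minimum on the host. It assumes the key path and bit values given on this page and treats a missing value as the page's documented default of 0x0.

```powershell
# Added example, not from the original page: audit the NTLM minimum
# session security values on the local machine.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Flag bits as documented in the table on this page.
$NtlmSecFlags = [ordered]@{
    0x00000010 = 'Require message integrity'
    0x00000020 = 'Require message confidentiality'
    0x00080000 = 'Require NTLMv2 session security'
    0x20000000 = 'Require 128-bit encryption'
}

function Get-NtlmMinSec {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NtlmMinServerSec', 'NtlmMinClientSec')]
        [string]$Name
    )
    # A value that has never been set means the documented default, 0x0.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    return [uint32]$item.$Name
}

function ConvertTo-NtlmSecRequirements {
    param([uint32]$Value)
    # One row per documented bit, with whether this value enforces it.
    foreach ($bit in $NtlmSecFlags.Keys) {
        [pscustomobject]@{
            Hex      = ('0x{0:X8}' -f $bit)
            Setting  = $NtlmSecFlags[$bit]
            Enforced = (($Value -band $bit) -ne 0)
        }
    }
}

$server = Get-NtlmMinSec -Name NtlmMinServerSec
$client = Get-NtlmMinSec -Name NtlmMinClientSec

'NtlmMinServerSec = 0x{0:X8}' -f $server
ConvertTo-NtlmSecRequirements -Value $server | Format-Table -AutoSize

'NtlmMinClientSec = 0x{0:X8}' -f $client
ConvertTo-NtlmSecRequirements -Value $client | Format-Table -AutoSize

# Per the table, a bit set in either value makes a connection fail unless
# that feature is negotiated, so the effective minimum is the union.
$effective = $server -bor $client
'Effective minimum (server OR client) = 0x{0:X8}' -f $effective
ConvertTo-NtlmSecRequirements -Value $effective |
    Where-Object Enforced |
    ForEach-Object { ' - ' + $_.Setting }
```

To audit a fleet rather than one host, wrap the same logic in Invoke-Command against a list of computer names and collect the Effected rows; any server whose effective value is 0x0 is accepting NTLM sessions with no integrity, confidentiality, NTLMv2 or 128-bit requirement at all.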

As best I can tell, this setting will primarily impact secure RPC communications such as between Outlook and Exchange when authenticating via NTLM.

Unanswered questions: how do these settings affect SMB traffic, or do they? Do these settings apply to all RPC traffic, only secure RPC traffic, or just secure RPC traffic authenticated via NTLM instead of Kerberos? How do these settings affect traffic sent via the Kerberos SSP? If they don't, how do you set similar requirements for the Kerberos SSP?

Underlying registry key and value

Value name: NtlmMinServerSec
Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

Data type | Range                                          | Default value
REG_DWORD | 0x0 | 0x10 | 0x20 | 0x80000 | 0x20000000 (bit mask) | 0x0

Excellent sources for more information on NTLM: http://davenport.sourceforge.net/ntlm.html by Eric Glass, and http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, All rights reserved. Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. Terms and conditions.