If a client provides a LANMAN and an NTLM hash, only the NTLM hash is used unless the QZLSPWDANY$ share exists (or NetServer is configured to allow LANMAN authentication). This is because the NTLM hash is more secure. If only a LANMAN hash is provided (as was done by Windows 9x), that hash is used. NetServer does not support LMv2 hashes; therefore, LMV2 always fails. NTLM and NTLMv2 hashes are always accepted (with the restrictions in the table above) unless NetServer is configured for Kerberos-only authentication.
The QPWDLVL of the system does not affect the hashes that NetServer can accept. The thing that it does do is make the NTLM style hashes work with mixed-case Windows passwords. This is possible with QPWDLVL 2 and 3 because the system password can be mixed-case.
NetServer does not indicate to Windows to send a specific type of encryption. The only thing the server tells the client during the Negotiate is if extended security is supported by the server. The client will then try to negotiate whether to use Kerberos or password hashes. At no point does NetServer tell the client what form of password hash to use nor is there any way that NetServer could tell the client what form to use.
Also find : ms lan manager
No comments:
Post a Comment