NTLMv1 security issue
aland at deployingradius.com
Fri Jan 18 15:17:22 CET 2019
On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1 at msn.com> wrote:
> I'm trying to set up a FreeRADIUS server for authentication against Active Directory. I followed the guide on deployingradius.com. In order to make everything work I have to set “ntlm auth = yes” in my smb.conf. This should enable NTLMv1 protocol that is well known to be broken. I also know that there is the possibility to set “ntlm auth = mschapv2-and-ntlmv2-only” but that’s not supported on my currently running SAMBA version. So these are my questions:
> - What are the risks that I’m taking if I leave “ntlm auth = yes” on my SAMBA server?
People can use ntlm_auth to talk to Samba. ntlm_auth is insecure, so it's best to avoid it if you can.
> - How can I avoid “ntlm auth = yes” without upgrading SAMBA?
Use one Samba server for "public" access. i.e. people in your local network. Use a different Samba server for FreeRADIUS. And lock the second one down so that it only talks to the first Samba server && FreeRADIUS.
> - If I decide to upgrade SAMBA and set “ntlm auth = mschapv2-and-ntlmv2-only” can I rest easy or I’m still being vulnerable in some way?
It's a little better, but plain MS-CHAPv2 is still somewhat insecure.
More information about the Freeradius-Users