Security Basics mailing list archives

RE: XP password and encryption


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 6 Jan 2004 12:47:24 -0800

1)  I think this has pretty much been covered.  Pro is that you're
protected from inherent flaws in NTLM.  Con is that you're protected
from communicating with machines that still have to rely on NTLM.

2)  The normal way to configure this is to set servers to require
it of all clients, and clients to use it whenever connecting to a 
server that permits it -- this allows clients to still talk to
legacy servers as necessary.
  In transport mode, IPSEC encrypts the contents of packets, but
not the layer 3 headers.  If your original concern was about 
someone sniffing an exchange of hashes, this would both additionally
secure them, and submerge them in a mass of encrypted traffic where 
picking out the packets of interest would be more challenging.

3)  It's not.  Assigning IP addresses is going to be up to whoever
provides the network routers, and those would have to both (a)
support IPv6, and (b) be configured to use it.  Of course, most
won't bother until they can safely assume that the critical mass
of client hosts also support it -- including it in XP helps bring
that day a little closer.

David Gillett
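
The transport-mode point in item 2 (payload encrypted, layer 3 header left readable), as an added example that is not part of the original post. It compares what a passive sniffer can parse from the same TCP segment sent in the clear and wrapped in ESP. The addresses, ports, SPI and payload are constructed, and the "ciphertext" is a hash-derived stand-in rather than real ESP encryption (no IV, padding or ICV).

```python
import hashlib
import socket
import struct

ESP, TCP = 50, 6  # IANA IP protocol numbers

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for this sketch)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def tcp_segment(sport, dport, data):
    """Minimal 20-byte TCP header (PSH+ACK) followed by application data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                       8192, 0, 0) + data

def esp_transport(segment, spi, seq):
    """ESP layout: SPI | sequence number | opaque bytes.
    The opaque part stands in for ciphertext (hash output, NOT encryption);
    the +2 covers the pad-length and next-header bytes of the ESP trailer."""
    n = len(segment) + 2
    blocks = (hashlib.sha256(segment + bytes([i])).digest()
              for i in range(n // 32 + 1))
    return struct.pack("!II", spi, seq) + b"".join(blocks)[:n]

def observer_view(packet):
    """Fields a passive sniffer can read without any keys."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    view = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]), "proto": proto}
    body = packet[ihl:]
    if proto == TCP:
        view["sport"], view["dport"] = struct.unpack("!HH", body[:4])
    elif proto == ESP:
        # Ports and the inner protocol sit inside the encrypted part.
        view["spi"], view["seq"] = struct.unpack("!II", body[:8])
        view["opaque_len"] = len(body) - 8
    return view

# Constructed sample: one exchange to port 445, in the clear and under ESP.
segment = tcp_segment(1045, 445, b"constructed-auth-exchange")
clear = ipv4_header("192.0.2.10", "192.0.2.20", TCP, len(segment)) + segment
esp_body = esp_transport(segment, spi=0x1000, seq=1)
protected = ipv4_header("192.0.2.10", "192.0.2.20", ESP, len(esp_body)) + esp_body

if __name__ == "__main__":
    print("clear:    ", observer_view(clear))
    print("transport:", observer_view(protected))
```
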


-----Original Message-----
From: J. Yoon [mailto:supercool9000 () hotmail com]
Sent: January 6, 2004 04:28
To: security-basics () securityfocus com
Subject: RE: XP password and encryption



1) What are the pros and cons of turning off NTLM on my XP box?

2) Aside from the obvious, what does IPSEC encryption do to make
things more secure?
    For example, which layers does this protocol work at and could it
ever interfere with any existing settings/applications due to backward
compatibility issues?

3) IPv6's supposedly the solution to the "running out of IP addresses
problem". Sorry if this is a dumb Q, but if the job of assigning IP
addy's is up to the authorities... how exactly is IPv6 configurable /
useful to avg joe users like you and me...
For example, I think I saw references to IPv6 within XP control-panel /
network settings
what exactly can we do with it?


Note that you also have the option of requiring
IPSEC encryption of all local client/server traffic, and this too is
a good thing.

3/a/b)  Check out Kerberos; it might be able to do what you want.
