
> You have to specifically enable it on newest Windows platforms, because afaik it has been disabled by default for some 5+ years now.

No you don't have to specifically enable it, it's still enabled (by default).

Completely disabling NTLM on a network would be a large project and not even Microsoft recommend that because the security gains are relatively small.

(See microsoft.com/pth for their comprehensive credential security guidance)




By default, Kerberos will fail back to NTLM when:

* Authenticating against a pre-NT 4.0 server
* Accessing a domain resource via IP
* Accessing a resource on a non-domain member
* Accessing a resource on a computer that does not support Kerberos (Windows 3.11, Windows 95, etc.)

It's trivial to force this downgrade on most domains.
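Added example, not part of either comment above: one way to measure how much NTLM fallback actually happens on a domain before trying to restrict it is to tally NTLM logons from Security event 4624. The records below are constructed samples that use that event's EventData field names; the host and account names are made up, and how the events are exported into dictionaries is left as an assumption.

```python
from collections import Counter

# Constructed sample records using the EventData field names of Security
# event 4624 (successful logon). Hosts, accounts and addresses are made up.
SAMPLE_EVENTS = [
    {"TargetUserName": "alice", "WorkstationName": "WS01", "IpAddress": "10.0.0.21",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"TargetUserName": "alice", "WorkstationName": "WS01", "IpAddress": "10.0.0.21",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"TargetUserName": "svc_backup", "WorkstationName": "NAS01", "IpAddress": "10.0.0.50",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"TargetUserName": "svc_backup", "WorkstationName": "NAS01", "IpAddress": "10.0.0.50",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "WS02", "IpAddress": "10.0.0.22",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
]


def ntlm_usage(events):
    """Count NTLM logons per (source host, account, NTLM version)."""
    usage = Counter()
    for ev in events:
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue  # not an NTLM logon
        user = ev.get("TargetUserName", "")
        if user.upper() == "ANONYMOUS LOGON":
            continue  # null sessions carry no credentials
        # Fall back to the source address when no workstation name was logged.
        host = ev.get("WorkstationName") or ev.get("IpAddress", "?")
        usage[(host, user.lower(), ev.get("LmPackageName", "-"))] += 1
    return usage


def ntlmv1_sources(usage):
    """Hosts that still authenticate with NTLMv1, the weakest variant."""
    return sorted({host for (host, _user, ver) in usage if ver == "NTLM V1"})


if __name__ == "__main__":
    usage = ntlm_usage(SAMPLE_EVENTS)
    for (host, user, ver), count in usage.most_common():
        print(f"{count:3d}  {host:8s} {user:12s} {ver}")
    print("NTLMv1 sources:", ntlmv1_sources(usage))
```

Accounts that show both Kerberos and NTLM logons from the same host, like `alice` in the sample, are the ones worth checking against the fallback conditions listed above.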



