Working on getting rid of NTLM V1 logons in an AD environment; I'm seeing lots of events, almost all from the user "ANONYMOUS LOGON" (4624 events), with the other 1 percent (also 4624 events) coming from a few users. So I have a few questions here.
> Is it better to disable "Anonymous Logon" (via GPO security settings) or to block "NTLM V1" connections? What are the risks of either or both? These logon events mostly come from other Microsoft member servers.
> Are anonymous logons 100% "NTLM V1"? I.e., if I see an anonymous logon, can I assume it is definitely using NTLM V1?
> What exactly is the difference between anonymous logon events 540 and 4624?
> Note: functional level is 2008 R2
Let me know if any other information is needed.
Your question, whether it is better to "disable Anonymous Logon (via GPO security settings) or block NTLM V1", is not a very good question, because the two things are not mutually exclusive. You can do both, neither, or just one, and to varying degrees. There are a lot of shades of grey here; you can't condense it into black and white.
Disabling NTLMv1 is generally a good idea. It is done via the LmCompatibilityLevel registry setting or via Group Policy. Note that the same setting has slightly different behavior depending on whether the computer is a domain controller or a domain member.
http://technet.microsoft.com/en-us/library/cc960646.aspx
The potential risk of disabling NTLMv1 here is breaking backwards compatibility with very old Windows clients, and more likely with non-Microsoft clients that don't use NTLMv2. You'll have to test those. Any reasonably modern and patched version of Windows will handle NTLMv2 with session security with zero problems (we're talking anything Server 2000 or better).
Disabling anonymous logon is another matter entirely. You can disable the ability of anonymous users to enumerate shares, SAM accounts, registry keys, any of those things, all of them, or some combination. The more you restrict anonymous logon, the more you would assume you increase your security posture, while losing ease of use and convenience. (E.g., your users may not be able to enumerate file or print shares on a server, etc.)
So you can't really say which one is better. They are two different mechanisms that accomplish two very different things.
Event 540 is specific to "network" logons, e.g. a user connecting to a shared folder or printer over the network. It is also a Win 2003-style event ID. You can tell because it only has 3 digits. The corresponding event in Vista/2008 was converted to a 4-digit ID:
Eric Fitzgerald said: I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and between the "new" security event IDs (4xxx-5xxx) in Vista and beyond.
In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03.
The exceptions are the logon events. The logon success events (540, 528) were collapsed into a single event 4624 (= 528 + 4096). The logon failure events (529-537, 539) were collapsed into a single event 4625 (= 529 + 4096).
Other than that, there are cases where old events were deprecated (IPsec IIRC), and there are cases where new events were added (DS Change). These are all new instrumentation and there is no "mapping" possible; e.g. the new DS Change audit events are complementary to the old DS Access events; they record something different than the old events, so you can't say that the old event xxx = the new event yyy, because they aren't equivalent. The old event means one thing and the new event means another thing; they represent different points of instrumentation in the OS, not just formatting changes in the event representation in the log.
Of course I explained earlier why we renumbered the events, and (in the same place) why the difference is "+4096" instead of something more human-friendly like "+1000". The bottom line is that the event schema is different, so by changing the event IDs (and not re-using any), we force existing automation to be updated rather than just misinterpreting events when the automation doesn't know the version of Windows that produced the event. We realized it would be painful, but it is nowhere near as painful as if every event consumer had to be aware of, and have special casing for, pre-Vista events and post-Vista events with the same IDs but different schema.
So if you happen to know the pre-Vista security events, then you can quickly translate your existing knowledge to Vista by adding 4000, adding 100, and subtracting 4. You can do this in your head.
However, if you're trying to implement some automation, you should avoid trying to make a chart with "=Vista" columns of event ID numbers, because this will likely result in mis-parsing one set of events, and because you'll find it frustrating that there is not a 1:1 mapping (and in some cases no mapping at all).
Eric
http://blogs.msdn.com/b/ericfitz/archive/2009/06/10/mapping-pre-vista-security-event-ids-to-security-event-ids-in-vista.aspx
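As an added example (not part of the original answer or of Eric Fitzgerald's post), the Python below does two things the answer describes: it translates WS03-era security event IDs with the "+4096" rule and its collapsed logon-event exceptions, and it pulls the "Package Name (NTLM only)" field out of 4624 event text so that "anonymous logon" and "NTLM V1 logon" are counted separately instead of being assumed to be the same thing. The sample event bodies are constructed and abridged to the fields the parser reads.

```python
import re
from collections import Counter

# Exceptions to the "+4096" rule: the WS03 logon events were collapsed (see the quoted post).
_SUCCESS_OLD = {528, 540}                    # both became 4624
_FAILURE_OLD = set(range(529, 538)) | {539}  # all became 4625

def ws03_to_ws08(event_id: int) -> int:
    """WS03-era security event ID -> Vista/2008 ID, for events that do have a mapping."""
    if event_id in _SUCCESS_OLD:
        return 4624
    if event_id in _FAILURE_OLD:
        return 4625
    return event_id + 4096

# Field labels as they appear in the text of a Vista+ 4624 event.
_FIELD = re.compile(r"^\s*(Account Name|Logon Type|Authentication Package|"
                    r"Package Name \(NTLM only\)):\s*(.*?)\s*$", re.M)

def parse_4624(body: str) -> dict:
    """Extract who logged on and which NTLM version was used from one 4624 event body.
    'Account Name' appears twice (Subject, then New Logon); dict() keeps the last match,
    i.e. the New Logon account, which is the one that actually logged on."""
    f = dict(_FIELD.findall(body))
    return {"account": f.get("Account Name", "?"),
            "logon_type": f.get("Logon Type", "?"),
            "package": f.get("Authentication Package", "?"),
            "ntlm": f.get("Package Name (NTLM only)", "-")}

def summarize(bodies) -> Counter:
    """Count logons by (anonymous vs. named account, NTLM version or auth package)."""
    c = Counter()
    for e in map(parse_4624, bodies):
        who = "ANONYMOUS" if e["account"].upper() == "ANONYMOUS LOGON" else "named"
        how = e["ntlm"] if e["package"] == "NTLM" else e["package"]
        c[(who, how)] += 1
    return c

# Constructed, abridged 4624 bodies (not real log data): anonymous logons are NOT all NTLM V1,
# and a named user can still be on NTLM V1; the "Package Name (NTLM only)" field decides.
SAMPLE = [
    "Subject:\n Account Name: SRV01$\nLogon Type: 3\nNew Logon:\n Account Name: ANONYMOUS LOGON\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): NTLM V1\nKey Length: 0",
    "Subject:\n Account Name: -\nLogon Type: 3\nNew Logon:\n Account Name: ANONYMOUS LOGON\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): NTLM V2\nKey Length: 128",
    "Subject:\n Account Name: -\nLogon Type: 3\nNew Logon:\n Account Name: jdoe\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): NTLM V1\nKey Length: 128",
    "Subject:\n Account Name: -\nLogon Type: 3\nNew Logon:\n Account Name: jdoe\n"
    "Authentication Package: Kerberos\nPackage Name (NTLM only): -\nKey Length: 0",
]

if __name__ == "__main__":
    for (who, how), n in sorted(summarize(SAMPLE).items()):
        print(f"{who:10} {how:10} {n}")
```

On a real system the same fields can be read from the Security log (e.g. exported 4624 events) and fed to summarize() to see which named accounts still negotiate NTLM V1 before raising LmCompatibilityLevel.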