> From: Jacques A. Vidrine [mailto:[EMAIL PROTECTED]] > Sent: Thursday, January 31, 2002 6:15 AM > To: Andreas Hasenack; [EMAIL PROTECTED] > Subject: Re: Paper about kerberos' password security
[...] > Only if the KDC is correctly configured, which it probably is not. > MIT, Heimdal, and Windows 2000 implementations default with no pre- > authentication turned on.[1] Also, even if preauthentication is on, > one can still abuse the TGS exchange to get the material needed for a > dictionary attack, unless the KDC administrator has been careful. [...] > [1] How do you tune W2K to require preauthentication? The Win2K KDC requires preauth by default. It can be configured to selectively NOT require preauth on an account-by-account basis by adding the UF_DONT_REQUIRE_PREAUTH flag to the user's userAccountControl field. The MMC users and computers snapin has a checkbox for this, if memory serves.
