0

Setup

We're running a Win2k3 network with mostly XP clients, one Win2k client, and two Win98 clients.

Question * 1.5

If we ditch our two Win98 clients, replacing them with XP clients, which exact features can we disable on the server, what benefits are there, and how do we disable them 'properly' so as to glean said benefits? If we replaced our Win2k client, would that allow us to disable anything else of significance?

Possibly-skippable background info

We've been having general intermittent network issues lately even within the server itself (i.e., from the server to a Linux VM running within the server) so I know there must be some non-hardware factor.

Our Win98 boxen have always randomly dropped connections to our MSSQL server every few days or so, but then been fine immediately after. Lately we're having such problems that PostgreSQL service starts choking and taking down our whole web service--and it has nothing to do with a particular query being run.

One site suggested disabling NetBIOS if you didn't need it. Other sites claimed it wasn't strictly required by Win98, but I think with our particular configuration, it is, because that prevented our Win98 boxen from being able to see our server, even by trying to browse \\1.2.3.4\ (oddly enough, to me, anyway.)

Kev
  • I know there are some features you could disable on a Samba server, but I don't know how you would disable them on a Windows server, or if it's even possible. – Brad Gilbert Nov 22 '10 at 14:27

1 Answer

4

If we ditch our two Win98 clients, replacing them with XP clients, which exact features can we disable on the server, what benefits are there...

How about removing two malware magnets from your network? That's a pretty strong benefit IMO.

You can also force NTLMv2 authentication, making it a lot tougher to crack your passwords in Active Directory. NetBIOS can go, but that might break some network devices (had a bad experience with some network fax appliance that only used NetBIOS).

As per comment by sysadmin1138:

The LM/NTLM/NTLMv2 policy is set through either the Local Policy MMC, or on a GPO. Down there under "Network Authentication". Yours is probably set to "LM & NTLM, Use NTLMv2 if negotiated". With win98 going away you can set it to "Use NTLMv2 only, deny LM & NTLM", which should tell the DCs (or the servers) to not store the LM hashes after the next password change.

gravyface
  • The two malware magnets are not used for anything Internet-related. They're just terminals dedicated to an old app of ours. – Kev Nov 22 '10 at 14:54
  • Are they restricted at the firewall from accessing the Internet though? I wouldn't even want them on the same network as my other workstations. – gravyface Nov 22 '10 at 14:58
  • Good point on the fax appliance, I'll have to check ours. It shouldn't break any XP machines or their apps, though, right? – Kev Nov 22 '10 at 14:58
  • It shouldn't, but as with any hardening changes, do one thing at a time, watch the event log and see how it goes for a few days or so before changing anything else. – gravyface Nov 22 '10 at 14:59
  • 1
    Disabling LM and NTLM are the biggest wins by booting the last Win98 machines from your network. Gravyface said it first, and I'm drawing an underline under it. We had to have those turned on for longer than we had Win9x thanks to certain key web-servers running an old enough Samba version to need NTLM support. Later versions support NTLMv2, so when we finally upgraded the web-server we were able to ditch LM and NTLM in the domain. – sysadmin1138 Nov 22 '10 at 14:59
  • @gravyface, I'm not sure, but in this case the culture is pretty strong in keeping people from surfing there. It's meant for 5-second stops in a high-traffic area with two supervisors working right next to it. The other one is similar. – Kev Nov 22 '10 at 15:03
  • So how do you disable them completely? – Kev Nov 22 '10 at 15:04
  • Yeah, it's scary how quickly you can break an NTLM hash (without huge rainbow tables either). – gravyface Nov 22 '10 at 15:04
  • 1
    @Kev The LM/NTLM/NTLMv2 policy is set through either the Local Policy MMC, or on a GPO. Down there under "Network Authentication". Yours is probably set to "LM & NTLM, Use NTLMv2 if negotiated". With win98 going away you can set it to "Use NTLMv2 only, deny LM & NTLM", which should tell the DCs (or the servers) to not store the LM hashes after the next password change. – sysadmin1138 Nov 22 '10 at 15:10
  • Thanks! If I had edit privs I'd consolidate that into gravyface's answer. +1 instead :) – Kev Nov 22 '10 at 15:11
  • @Kev: I'll add that. – gravyface Nov 22 '10 at 15:30
  • This seems to have worked very well! Many thanks! – Kev Nov 30 '10 at 01:26
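The policy the answer and comments describe is backed by two registry values under the LSA key, and it helps to check what a box is actually at before and after a GPO change. The script below is an added example, not code from the answer or any of the posters: it reads `LmCompatibilityLevel` (the "LAN Manager authentication level" policy; 5 is "Send NTLMv2 response only. Refuse LM & NTLM", the setting sysadmin1138 recommends) and `NoLMHash` (the separate "Do not store LAN Manager hash value on next password change" policy, which is what actually stops new LM hashes being written). Both value names are real; the function names, the assumption that PowerShell is installed on the Win2k3/XP machine, and the `-WhatIf` usage are mine.

```powershell
# Added example (not from the original answer). Assumes PowerShell is available on
# the Windows Server 2003 / XP host and that it is run with rights to read HKLM.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value, as shown in the Security Options UI.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthSetting {
    # Reads both LSA values and reports them in plain language.
    $props = Get-ItemProperty -Path $LsaKey

    # A missing value means the OS default applies (2 on Server 2003, 0 on XP).
    $level = $null
    if ($null -ne $props.LmCompatibilityLevel) { $level = [int]$props.LmCompatibilityLevel }
    $levelName = 'not set (OS default applies)'
    if ($null -ne $level) { $levelName = $LevelNames[$level] }

    # NoLMHash=1 stops the LM hash being stored at the next password change.
    $noLmHash = 0
    if ($null -ne $props.NoLMHash) { $noLmHash = [int]$props.NoLMHash }

    New-Object PSObject -Property @{
        LmCompatibilityLevel     = $level
        LevelName                = $levelName
        NoLMHash                 = $noLmHash
        LmHashStillStored        = ($noLmHash -ne 1)
        AcceptsLmOrNtlmV1        = (($null -eq $level) -or ($level -lt 5))
    }
}

function Set-NtlmV2Only {
    # Hardened setting from the comments: refuse LM and NTLMv1, and stop storing
    # LM hashes. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set LmCompatibilityLevel=5 and NoLMHash=1')) {
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
        Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
    }
}

# Usage: audit first, preview the change, then apply without -WhatIf.
Get-LmAuthSetting | Format-List
Set-NtlmV2Only -WhatIf
```

Two practical notes. In a domain, set these through the GPO (Default Domain Controllers Policy for the DCs, a workstation GPO for the XP clients) rather than by editing the registry directly, because Group Policy will overwrite a local edit on the next refresh; the script is then useful for confirming the GPO landed on each box. And `NoLMHash` only affects hashes written from the next password change onward, so existing LM hashes stay in the directory until every account changes its password, which is why the comment says "after the next password change".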