SOLVED Accessing shared network folder FROM Windows 7/8 cannot be done with wrong time

[c627627]

Correct.

Which is more important, to set Win2K higher or to set Win8 registry higher? Isn't changing Win2K default 0 to 4 an improvement?

Is the goal to set both machines to 5?

I have to wait until tomorrow to test as my fam went to bed.

 

[cullam3n]

The goal should be to have both machines at 3 at the minimum.

 

[c627627]

First of all, shocker, Windows 8 with registry mod removed, is able to access Windows 9x/Me.

Remember, it was able to access Win2K machine 1 (but not Win2K machine 2) without reg hack too.


This means that, for some reason, the registry mod is only necessary to actually access Win2K machine 2.

I will now experiment with 3 on it.

 

[cullam3n]

Does Win2k 1 have that registry key in it?

Moreover, it both are patched the same, they should act the same way. There has to be a difference somewhere.

 

[c627627]

Win2K default was 0 on both Win2K machines. I agree that something is different.

But I know that Win2K machine 2 can only be accessed if reg edit is done on Win8 and nothing changed on Win2K. Or if Win2K is set to 4, that also works, but only if Win8 is set to 2.

 

[c627627]

All right, here's the deal, I can set Win2K to 3 or to 4

BUT Win8 can ONLY access [Win2K set to anything, except 5] if Win8 is set to 2.


So the moment you move Win8 up to 3 or higher, you get that password prompt.


Therefore, once again, Win2K can be set to anything except 5 (so why not set it to 4?)


And Windows 8 can only be set to 1 or 2, regardless of what Win2K is set to.


So in these circumstances, I am assuming that Win2K [4] - Win8 [2] combo is best?



Should I change all Win2K machines routinely from their default 0 to 4? Even the ones that work without any mods required? 4 makes them safer, right? So should 4 be part of every Win2K setting?


[P.S. Up there you mentioned that Win2K default is 2, it is actually 0.]

 

[cullam3n]

Odd indeed.

So here is the technical paper on exactly how this protocol works http://msdn.microsoft.com/en-us/library/cc236621.aspx

Quite lengthy but give me some time to go through it. It does say that Windows 7 default is 3 though so I would assume Windows 8 would be the same.

edit: just saw your above post. Yes ideally they should all be set to 3+.

Also random thought. Are they all set to the same time? I believe that NTLMv2 will not work correctly if the time is -+ 30 minutes from each other. (Check to see too if they are on the same time but have different time zones)

And yes I was wrong up there

The default level value for LmCompatibilityLevel for each version of Windows is as follows:
Windows XP: 0
Windows 2003: 2
Vista/2008 3
Win7/2008 R2 3

 

[c627627]

Interesting that re time. EDIT: BINGO it was the time.

Since the machines in question contain nothing important, I would rather have them work than be secure.


I am willing to experiment anything anyone asks, but I am deciding not to change anything on any Win9x/Me/2000 machines.


So the most important question is this: By setting Win8 to 2, does that in any way affect Win8 itself? Is that setting solely for the purpose of accessing OTHER machines.

Meaning, if I make Win8 [2] part of my permanent Win8 image, this would allow connection to rogue Win2K machine, but I don't want to do it if it affects Win8's security in any way, so does it?

 

[cullam3n]

I found that here http://www.websense.com/support/article/kbarticle/How-do-I-Check-NTLM-Version-for-XID-Compatibility

What is the status of those in Win2k machines 1 and 2? Checked or unchecked?

edit: I jumped that gun, I believe that's from WIndows 2008, so that might not be available in 2000.

 

[cullam3n]

So the most important question is this: By setting Win8 to 2, does that in any way affect Win8 itself? Is that setting solely for the purpose of accessing OTHER machines.

Meaning, if I make Win8 [2] part of my permanent Win8 image, this would allow connection to rogue Win2K machine, but I don't want to do it if it affects Win8's security in any way, so does it?

Technically speaking, it is affecting WIn8 security. You are saying that regardless of anyone sending a LM/NTLM/NTLMv2 challenge or request to you, you are sending an NTLM response back, not NTLMv2. I don't think option 2 uses NTLMv2 if negotiated either.

The depth of this subject is new to me, so I apologize for making any mistakes

 

[c627627]

I understand.

This is good because if there is any doubt, the solution is simple.


Some, but not all older machines will ask for password when no password was set up, preventing access from Windows 8. If that happens, simply double click on this reg file under Windows 8:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000002


Then after finishing file transfer between Windows 8 and older machines, double click on this reg file to delete the added key necessary for file transfer between Windows 8 and older machines:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=-

 

[c627627]

OK OK OK

Hold everything. i just ran Atomic Clock http://www.worldtimeserver.com/atomic-clock/oldversion/atomic.exe to synchronize the system clock on Windows 2000.

and corrected the system clock times, and it worked without any mods. That was the difference between the machines, the clock was off on the problem Win2K machine!


Wow. So basically, this is now a solution that can be resolved under Windows 8 using the registry mod OR by simply MAKING SURE the system clock on the other machine is correct.

 

[cullam3n]

Ah ha! Random thoughts almost always are a good hunch

Knew it had to be a stupid issue like that if both of them are the same. I'm glad you finally have the solution.

 

[c627627]

Yeah, that's incredible that we didn't see this info anywhere else. I just did multiple tests on my quadruple boot.

If the system clock on an older machine is off, then neither Windows 7 nor Windows 8 can access the older machine without a registry mod. Windows Vista CAN do it and of course Windows XP and older also can without any registry modifications.


Thank you cullam3n, you guessed it!

 

[cullam3n]

You have already solved the problem, so the following is just gee-whiz information. Being the curious person I am, I went and pulled a few excerpts from the white paper I linked above that are relevant.

If NTLM v2 authentication is used and the
AUTHENTICATE_MESSAGE.NtChallengeResponse.TimeStamp (section 2.2.2.7) is more than
MaxLifetime (section 3.1.1.1) difference from the server time, then the server SHOULD return a
failure.<64>

If NTLM v2 authentication is used, the client SHOULD send the timestamp in the
CHALLENGE_MESSAGE. <42>

Timestamp in NTLM2

TimeStamp (8 bytes): A 64-bit unsigned integer that contains the current system time,
represented as the number of 100 nanosecond ticks elapsed since midnight of January 1,
1601 (UTC).

MaxLifetime

MaxLifetime: An integer that indicates the maximum lifetime for challenge/response pairs.<35>

<35> Section 3.1.1.1: In Windows NT 4.0 and Windows 2000, the maximum lifetime for the
challenge is 30 minutes. In Windows XP, Windows Server 2003, Windows Vista, Windows
Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012, the
maximum lifetime is 36 hours.