Learning Guide: Authentication

Robyn Lorusso, Editor

Authentication is a critical component of a secure Windows infrastructure, but without proper hardening, authentication can quickly become a target for hackers and crackers. In this guide you'll find overviews of authentication credentials and protocols, and in-depth expert advice on hardening authentication for user logon, remote access, wireless access and Web servers.

   Authentication basics
   Avoid weak authentication: LM, NTLM, NTLMv2
   Seek strong authentication: Kerberos
   Harden user logon
   Harden remote access authentication
   Harden wireless authentication
   Harden Web server authentication

  Authentication Basics

Authentication is the process of determining whether someone is in fact who he or she claims to be. In Windows, authentication is required for logon credentials and access to network resources in most systems above NT 4.0.

In private and public computer networks, including the Internet, authentication is commonly done through logon passwords. Other commonly used credentials include passphrases, smart cards, PIN numbers, tokens, biometrics and certificates.

In her book Hardening Windows Systems, Roberta Bragg explains that authentication in Windows systems is accomplished by providing an account name and credentials that match the information stored in an account database. Possession of the necessary credentials enables both authorized and unauthorized individuals to access a system. Authorization, which is different from authentication, is what you can do on a system once you have been authenticated.

The following sections will take you through protocols and methods to help ensure your authentication processes are secure.

  Avoid Weak Authentication: LM, NTLM, NTLMv2

NTLM (NT LAN Manager) is a challenge/response form of authentication that was the default network authentication protocol in Windows NT 4.0. It's also used in Windows 2000 for compatibility with earlier Windows versions and to authenticate logons to standalone computers. NTLM was developed for trusted network computing -- not commonly found today -- and supports three forms of authentication that are often targets for attack:

  • LM is the least secure form, and it is used to connect Windows 2000 Professional in share level security mode to file shares on Windows 95 and 98 computers.
  • NTLMv1 is more secure than LM, and it is used for Windows 2000 Professional computers to connect to Windows NT domain servers where all controllers are upgraded to Service Pack 3 or earlier.
  • NTLMv2 is the most secure of the three, and it is used for Windows 2000 Professional computers to connect to Windows NT domain servers where all controllers are upgraded to Service Pack 4 or later.

Since the days of Windows NT, Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM. See the next section for details.

If you haven't upgraded, the following resources will help you harden Windows against NTLM and LM weaknesses.
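The guide's advice above is to move off LM and NTLMv1. On a host that cannot be upgraded yet, the behaviour is governed by two registry values under the LSA key: LmCompatibilityLevel (0 to 5, which response types the client sends and which the server accepts) and NoLMHash (whether LM hashes of passwords are stored at all). The following PowerShell script is an added example, not code from the guide or from TechTarget; it audits both values against a baseline and offers a remediation function. The minimum level of 5 and the function names are assumptions chosen for this example; the value names, the key path and the meaning of each level are the documented ones.

```powershell
# Added example (not from the original guide): audit the LM/NTLM registry settings
# on a Windows host against a hardened baseline and offer a remediation function.
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (DWORD 0-5)
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash            (DWORD 0 or 1)
# The baseline level of 5 is an assumption made for this example.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meaning of each LmCompatibilityLevel value.
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmAuthSettings {
    # Reads the current values; a value that is absent is returned as $null (OS default applies).
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    [pscustomobject]@{
        LmCompatibilityLevel = $props.LmCompatibilityLevel
        NoLMHash             = $props.NoLMHash
    }
}

function Test-LmAuthHardening {
    param(
        [Parameter(Mandatory)] $Settings,
        [int] $MinimumLevel = 5   # assumption for this example: refuse LM and NTLMv1 entirely
    )
    $findings = @()
    $level = $Settings.LmCompatibilityLevel
    if ($null -eq $level -or [int]$level -lt $MinimumLevel) {
        $current = if ($null -eq $level) { 'not set (OS default)' } else { "$level ($($LevelMeaning[[int]$level]))" }
        $findings += "LmCompatibilityLevel is $current; expected at least $MinimumLevel ($($LevelMeaning[$MinimumLevel]))"
    }
    if ($Settings.NoLMHash -ne 1) {
        $findings += 'NoLMHash is not 1; LM hashes of newly set passwords will still be stored'
    }
    return $findings
}

function Set-LmAuthHardening {
    # Remediation; run as Administrator and reboot afterwards so LSA picks up the change.
    param([int] $Level = 5)
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
}

# Report only; remediation is deliberately left as an explicit, separate step.
$settings = Get-LmAuthSettings
$findings = Test-LmAuthHardening -Settings $settings
if ($findings.Count -eq 0) {
    Write-Output 'LM/NTLM settings meet the baseline.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    Write-Output 'Run Set-LmAuthHardening as Administrator and reboot to remediate.'
}
```

Two caveats worth knowing before applying the remediation: NoLMHash only stops LM hashes from being stored for passwords set after the change, so existing accounts keep their LM hash until the user changes the password; and level 5 refuses LM and NTLMv1 outright, which is exactly what breaks the Windows 95/98 file shares and pre-SP4 NT domain controllers listed above, so those systems need to be upgraded or retired first, as the guide recommends.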

  Seek Strong Authentication: Kerberos

In Greek mythology Kerberos is a three-headed dog guarding the entrance to the underworld. In Windows terminology, Kerberos refers to the authentication protocol that is now default in enterprise Windows 2000 environments, according to Jan De Clercq's book Windows Server 2003 security infrastructures. Every Windows 2000, Windows XP and Windows Server 2003 OS platform includes a client Kerberos authentication provider. Kerberos is considered a strong authentication protocol -- considerably stronger than NTLM -- and it was designed to thwart many known attacks on authentication systems.

The following resources will help you better understand Kerberos and make the most of it.

  Harden User Logon

Your own users are often a major cause of authentication weaknesses. Creating a weak password, sharing credentials or writing down private account information are all ways in which sensitive information can be compromised, leading to unauthorized logons and insider hacks. Make sure you have the proper logon policies in place and harden your authentication credentials.

The following resources will help you harden user logon.

  Harden Remote Access Authentication

Whether you're working with Routing and Remote Access Server (RRAS) or trying to configure Internet Authentication Services (IAS), steps can be taken to protect remote access authentication from being compromised by man-in-the-middle attacks or unauthorized logins.

The following resources will help you harden remote access authentication in Windows 2003, XP and 2000.

  Harden Wireless Authentication

Setting up a wireless network may be relatively simple, but without strong authentication you are opening the door to outsiders who can easily gain access to your network. For starters, you can lock down wireless authentication using 802.1x, a group of evolving wireless local area network (WLAN) standards.

The following resources will help you harden authentication for wireless access.

  Harden Web Server Authentication

By design, most Web servers are open to the Internet, and therefore susceptible to hackers. Microsoft's Internet Information Server (IIS) needs to be properly configured and hardened according to how the server and its Web sites are used.

The following resources will help you harden authentication for IIS and Web applications.

More Information from

Get answers to all of your Windows authentication questions. Ask your peers for help in ITKnowledge Exchange or pose questions to Hardening Windows expert Roberta Bragg. Also check out the following resources.

Learning Guide: Access control
Topic Research: Windows NT Server authentication
Topic Research: Windows NT Desktop authentication
Topic Research: Windows 2000 Server authentication
Topic Research: Windows 2000 Professional authentication
Topic Research: Windows Server 2003 authentication
Topic Research: Windows XP Professional authentication
