• Login
• Become a member
• RSS
• Part of the TechTarget network

---

Authentication is a critical component of a secure Windows infrastructure, but without proper hardening, authentication can quickly become a target for hackers and crackers. In this SearchWindowsSecurity.com guide you'll find overviews of authentication credentials and protocols, and in-depth expert advice on hardening authentication for user logon, remote access, wireless access and Web servers.

TABLE OF CONTENTS
   Authentication basics
   Avoid weak authentication: LM, NTLM, NTLMv2
   Seek strong authentication: Kerberos
   Harden user logon
   Harden remote access authentication
   Harden wireless authentication
   Harden Web server authentication

Authentication Basics

Return to Table of Contents

Authentication is the process of determining whether someone is in fact who he or she claims to be. In Windows, authentication is required for logon credentials and access to network resources in most systems above NT 4.0.

In private and public computer networks, including the Internet, authentication is commonly done through logon passwords. Other commonly used credentials include passphrases, smart cards, PIN numbers, tokens, biometrics and certificates.

In Roberta Bragg's book, Hardening Windows Systems, she explains that authentication In Windows systems is accomplished by providing an account name and credentials that match the information stored in an account database. Possession of the necessary credentials enables both authorized and unauthorized individuals to access a system. Authorization – different from authentication – is what you can do on a system once you have been authenticated.

The following sections will take you through protocols and methods to help ensure your authentication processes are secure.

Avoid Weak Authentication: LM, NTLM, NTLMv2

Return to Table of Contents

NTLM (NT LAN Manager) is a challenge/response form of authentication that was the default network authentication protocol in Windows NT 4.0. It's also used in Windows 2000 for compatibility with earlier Windows versions and to authenticate logons to standalone computers. NTLM was developed for trusted network computing -- not commonly found today -- and supports three forms of authentication that are often targets for attack:

• LM is the least secure form, and it is used to connect Windows 2000 Professional in share level security mode to file shares on Windows 95 and 98 computers.
  
• NTLMv1 is more secure than LM, and it is used for Windows 2000 Professional computers to connect to Windows NT domain servers where all controllers are upgraded to Service Pack 3 or earlier.
• NTLMv2 is the most secure of the three, and it is used for Windows 2000 Professional computers to connect to Windows NT domain servers where all controllers are upgraded to Service Pack 4 or later.

Since the days of Windows NT, Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM. See the next section for details.

If you haven't upgraded, the following resources will help you harden Windows against NTLM and LM weaknesses.

• Checklist: Remove LM hashes and move to NTLM to harden authentication
• Expert Response: Why you need to eliminate LM hashes
• White Paper: Admin checklist for hardening Microsoft Windows NT
• White Paper: Admin checklist for hardening Windows 2000

Seek Strong Authentication: Kerberos

Return to Table of Contents

In Greek mythology Kerberos is a three-headed dog guarding the entrance to the underworld. In Windows terminology, Kerberos refers to the authentication protocol that is now default in enterprise Windows 2000 environments, according to Jan De Clercq's book Windows Server 2003 security infrastructures. Every Windows 2000, Windows XP and Windows Server 2003 OS platform includes a client Kerberos authentication provider. Kerberos is considered a strong authentication protocol -- considerably stronger than NTLM -- and it was designed to thwart many known attacks on authentication systems.

The following resources will help you better understand and maximize Kerberos' usages.

• Book Excerpt: Kerberos advantages
• Book Excerpt: Kerberos: The basic protocol
• Book Excerpt: Logging on to Windows using Kerberos: Single domain environment
• Book Excerpt: Logging on to Windows using Kerberos: Multiple domain environment
• Book Excerpt: Logging on to Windows using Kerberos: Multiple forest logon process
• Book Excerpt: Advanced Kerberos topics: Delegation of authentication
• Book Excerpt: Advanced Kerberos topics: From authentication to authorization
• Book Excerpt: Advanced Kerberos topics: Kerberized applications
• Book Excerpt: Kerberos configuration
• Book Excerpt: Kerberos and authentication troubleshooting
• Book Excerpt: Kerberos interoperability
• White Paper: Windows 2000 RSVP/Kerberos user authentication interoperability

Harden User Logon

Return to Table of Contents

Your own users are often a major cause of authentication weaknesses. Creating a weak password, sharing credentials or writing down private account information are all ways in which sensitive information can be compromised, leading to unauthorized logons and insider hacks. Make sure you have the proper logon policies in place and harden your authentication credentials.

The following resources will help you harden user logon.

• Checklist: Hardening user passwords
• Checklist: Key control settings to harden password authentication
• Checklist: Seven steps to properly set account lockout
• Checklist: Restrict access to prevent insider hacks
• Tip: Password policy considerations
• Tip: Windows password creation
• Tip: Password authentication and protection
• Tip: Centrally tracking user logon attempts
• Tip: How to crack a password
• Expert Response : Passphrases vs. Passwords
• Expert Response: Are Windows 2000 server passwords checked against a flat file?
• Expert Response: Bypassing the logon password on Windows 2000 Pro
• Expert Response: How can I set a legal notice to appear at logon?
• Expert Response: Disabling the default Windows password filter
• Expert Response: Installing Certification Authority on a domain controller?
• Expert Response: Best security practices for creating/changing user names/IDs
• White Paper: Windows 2000 and NT logon security

Harden Remote Access Authentication

Return to Table of Contents

Whether you're working with Routing and Remote Access Server (RRAS) or trying to configure Internet Authentication Services (IAS), steps can be taken to protect remote access authentication from being compromised by man-in-the-middle attacks or unauthorized logins.

The following resources will help you harden remote access authentication in Windows 2003, XP and 2000.

• Tip: Preventing access to your LAN
• Tip: Simple VPN authentication choices
• Expert Response: How to block a non-company laptop from infecting the network
• Expert Response: Using RRAS and NAT to share Internet access and restrict user logon duration
• Expert Response: Using Group Policy to specify Remote Desktop permissions
• Book Excerpt: How network access quarantine works
• Book Excerpt: Six steps for deploying Network Access Quarantine Control
• Book Excerpt: VPN design issues for L2TP/IPSec
• Book Excerpt: VPN protocol choices
• Book Excerpt: PPTP
• Book Excerpt: L2TP/IPSec
• Book Excerpt: L2TP over IPSec and NAT -- NAT-traversal
• White Paper: RADIUS protocol security and best practices
• White Paper: Using IPsec in Windows 2000 and XP
• White Paper: Deploying Windows Server 2003 IAS with VLANs
• White Paper: Internet Authentication Service for Windows 2000
• White Paper: Enterprise deployment of wireless and remote access with Internet Authentication Service
• White Paper: How to build secure LANs with IPSec

Harden Wireless Authentication

Return to Table of Contents

Setting up a wireless network may be relatively simple, but without strong authentication you are opening the door to outsiders who can easily gain access to your network. For starters, you can lock down wireless authentication using 802.1x, a group of evolving wireless local area network (WLAN) standards.

The following resources will help you harden authentication for wireless access.

• Article: The most serious challenges in securing wireless networks
• Tip: Five reasons to deploy IPSec policies on your network
• Tip: Best practices for implementing IPSec policies
• Tip: Securing teleworker wireless LANs
• Expert Response: Prevent unauthorized systems from accessing your network with 802.1x
• Expert Response: Prevent being hacked while utilizing Wi-Fi LAN
• Expert Response: Support for Wi-Fi protected access
• Expert Response: Securing a network through wireless APs
• Book Excerpt: Securing wireless communications
• Book Excerpt: Standard wireless security options
• Book Excerpt: Standard wireless security options plus fire walling
• Book Excerpt: Add 802.1x technology
• Book Excerpt: Windows .NET Server wireless network (IEEE 802.11) policies

Harden Web Server Authentication

Return to Table of Contents

By design, most Web servers are open to the Internet, and therefore susceptible to hackers. Microsoft's Internet Information Server (IIS) needs to be properly configured and hardened according to how the server and its Web sites are used.

The following resources will help you harden authentication for IIS and Web applications.

• Tip: IIS authentication methods: What and when
• Tip: HTTP basic authentication
• Tip: Heads up on Web-based certificate mapping
• Tip: How to estimate number of anonymous users on a Web site
• Expert Response: How to restrict access to certain sections of our company's intranet
• Expert Response: Security measures to take with PSTN connections
• Expert Response: Pros and cons of using a proxy server
• Expert Response: How to secure OWA access over the Internet
• Expert Response: Implementing system/account delegation within an application built using ASP.NET
• White Paper: Technical overview of Internet Information Services (IIS) 6.0
• White Paper: Securing IIS: How to implement a secure IIS Web server
• White Paper: Security in the Microsoft .NET framework
• White Paper: Security at the next level: Are your Web applications vulnerable?
• White Paper: Application security challenges and solutions

---

More Information from SearchWindowsSecurity.com

Get answers to all of your Windows authentication questions. Ask your peers for help in ITKnowledge Exchange or pose questions to Hardening Windows expert Roberta Bragg. Also check out the following resources.

Learning Guide: Access control
Topic Research: Windows NT Server authentication
Topic Research: Windows NT Desktop authentication
Topic Research: Windows 2000 Server authentication
Topic Research: Windows 2000 Professional authentication
Topic Research: Windows Server 2003 authentication
Topic Research: Windows XP Professional authentication

---

Join the conversationComment

All Rights Reserved,Copyright 2008 - 2013, TechTarget