Learning Guide: Authentication
Authentication is a critical component of a secure Windows infrastructure, but without proper hardening, authentication can quickly become a target for hackers and crackers. In this SearchWindowsSecurity.com guide you'll find overviews of authentication credentials and protocols, and in-depth expert advice on hardening authentication for user logon, remote access, wireless access and Web servers.
TABLE OF CONTENTS
Avoid weak authentication: LM, NTLM, NTLMv2
Seek strong authentication: Kerberos
Harden user logon
Harden remote access authentication
Harden wireless authentication
Harden Web server authentication
Authentication is the process of determining whether someone is in fact who he or she claims to be. In Windows, authentication is required for logon credentials and access to network resources in most systems above NT 4.0.
In private and public computer networks, including the Internet, authentication is commonly done through logon passwords. Other commonly used credentials include passphrases, smart cards, PIN numbers, tokens, biometrics and certificates.
In her book Hardening Windows Systems, Roberta Bragg explains that authentication in Windows systems is accomplished by providing an account name and credentials that match the information stored in an account database. Possession of the necessary credentials enables both authorized and unauthorized individuals to access a system. Authorization – different from authentication – is what you can do on a system once you have been authenticated.
The following sections will take you through protocols and methods to help ensure your authentication processes are secure.
NTLM (NT LAN Manager) is a challenge/response form of authentication that was the default network authentication protocol in Windows NT 4.0. It's also used in Windows 2000 for compatibility with earlier Windows versions and to authenticate logons to standalone computers. NTLM was developed for trusted network computing -- not commonly found today -- and supports three forms of authentication that are often targets for attack:
- LM is the least secure form, and it is used to connect Windows 2000 Professional in share level security mode to file shares on Windows 95 and 98 computers.
- NTLMv1 is more secure than LM, and it is used for Windows 2000 Professional computers to connect to Windows NT domain servers where all controllers are at Service Pack 3 or earlier.
- NTLMv2 is the most secure of the three, and it is used for Windows 2000 Professional computers to connect to Windows NT domain servers where all controllers are upgraded to Service Pack 4 or later.
Since the days of Windows NT, Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM. See the next section for details.
If you haven't upgraded, the following resources will help you harden Windows against NTLM and LM weaknesses.
In Greek mythology, Kerberos is a three-headed dog guarding the entrance to the underworld. In Windows terminology, Kerberos refers to the authentication protocol that is now the default in enterprise Windows 2000 environments, according to Jan De Clercq's book Windows Server 2003 Security Infrastructures. Every Windows 2000, Windows XP and Windows Server 2003 OS platform includes a client Kerberos authentication provider. Kerberos is considered a strong authentication protocol -- considerably stronger than NTLM -- and it was designed to thwart many known attacks on authentication systems.
The following resources will help you better understand Kerberos and make the most of it.
Your own users are often a major cause of authentication weaknesses. Creating a weak password, sharing credentials or writing down private account information are all ways in which sensitive information can be compromised, leading to unauthorized logons and insider hacks. Make sure you have the proper logon policies in place and harden your authentication credentials.
The following resources will help you harden user logon.
Setting up a wireless network may be relatively simple, but without strong authentication you are opening the door to outsiders who can easily gain access to your network. For starters, you can lock down wireless authentication using 802.1x, a group of evolving wireless local area network (WLAN) standards.
The following resources will help you harden authentication for wireless access.
By design, most Web servers are open to the Internet, and therefore susceptible to hackers. Microsoft's Internet Information Server (IIS) needs to be properly configured and hardened according to how the server and its Web sites are used.
The following resources will help you harden authentication for IIS and Web applications.