NTLM and Kerberos

PC Repair Tools

Advanced Registry Cleaner PC Diagnosis and Repair

Get Instant Access

Early Microsoft networking clients utilized LAN Manager authentication to provide user authentication for network access to resources. Windows NT 4.0 evolved from the LAN Manager network operating system. For backward compatibility, Windows NT 4.0 uses a version of LAN Manager authentication known as LAN Manager challenge/response as well as Windows NT challenge/response, known as NTLM for more recent systems. NTLM authentication is significantly stronger than LM authentication. Whether Windows NT is communicating with LM-only systems or systems capable of NTLM authentication, Windows NT will use both authentication methods. SP 4 for Windows NT 4.0 introduced a new version of Windows NT challenge/response authentication known as NTLM v2. Forcing NT 4.0 systems to use NTLM or NTLM v2 significantly increases the difficulty involved in brute-force or dictionary attacks against network password hashes. To take advantage of NTLM v2 authentication or to just disable LM authentication, your Windows NT 4.0 system requires SP 4 to be installed, and a registry modification is also needed.

Cryptographic methods that were once considered strong eventually succumb to Moore's Law. Moore's Law has plotted the pace of technology for more than 25 years. As the power of computing equipment has rapidly increased, so too has the potential to break cryptography that was once considered strong. With advances in hardware capabilities, coupled with the increased availability of cracking tools, LAN Manager authentication encryption is quickly becoming more vulnerable to attack than the newer forms of encryption. LAN Manager authentication should be restricted or eliminated whenever possible. Although

Windows Server 2003 supports all versions of LAN Manager authentication in an effort to provide backward compatibility for clients that do not support newer authentication protocols, LAN Manager authentication is viewed as a security risk to any network.

If you are unable to eliminate LAN Manager authentication from your network, you can increase security by enabling support of NTLMv2 if possible. Password hash values can be removed from the network, resulting in increased network security by eliminating LM and NTLM v1 protocols from your enterprise.You can enable NTLMv2 support by doing the following:

■ Upgrade Windows NT 4.0 clients to a minimum of Service Pack 4 (SP4). SP4 is available via download from the Microsoft Web site at www.microsoft.com.

■ Install the directory services client on all client computers running Windows 95 or Windows 98.The directory services client is available from the Windows Server 2003 operating system CD.

■ Tighten the LAN Manager authentication policies used on your network. It is preferred to set Domain Group Policy for LAN Manager Authentication Level to Send NTLMv2 response only\refuse LM & NTLM.This policy is configured through the Microsoft Group Policy Management Console under Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.

Note_

The LAN Manager authentication protocol is considered weak because of the method used to encrypt the password. If a password is fewer than seven characters long, breaking down the LAN Manager protocol to extract the clear-text password is simplified because the last half of the LM hash follows the same predictable pattern. Hackers know and exploit this weakness. Programs exist for extracting the LM hash and decrypting it. The best practice, if possible, is to not use LM authentication and to not store the LM hash.

NTLM v2 is the preferred authentication protocol for older Microsoft clients.The preferred authentication mechanism for modern Microsoft network designs revolves around the use of Kerberos. Kerberos authentication, originally designed and developed by the Massachusetts Institute of Technology (MIT) as a solution to the problems associated with authenticating clients over untrusted and insecure network infrastructure, uses a three-headed approach to authentication. Clients, servers, and an intermediary server known as a Key Distribution Center (KDC) form the authentication infrastructure, mimicking the three-headed Kerberos of Greek mythology. Client/server communication is verified for authenticity, and timestamp techniques are used to circumvent the possibility of replay attacks.

Microsoft's selection of the open-standard Kerberos provides for limited interoperability with other, non-Microsoft operating systems.The interoperability is limited because Microsoft's interpretation of the open standard and a decision to send authorization information embedded in the Kerberos traffic cause the use of non-Microsoft operating systems to provide limited functionality compared to an all-Microsoft environment. It is possible to authenticate Linux, UNIX, and Mac OS X clients against Active Directory through the Kerberos protocol, providing for simplified network management in just such a heterogeneous environment.Table 4.6 illustrates the available authentication mechanisms for various Microsoft client operating systems.

Table 4.6 Authentication Mechanisms for Various Microsoft Client Operating Systems

Operating System

LAN Manager NTLM v1

NTLM v2

Kerberos

Windows 9x

Yes

Yes w/DS Client

Yes w/ DS

No

Client

Windows NT 4.0

Yes

Yes

Yes - SP 4

No

or higher

Windows 2000

Yes

Yes

Yes

Yes

Windows XP/2003

Yes

Yes

Yes

Yes

A chain is only as strong as its weakest link, and a network is only as secure as its weakest cryptographic-sensitive network traffic. Consequently, if your environment contains clients that cannot authenticate via the preferred Kerberos system, your network security will be diminished through the use of weaker NTLM or LM authentication traffic. As mentioned previously, Windows 95, Windows 98, and Windows NT 4.0 clients will utilize the weaker LM or NTLM v1 authentication protocol unless specific measures are taken. Windows 95 and Windows 98 clients require the installation of the Active Directory Client Extensions as well as registry modification to force NTLM v2 authentication. Windows NT 4.0 clients require a minimum of SP 4 (SP 6a is preferred) as well as installation of the Active Directory Client Extensions and registry modifications to force NTLM v2 authentication. Again, Windows 2000, Windows Server 2003, and Windows XP clients rely on Kerberos authentication in an Active Directory environment by default.

Configuring & Implementing...

Forcing Clients to Use NTLM v2 Authentication

Since Windows Server 2003 was designed to support legacy clients, the weakness of legacy client authentication protocols is a valid concern. In this exercise, we modify the registry to force NTLM v2 authentication, as opposed to the weaker LAN Manager or NTLM v1 authentication. This configuration should be applied to Windows 9x systems or Windows NT 4.0 systems with Service Pack 4 or newer applied. The Active Directory Client Extensions should also be installed.

1. Install the Microsoft Active Directory Client Extensions (available from the Windows 2000 Server CD-ROM).

2. From the Windows 98 client system, select Start | Run | and type regedit, then click OK.

3. Create an LSA registry key in the following registry key: HKEY_LOCAL_MACHINE | System | CurrentControlSet | Control | LSA, as shown in Figure 4.3.

Figure 4.3 Using the Registry Editor to Force NTLM v2

Authentication

Figure 4.3 Using the Registry Editor to Force NTLM v2

Authentication

4. From the menu bar, select Edit | New | DWORD value, and then enter the following information:

■ Value Name: LMCompatibility

Continued

■ Data Type: REG_DWORD

■ Value: 3 (valid range is 0-3)

5.

Adjusting the lmcompatibilitylevel registry key controls the type of challenge/response authentication that will be used. Table 4.7 lists the possible settings for the lmcompatibilitylevel registry key.

Table 4.7

Possible Registry Settings for the IMCompatibilitylevel Registry Key

Registry Key Value Effect of Registry Setting

Level 0

Send LM response and NTLM response; never use NTLM v2 session security

Level 1

Use NTLM v2 session security if negotiated

Level 2

Send NTLM authentication only

Level 3

Send NTLM v2 authentication only

Level 4

DC refuses LM authentication

Level 5

DC refuses LM and NTLM authentication (accepts only NTLM v2)

6.

Adjusting the registry value to 3 will force the client to use only NTLM v2.

Warning_

Incorrect use of the Registry Editor may cause serious problems that could require a reinstall of your operating system. Use the Registry Editor at your own risk.

Since we now have a better understanding of client operating systems supported in Windows Server 2003 and the benefits and drawbacks of each, it's time to move our sights from individual machines and focus on the bigger picture. In the next section, we will see where trust relationships come into play in an Active Directory design. We will also see why we need trust relationships, how default trust relationships are established within an Active Directory forest, and how certain fine-tuning can be executed to improve the performance of the default trust relationships.

Make sure you know the difference between Windows Server 2003's various LAN authentication mechanisms. At the very least, know the order from LAN Manager (the weakest) to Kerberos (the strongest) and which operating systems support each protocol.

First let's take a look at how authentication works within trusts and collaborative scenarios.

Was this article helpful?

+1 0

Responses

  • jarmo helminen
    Why ntlm authentication is vulnerable to attacks and how Kerberos overcomes it?
    3 years ago
  • simon dahlak
    When is kerberos authentication used VS NTLM on windows?
    1 year ago
  • anna white
    Which operating systems support ntlm v2?
    1 year ago
  • henry
    Where in the network diagram shown use kerberos server?
    10 months ago

Post a comment