Learning Guide: Authentication

By Robyn Lorusso, Editor, SearchWindowsSecurity.com
14 Jun 2005 | SearchWindowsSecurity.com

Digg This!

StumbleUpon

Del.icio.us

Authentication is a critical component of a secure Windows infrastructure, but without proper hardening, authentication can quickly become a target for hackers and crackers. In this SearchWindowsSecurity.com guide you'll find overviews of authentication credentials and protocols, and in-depth expert advice on hardening authentication for user logon, remote access, wireless access and Web servers.

TABLE OF CONTENTS
   Authentication basics
   Avoid weak authentication: LM, NTLM, NTLMv2
   Seek strong authentication: Kerberos
   Harden user logon
   Harden remote access authentication
   Harden wireless authentication
   Harden Web server authentication

Authentication Basics Return to Table of Contents

Authentication is the process of determining whether someone is in fact who he or she claims to be. In Windows, authentication is required for logon credentials and access to network resources in most systems above NT 4.0.
In private and public computer networks, including the Internet, authentication is commonly done through logon passwords. Other commonly used credentials include passphrases, smart cards, PIN numbers, tokens, biometrics and certificates.
In Roberta Bragg's book, Hardening Windows Systems, she explains that authentication In Windows systems is accomplished by providing an account name and credentials that match the information stored in an account database. Possession of the necessary credentials enables both authorized and unauthorized individuals to access a system. Authorization – different from authentication – is what you can do on a system once you have been authenticated.
The following sections will take you through protocols and methods to help ensure your authentication processes are secure.

Avoid Weak Authentication: LM, NTLM, NTLMv2 Return to Table of Contents

NTLM (NT LAN Manager) is a challenge/response form of authentication that was the default network authentication protocol in Windows NT 4.0. It's also used in Windows 2000 for compatibility with earlier Windows versions and to authenticate logons to standalone computers. NTLM was developed for trusted network computing -- not commonly found today -- and supports three forms of authentication that are often targets for attack:

LM is the least secure form, and it is used to connect Windows 2000 Professional in share level security mode to file shares on Windows 95 and 98 computers.

NTLMv1 is more secure than LM, and it is used for Windows 2000 Professional computers to connect to Windows NT domain servers where all controllers are upgraded to Service Pack 3 or earlier.
NTLMv2 is the most secure of the three, and it is used for Windows 2000 Professional computers to connect to Windows NT domain servers where all controllers are upgraded to Service Pack 4 or later.
Since the days of Windows NT, Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM. See the next section for details.
If you haven't upgraded, the following resources will help you harden Windows against NTLM and LM weaknesses.

Checklist: Remove LM hashes and move to NTLM to harden authentication
Expert Response: Why you need to eliminate LM hashes
White Paper: Admin checklist for hardening Microsoft Windows NT
White Paper: Admin checklist for hardening Windows 2000

Seek Strong Authentication: Kerberos Return to Table of Contents

In Greek mythology Kerberos is a three-headed dog guarding the entrance to the underworld. In Windows terminology, Kerberos refers to the authentication protocol that is now default in enterprise Windows 2000 environments, according to Jan De Clercq's book Windows Server 2003 security infrastructures. Every Windows 2000, Windows XP and Windows Server 2003 OS platform includes a client Kerberos authentication provider. Kerberos is considered a strong authentication protocol -- considerably stronger than NTLM -- and it was designed to thwart many known attacks on authentication systems.
The following resources will help you better understand and maximize Kerberos' usages.

Book Excerpt: Kerberos advantages
Book Excerpt: Kerberos: The basic protocol
Book Excerpt: Logging on to Windows using Kerberos: Single domain environment
Book Excerpt: Logging on to Windows using Kerberos: Multiple domain environment
Book Excerpt: Logging on to Windows using Kerberos: Multiple forest logon process
Book Excerpt: Advanced Kerberos topics: Delegation of authentication
Book Excerpt: Advanced Kerberos topics: From authentication to authorization
Book Excerpt: Advanced Kerberos topics: Kerberized applications
Book Excerpt: Kerberos configuration
Book Excerpt: Kerberos and authentication troubleshooting
Book Excerpt: Kerberos interoperability
White Paper: Windows 2000 RSVP/Kerberos user authentication interoperability

Harden User Logon Return to Table of Contents

Your own users are often a major cause of authentication weaknesses. Creating a weak password, sharing credentials or writing down private account information are all ways in which sensitive information can be compromised, leading to unauthorized logons and insider hacks. Make sure you have the proper logon policies in place and harden your authentication credentials.
The following resources will help you harden user logon.

Checklist: Hardening user passwords
Checklist: Key control settings to harden password authentication
Checklist: Seven steps to properly set account lockout
Checklist: Restrict access to prevent insider hacks
Tip: Password policy considerations
Tip: Windows password creation
Tip: Password authentication and protection
Tip: Centrally tracking user logon attempts
Tip: How to crack a password
Expert Response : Passphrases vs. Passwords
Expert Response: Are Windows 2000 server passwords checked against a flat file?
Expert Response: Bypassing the logon password on Windows 2000 Pro
Expert Response: How can I set a legal notice to appear at logon?
Expert Response: Disabling the default Windows password filter
Expert Response: Installing Certification Authority on a domain controller?
Expert Response: Best security practices for creating/changing user names/IDs
White Paper: Windows 2000 and NT logon security

Harden Remote Access Authentication Return to Table of Contents

Whether you're working with Routing and Remote Access Server (RRAS) or trying to configure Internet Authentication Services (IAS), steps can be taken to protect remote access authentication from being compromised by man-in-the-middle attacks or unauthorized logins.
The following resources will help you harden remote access authentication in Windows 2003, XP and 2000.

Tip: Preventing access to your LAN
Tip: Simple VPN authentication choices
Expert Response: How to block a non-company laptop from infecting the network
Expert Response: Using RRAS and NAT to share Internet access and restrict user logon duration
Expert Response: Using Group Policy to specify Remote Desktop permissions
Book Excerpt: How network access quarantine works
Book Excerpt: Six steps for deploying Network Access Quarantine Control
Book Excerpt: VPN design issues for L2TP/IPSec
Book Excerpt: VPN protocol choices
Book Excerpt: PPTP
Book Excerpt: L2TP/IPSec
Book Excerpt: L2TP over IPSec and NAT -- NAT-traversal
White Paper: RADIUS protocol security and best practices
White Paper: Using IPsec in Windows 2000 and XP
White Paper: Deploying Windows Server 2003 IAS with VLANs
White Paper: Internet Authentication Service for Windows 2000
White Paper: Enterprise deployment of wireless and remote access with Internet Authentication Service
White Paper: How to build secure LANs with IPSec

Harden Wireless Authentication Return to Table of Contents

Setting up a wireless network may be relatively simple, but without strong authentication you are opening the door to outsiders who can easily gain access to your network. For starters, you can lock down wireless authentication using 802.1x, a group of evolving wireless local area network (WLAN) standards.
The following resources will help you harden authentication for wireless access.

Article: The most serious challenges in securing wireless networks
Tip: Five reasons to deploy IPSec policies on your network
Tip: Best practices for implementing IPSec policies
Tip: Securing teleworker wireless LANs
Expert Response: Prevent unauthorized systems from accessing your network with 802.1x
Expert Response: Prevent being hacked while utilizing Wi-Fi LAN
Expert Response: Support for Wi-Fi protected access
Expert Response: Securing a network through wireless APs
Book Excerpt: Securing wireless communications
Book Excerpt: Standard wireless security options
Book Excerpt: Standard wireless security options plus fire walling
Book Excerpt: Add 802.1x technology
Book Excerpt: Windows .NET Server wireless network (IEEE 802.11) policies

Harden Web Server Authentication Return to Table of Contents

By design, most Web servers are open to the Internet, and therefore susceptible to hackers. Microsoft's Internet Information Server (IIS) needs to be properly configured and hardened according to how the server and its Web sites are used.
The following resources will help you harden authentication for IIS and Web applications.

Tip: IIS authentication methods: What and when
Tip: HTTP basic authentication
Tip: Heads up on Web-based certificate mapping
Tip: How to estimate number of anonymous users on a Web site
Expert Response: How to restrict access to certain sections of our company's intranet
Expert Response: Security measures to take with PSTN connections
Expert Response: Pros and cons of using a proxy server
Expert Response: How to secure OWA access over the Internet
Expert Response: Implementing system/account delegation within an application built using ASP.NET
White Paper: Technical overview of Internet Information Services (IIS) 6.0
White Paper: Securing IIS: How to implement a secure IIS Web server
White Paper: Security in the Microsoft .NET framework
White Paper: Security at the next level: Are your Web applications vulnerable?
White Paper: Application security challenges and solutions

More Information from SearchWindowsSecurity.com

Get answers to all of your Windows authentication questions. Ask your peers for help in ITKnowledge Exchange or pose questions to Hardening Windows expert Roberta Bragg. Also check out the following resources.

Learning Guide: Access control
Topic Research: Windows NT Server authentication
Topic Research: Windows NT Desktop authentication
Topic Research: Windows 2000 Server authentication
Topic Research: Windows 2000 Professional authentication
Topic Research: Windows Server 2003 authentication
Topic Research: Windows XP Professional authentication

Tags: Authentication, Authentication, Authentication , Authentication , Wireless , Authentication , Authentication , Authentication , Protocols, Authentication, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us