For organizations to maintain security and reduce their threat exposure, it’s critical to understand the vulnerabilities and challenges of Windows authentication protocols. For instance, the inherent flaws of the LM and NTLM protocols render them susceptible to simple attacks. It’s important for organizations to develop a strategy to restrict (or even remove) LM and NTLM usage, and rely on better protocols such as Kerberos to limit security risks. In this blog, we’ll look at various authentication protocols, including LM, NTLM, NTLMv2, and Kerberos.

Windows Active Directory (AD) authentication protocols authenticate users, computers, and services in AD, and enable authorized users and services to access resources securely.

LM is among the oldest authentication protocols used by Microsoft, but its hashes are relatively easy to crack. By capturing hashes and cracking them to obtain account logon credentials, attackers could easily authenticate to other systems on the network. NTLM, which succeeded LM, is an encrypted challenge/response-based authentication protocol used for network logons by client devices, yet it is still easy to crack. NTLMv2 was a significant improvement over NTLM in both its authentication and session security mechanisms; it strengthened NTLM by adding the ability for a server to authenticate to a client.

Kerberos authentication is a vast improvement over the previous technologies. Kerberos provides identity authentication by exchanging messages between the client, authentication server, and application server. Compared to NTLMv2, Kerberos’ use of strong cryptography and third-party ticket authorization makes it much more difficult for cybercriminals to infiltrate the network, providing an additional layer of security.
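To make that three-party message flow concrete, here is an added example (not code from the original post, and not any Microsoft or MIT implementation) that simulates the AS, TGS and AP exchanges in Python. The realm, principals, passwords, keys and the HMAC-based toy cipher are all constructed for illustration; real Kerberos uses AES encryption types, ASN.1-encoded messages and pre-authentication, none of which are modelled here.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"      # constructed sample realm
TICKET_LIFETIME = 8 * 3600   # seconds
MAX_SKEW = 300               # authenticators outside this clock window are rejected

def derive_key(password, principal):
    """Toy string-to-key: the password itself never goes over the network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, msg):
    """Toy encrypt-then-MAC cipher standing in for Kerberos' AES encryption types."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def validate(ticket, authenticator, service):
    """Checks shared by the TGS and the application server; returns the client name."""
    if ticket["service"] != service or ticket["expires"] < time.time():
        raise ValueError("ticket is for another service or has expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)  # proves session-key possession
    if auth["client"] != ticket["client"] or abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator does not match ticket or is outside clock skew")
    return ticket["client"]

class KDC:
    """Authentication Server and Ticket-Granting Server sharing one key database."""
    def __init__(self, keys):
        self.keys = keys  # principal name -> long-term key (constructed)

    def _ticket(self, client, service, session_key):
        body = {"client": client, "service": service, "key": session_key.hex(),
                "expires": time.time() + TICKET_LIFETIME}
        return seal(self.keys[service], body)  # only the named service can open it

    def as_exchange(self, client):
        """AS-REQ/AS-REP: TGT plus its session key sealed under the client's long-term key.
        Real Kerberos also demands pre-authentication before it answers."""
        session_key = os.urandom(32)
        return self._ticket(client, "krbtgt", session_key), seal(self.keys[client], {"key": session_key.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        client, svc_key = validate(t, authenticator, "krbtgt"), os.urandom(32)
        return self._ticket(client, service, svc_key), seal(bytes.fromhex(t["key"]), {"key": svc_key.hex()})

def client_login(kdc, name, password):
    """Client side of the AS exchange; only the right long-term key recovers the session key."""
    tgt, enc_key = kdc.as_exchange(name)
    return tgt, bytes.fromhex(unseal(derive_key(password, name), enc_key)["key"])

def client_ap_req(kdc, name, tgt, tgt_key, service):
    """Client side of the TGS exchange, then the AP-REQ sent to the application server."""
    ticket, enc_key = kdc.tgs_exchange(tgt, seal(tgt_key, {"client": name, "ts": time.time()}), service)
    svc_key = bytes.fromhex(unseal(tgt_key, enc_key)["key"])
    return ticket, seal(svc_key, {"client": name, "ts": time.time()})

def service_accept(service, service_key, ticket, authenticator):
    """AP-REQ check by the application server; no call back to the KDC is needed."""
    return validate(unseal(service_key, ticket), authenticator, service)

def demo(password="correct horse battery"):
    """Full logon of constructed user alice to constructed service http/web01."""
    keys = {"alice": derive_key("correct horse battery", "alice"),
            "krbtgt": os.urandom(32), "http/web01": os.urandom(32)}
    kdc = KDC(keys)
    tgt, tgt_key = client_login(kdc, "alice", password)  # ValueError on a wrong password
    ticket, auth = client_ap_req(kdc, "alice", tgt, tgt_key, "http/web01")
    return service_accept("http/web01", keys["http/web01"], ticket, auth)
```

Two properties of the design are visible here: the client's password is only ever used locally to unwrap the AS reply, so nothing password-derived crosses the network (unlike an NTLM response), and the application server validates the ticket with its own key and never contacts the domain controller for the check. The authenticator's timestamp is why Kerberos depends on reasonably synchronized clocks.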

The table below compares NTLM, NTLMv2, and Kerberos.

| Protocol | NTLM | NTLMv2 | Kerberos |
|---|---|---|---|
| Cryptographic technique | Symmetric key cryptography | Symmetric key cryptography | Symmetric key cryptography, asymmetric cryptography |
| Security level | Low | Intermediate | High |
| Message type | Random number | MD4 hash, random number | Encrypted ticket using DES, MD5 |
| Trusted third party | Domain controller | Domain controller | Domain controller, key distribution center |

Kerberos and NTLMv2 are required for authentication in AD, and clearly operate at higher security levels than LM and NTLM, which present significant cybersecurity risks for enterprises. In the next blog, we’ll look at how you can secure your enterprise from NTLM attacks.
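Before LM and NTLM use can be restricted, an organization has to know where it still occurs. The following added example (not part of the original post) parses a constructed sample of Windows Security event 4624 messages and counts logons by protocol, flagging the ones that still used LM or NTLMv1. The accounts, hosts and addresses in the sample are made up; the field names are the ones Windows prints in 4624.

```python
import re
from collections import Counter

# Constructed sample of Security event 4624 messages (not real logs), trimmed to
# the fields used here. Windows prints "Account Name" under both "Subject" and
# "New Logon"; the parser keeps the last one, which is the account that logged on.
SAMPLE_4624 = """
An account was successfully logged on.
Subject:
    Account Name:           -
New Logon:
    Account Name:           alice
    Account Domain:         EXAMPLE
Network Information:
    Source Network Address: 10.0.0.5
Detailed Authentication Information:
    Authentication Package: Kerberos
    Package Name (NTLM only): -
An account was successfully logged on.
Subject:
    Account Name:           -
New Logon:
    Account Name:           svc-backup
    Account Domain:         EXAMPLE
Network Information:
    Source Network Address: 10.0.0.20
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V2
An account was successfully logged on.
Subject:
    Account Name:           -
New Logon:
    Account Name:           scanner-svc
    Account Domain:         EXAMPLE
Network Information:
    Source Network Address: 10.0.0.77
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V1
An account was successfully logged on.
Subject:
    Account Name:           -
New Logon:
    Account Name:           nas-old
    Account Domain:         EXAMPLE
Network Information:
    Source Network Address: 10.0.0.90
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): LM
"""

FIELD = re.compile(
    r"^\s*(Account Name|Account Domain|Source Network Address|Authentication Package|"
    r"Package Name \(NTLM only\)):\s*(.*?)\s*$", re.MULTILINE)
EVENT_START = "An account was successfully logged on."

# Value of "Package Name (NTLM only)" -> protocol family; "-" means NTLM was not used.
LM_PACKAGE = {"LM": "LM", "NTLM V1": "NTLMv1", "NTLM V2": "NTLMv2"}

def parse_4624(text):
    """Split the text into events and pull out the fields of interest."""
    events = []
    for block in text.split(EVENT_START)[1:]:
        fields = {}
        for key, value in FIELD.findall(block):
            fields[key] = value  # later "New Logon" values overwrite "Subject" ones
        events.append(fields)
    return events

def classify(event):
    """Decide which protocol a 4624 event reflects; NTLM under Negotiate still shows the package name."""
    lm = event.get("Package Name (NTLM only)", "-")
    if lm in LM_PACKAGE:
        return LM_PACKAGE[lm]
    if event.get("Authentication Package") == "Kerberos":
        return "Kerberos"
    return "other"

def audit(text):
    """Return protocol counts plus the logons that still used LM or NTLMv1."""
    events = parse_4624(text)
    counts = Counter(classify(e) for e in events)
    weak = [(f'{e.get("Account Domain", "?")}\\{e.get("Account Name", "?")}',
             e.get("Source Network Address", "-"), classify(e))
            for e in events if classify(e) in ("LM", "NTLMv1")]
    return dict(counts), weak
```

Running `audit(SAMPLE_4624)` on the constructed sample yields one logon each for Kerberos, NTLMv2, NTLMv1 and LM, and lists `scanner-svc` and `nas-old` with their source addresses as the systems to fix first. On a real estate the same logic is applied to exported 4624 events from domain controllers and member servers; Windows can additionally write dedicated NTLM audit events (8001 to 8004 in the Microsoft-Windows-NTLM/Operational log) once the "Network security: Restrict NTLM" audit policies are enabled, which gives the same inventory without parsing 4624.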


  1. Behrouz

    Where's the next blog?