For organizations to maintain security and reduce their threat exposure, it’s critical to understand the vulnerabilities and challenges of Windows authentication protocols. For instance, the inherent flaws of the LM and NTLM protocols render them susceptible to simple attacks. It’s important for organizations to develop a strategy to restrict (or even remove) LM and NTLM usage, and rely on better protocols such as Kerberos to limit security risks. In this blog, we’ll look at various authentication protocols, including LM, NTLM, NTLMv2, and Kerberos.
Windows Active Directory (AD) authentication protocols authenticate users, computers, and services in AD, and enable authorized users and services to access resources securely.
LM is among the oldest authentication protocols used by Microsoft. However, its hashes were relatively easy to crack. By capturing hashes and cracking them to obtain account logon credentials, attackers could easily authenticate to other systems on the network. NTLM, which succeeded LM, is an encrypted challenge/response-based authentication protocol used for network logons by client devices, yet it’s still easy to crack. NTLMv2 was a significant improvement compared to NTLM in terms of both authentication and session security mechanisms. It enhanced the security of NTLM by adding the ability for a server to authenticate to a client.
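As an added example, not code from the original post, here is the NTLMv2 challenge/response computation from MS-NLMP, with both the client side (building the response) and the server side (recomputing and checking it). It shows why an NTLMv2 response is bound to one server challenge, one client nonce, a timestamp and a target name. The user, domain, target and NT hash are constructed values, and the NT hash is assumed precomputed (the MD4 step over the password is omitted).

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed 16-byte NT hash (normally MD4 of the UTF-16LE password); assumed precomputed.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(target: str) -> bytes:
    """Minimal target info: one AvId=2 (target domain/server name) pair plus the MsvAvEOL terminator."""
    name = target.encode("utf-16-le")
    return struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)


def filetime_now() -> int:
    """Windows FILETIME: 100 ns ticks since 1601-01-01."""
    return int((time.time() + 11644473600) * 10_000_000)


def client_response(nt_hash, user, domain, server_challenge, target, client_nonce, timestamp):
    """Build NtChallengeResponse = NTProofStr || temp, where temp carries time, nonce and target info."""
    key = ntowf_v2(nt_hash, user, domain)
    temp = (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_nonce
            + bytes(4) + av_pairs(target) + bytes(4))
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(nt_hash, user, domain, server_challenge, expected_target, response):
    """Server side: recompute NTProofStr over the received temp and confirm the target it was bound to."""
    proof, temp = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    if not hmac.compare_digest(proof, hmac.new(key, server_challenge + temp, hashlib.md5).digest()):
        return False  # wrong password hash, wrong challenge, or tampered temp
    return av_pairs(expected_target) in temp  # temp is authenticated, so the target check is trustworthy


def demo():
    """Good response, then the same response replayed against another target and another challenge."""
    chal, nonce = os.urandom(8), os.urandom(8)
    resp = client_response(NT_HASH, "alice", "CORP", chal, "FILESRV01", nonce, filetime_now())
    return (server_verify(NT_HASH, "alice", "CORP", chal, "FILESRV01", resp),
            server_verify(NT_HASH, "alice", "CORP", chal, "FILESRV02", resp),
            server_verify(NT_HASH, "alice", "CORP", os.urandom(8), "FILESRV01", resp))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```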
Kerberos authentication is a vast improvement over the previous technologies. Kerberos provides identity authentication by exchanging messages between the client, authentication server, and application server. Compared to NTLMv2, Kerberos’ use of strong cryptography and third-party ticket authorization makes it much more difficult for cybercriminals to infiltrate the network, providing an additional layer of security.
The table below compares NTLM, NTLMv2, and Kerberos.
Protocol | NTLM | NTLMv2 | Kerberos
--- | --- | --- | ---
Cryptographic technique | Symmetric key cryptography | Symmetric key cryptography | Symmetric key cryptography, asymmetric cryptography
Security level | Low | Intermediate | High
Message type | Random number | MD4 hash, random number | Encrypted ticket using DES, MD5
Trusted third party | Domain controller | Domain controller | Domain controller, key distribution center
Kerberos and NTLMv2 are required for authentication in AD, and clearly operate at higher security levels than LM and NTLM, which present significant cybersecurity risks for enterprises. In the next blog, we’ll look at how you can secure your enterprise from NTLM attacks.
where’s the next blog?
Hi Behrouz. Here it is: https://blogs.manageengine.com/active-directory/adauditplus/2019/09/06/ntlm-vulnerabilities-that-make-you-susceptible-to-relay-attacks.html