NTLM Authentication: Security Risks and How to Avoid Them (Gilad David Maayan)
What Is NTLM?
Windows NTLM (New Technology LAN Manager) is a suite of authentication protocols used by Windows operating systems to authenticate and secure user credentials when accessing network resources. NTLM was introduced by Microsoft in the early 1990s as an improvement over its predecessor, LAN Manager, and is still widely used today in Windows-based networks.
NTLM operates by exchanging encrypted challenge/response messages between clients and servers, allowing for secure authentication without sending plaintext passwords over the network. While NTLM is considered a legacy protocol and has some security weaknesses, it remains in use in many environments and is still supported by modern Windows operating systems.
How Does NTLM Authentication Work?
NTLM authentication involves a series of steps between a client and a server to authenticate the client's identity and grant access to network resources. The process can be broken down into the following steps:
1. The client sends a negotiation message to the server, indicating its willingness to use NTLM authentication. This message contains information such as the client's domain name, workstation name, and supported NTLM protocols.
2. The server responds with a challenge message, containing a random number called a "nonce." The nonce is encrypted with a secret key known only to the server and the client's domain controller.
3. The client receives the challenge message and uses its user credentials to compute a response to the challenge. This response includes a hash of the user's password, which is encrypted with the nonce received from the server.
4. The client sends the response message back to the server, along with its domain name and user name.
5. The server receives the response message and uses its own copy of the client's password hash to compute a response. If the computed response matches the one received from the client, the server grants access to the requested resource.
NTLM Security Vulnerabilities
NTLM is widely used in enterprise environments, but it is also a target for attackers, who can exploit its weaknesses to perform network attacks and gain unauthorized access to systems and data. Here are some of the key attack surfaces associated with NTLM.
Weak Cryptography
The NTLM protocol uses relatively weak cryptographic algorithms, such as the RC4 cipher, which can be vulnerable to brute-force attacks. As a result, NTLM authentication can be susceptible to password-cracking attacks if an attacker is able to capture the encrypted authentication messages sent over the network.
Lack of Mutual Authentication
NTLM authentication only provides one-way authentication, meaning that the server authenticates the client, but the client does not authenticate the server. This can leave the client vulnerable to man-in-the-middle attacks, where an attacker intercepts the authentication messages and poses as the server to gain access to the client's credentials.
Lack of Multi-Factor Authentication (MFA)
NTLM authentication only relies on a single factor for authentication, typically the user's password. This means that if an attacker is able to obtain the user's password through a phishing attack or other means, they can easily gain access to the network resources without needing any additional factors of authentication, such as a token or biometric identifier.
NTLM Relay Attacks
One of the most significant security vulnerabilities of NTLM authentication is its susceptibility to relay attacks. In a relay attack, an attacker intercepts the NTLM authentication messages sent between the client and server and relays them to a third-party server, such as a domain controller, to gain access to network resources. This is especially dangerous when the relayed credentials carry administrative privileges on that third-party server, as the attacker can then gain full control over the network.
Why Is NTLM Still Used?
Despite its security vulnerabilities, NTLM authentication is still widely used in Windows-based networks for several reasons:
● Fallback when Kerberos fails: In Windows environments, Kerberos is the preferred authentication protocol. However, in cases where Kerberos authentication fails, such as when a client is not joined to an Active Directory domain, NTLM authentication can serve as a fallback mechanism to provide basic authentication and access to network resources.
● Backward compatibility: NTLM authentication has been around for several decades and is still supported by modern Windows operating systems for backward compatibility with legacy applications and systems that rely on NTLM.
● Support for workgroup authentication: In environments where there is no centralized domain controller, such as small workgroup environments, NTLM authentication can be used to authenticate users and provide access to network resources.
● Local authentication: NTLM authentication can also be used for local authentication on standalone machines or non-domain-joined computers, providing a basic level of security for user accounts on these systems.
● Ability to handle a non-existent SPN: Unlike Kerberos authentication, NTLM authentication can handle situations where a Service Principal Name (SPN) does not exist or is not configured correctly, providing more flexibility for authentication in certain scenarios.
● Lack of connectivity to DC or DNS: NTLM authentication can also be used in situations where a client is unable to connect to a domain controller or DNS server, such as in disconnected or remote environments.
● Hybrid environments: In mixed environments with both domain-joined and non-domain-joined clients, NTLM authentication can be used to provide basic authentication for non-domain-joined clients while still allowing domain-joined clients to use Kerberos authentication.
Securing NTLM Authentication
Securing NTLM involves implementing a range of security measures and solutions to mitigate the known vulnerabilities of the protocol.
● Use strong passwords: Strong passwords can help prevent brute-force attacks. Users should be encouraged to use complex passwords that include a mix of letters, numbers, and symbols.
● Implement multi-factor authentication: Multi-factor authentication (MFA) provides an additional layer of security beyond passwords. MFA requires users to provide additional authentication factors, such as a security token or biometric data, to gain access to resources.
● Use secure network protocols: NTLM should be used over secure network protocols such as SSL/TLS to prevent man-in-the-middle attacks.
● Disable legacy authentication protocols: Legacy authentication protocols like NTLM should be disabled in favor of more modern and secure authentication protocols like Kerberos.
● Implement network segmentation: Network segmentation can help prevent relaying attacks by limiting the ability of attackers to intercept and forward authentication requests.
● Keep software and security patches up to date: It's important to keep software and security patches up to date to reduce the risk of known vulnerabilities being exploited by attackers.
● Use encryption: NTLM authentication should be used over encrypted channels to protect against attacks that intercept traffic and steal authentication information.
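Disabling NTLM safely starts with knowing who still uses it. As an added example (not from the article), here is a Python inventory of NTLM use built from Windows Security log 4624 (successful logon) events: it counts logons by authentication package and flags NTLMv1 and anonymous NTLM logons. The event lines are constructed for this illustration; the field names follow the real 4624 schema.

```python
import re
from collections import Counter

# Constructed sample of Windows Security log 4624 events flattened to one 'Key=Value' line each.
# Field names match the real event schema; hosts, users and addresses are invented.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 TargetUserName=alice TargetDomainName=CORP WorkstationName=WS01 "
    "IpAddress=10.0.0.21 AuthenticationPackageName=NTLM LmPackageName=NTLM V1",
    "EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP WorkstationName=FS02 "
    "IpAddress=10.0.0.50 AuthenticationPackageName=NTLM LmPackageName=NTLM V2",
    "EventID=4624 LogonType=3 TargetUserName=bob TargetDomainName=CORP WorkstationName=WS07 "
    "IpAddress=10.0.0.33 AuthenticationPackageName=Kerberos LmPackageName=-",
    "EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY WorkstationName=- "
    "IpAddress=10.0.0.99 AuthenticationPackageName=NTLM LmPackageName=NTLM V1",
    "EventID=4625 LogonType=3 TargetUserName=alice TargetDomainName=CORP WorkstationName=WS01 "
    "IpAddress=10.0.0.21 AuthenticationPackageName=NTLM LmPackageName=-",
]

# Values may contain spaces ("NTLM V1", "ANONYMOUS LOGON"), so a value runs until the next 'Key='.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line: str) -> dict:
    """Split a flattened 'Key=Value Key=Value' event line into a dict."""
    return dict(FIELD_RE.findall(line))

def ntlm_inventory(lines) -> dict:
    """Summarise which accounts and sources still authenticate with NTLM, and which use NTLMv1."""
    by_package = Counter()
    ntlmv1, anonymous = [], []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":      # only successful logons carry the package fields we need
            continue
        pkg = ev.get("AuthenticationPackageName", "?")
        by_package[pkg] += 1
        if pkg != "NTLM":
            continue
        who = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}@{ev["IpAddress"]}'
        if ev.get("LmPackageName") == "NTLM V1":   # weakest variant; first candidate for removal
            ntlmv1.append(who)
        if ev["TargetUserName"] == "ANONYMOUS LOGON":
            anonymous.append(who)
    return {"by_package": dict(by_package), "ntlmv1": ntlmv1, "anonymous": anonymous}
```

Run against exported events, the by_package counts show how far a Kerberos migration has progressed, while the ntlmv1 and anonymous lists name the hosts and accounts that would break if NTLM were disabled outright.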
NTLM authentication has been a widely used authentication protocol in Windows-based networks for many years, but it has several security vulnerabilities that make it less secure than modern authentication protocols such as Kerberos. Some of the main security risks associated with NTLM authentication include weak cryptography, lack of mutual authentication, lack of multi-factor authentication, and vulnerability to NTLM relay attacks.
However, there are steps that organizations can take to improve the security of NTLM authentication, such as enforcing strong password policies, implementing MFA, using secure network protocols, and segmenting the network.
It is important for organizations to carefully evaluate the risks associated with NTLM authentication and consider transitioning to more modern authentication protocols that provide stronger security features. However, for certain legacy applications and systems, NTLM authentication may still be necessary. In such cases, organizations can take steps to mitigate the security risks associated with NTLM authentication and ensure that their networks remain secure.
Author Bio: Gilad David Maayan
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Check Point, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.