One of the biggest problems with Windows environments is the insistence to continue to build upon older systems despite the emergence of cloud solutions. Attackers can easily gain access to Active Directory domains by finding security gaps in older systems, and NTLM has been exploited as a result.
What is NTLM?
Windows New Technology LAN Manager (NTLM) authentication is a protocol used in Active Directory to authenticate clients to various AD domain services. It authenticates clients with a challenge-response method, sending the client a mathematical operation that the client reciprocates with its authentication token. Although it’s been overshadowed by Kerberos authentication, it’s still widely used because NTLM is compatible with older systems.
NTLM is a Single-Sign-On (SSO) system that only requires a password. However, its dated cryptography and reliance on passwords make it a common target for modern cyber attacks.
Microsoft advised against using NTLM in favor of Kerberos, but Kerberos isn’t able to authenticate with all systems, which keeps NTLM relevant. NTLM is still used to connect non-Windows devices to AD domains.
Instead of using password-based authentication, Microsoft clients can integrate a cloud Public Key Infrastructure (PKI) that uses certificate-based authentication. SecureW2’s PKI easily integrates with Microsoft’s AD services and allows them to upgrade from passwords to certificate-based authentication for AD domains.
Compared to modern authentication protocols, NTLM’s reliance on outdated procedures can compromise the security integrity of AD systems. We’ve gathered some NTLM vulnerabilities and how attacks can exploit them.
NTLM Security Vulnerabilities
With the rise in remote workers and the emergence of hybrid work environments, organizations are highly recommended to implement Zero Trust Network Access, a philosophy that nothing should be trusted by default. In order to implement a Zero Trust Model, admins need to identify where NTLM is being used and how NTLM is being exploited. We’ve covered some vulnerabilities below.
NTLM’s Outdated Cryptography Scheme
NTLM’s older cryptography scheme makes it easy for attackers to obtain passwords. The hash is encrypted using MP4, which can be cracked with little effort. Anyone with the right hacking software can steal credentials and obtain passwords in plaintext. A survey showed 6 in 10 businesses end up filing for bankruptcy within 6 months after an attack.
Verifying the Server Identity
NTLM authentication is unable to validate a server’s identity, making it a target for man-in-middle attacks impersonating the server and bypassing NTLM. Kerberos authentication is able to identify the server.
Lacks MFA Capabilities
Since NLTM is based on passwords, it’s unable to provide authentication for Multi-Factor Authentication (MFA) and smart cards. It’s been discovered that someone can crack any password under 8 characters through an NTLM vulnerability.
NTLM Relay Attack
NTLM Relay is an attack that exploits the inability to provide mutual authentication. In an NTLM relay attack, the attacker can intercept the server-client connection and run a man-in-the-middle attack. The attacker will impersonate by intercepting the challenge before getting to the client and then grabbing the responses and forwarding them to the server. The attacker will then be authenticated on the domain instead of the client.
Best Practices for Authentication
Since NTLM is vulnerable and only getting worse as more cyber attacks come into play, organizations need to prioritize network security and eliminate the looming threat of cyber attacks. It starts with the authentication process during a server-client connection. Here are some best security practices to follow.
Security Signatures
Server Message Block (SMB) Signing prevents NTLM relays because it’s able to tell if the data has been manipulated. Every message contains a security signature that confirms both the client and server’s identities.
Certificates provide a security improvement by being digitally signed by a Certificate Authority. With certificates equipped on both the client and server, they can verify the identities of one another.
Multi-Factor Authentication
MFA requires more than one form of identity to authenticate a user and approve network access. The different identity types that are required are a combination of something you know, something you have, and something you are.
The most common and effective use of MFA is for the purpose of web authentication. If a user wanted to access a web application, they’d experience a process such as this: navigate to a landing page, enter login credentials, and use an authentication code from Google Authenticator. Web applications that access internal databases and other sensitive information require a high level of security and would use a similar method.
In addition to securing applications with MFA, security-conscious organizations should avoid credentials and use certificates. Certificates add an extra layer of security that further protects against hacking attacks and human error.
When determining your security strategy for web applications, it is worth evaluating how many people use the application. If it is used by everyone in the organization, MFA may not be appropriate for the situation. The average cost per user is high for MFA, so if certificate-based authentication is a sufficient level of security, it may be a better option. Of course, certificates and MFA used together are a stronger security system, but for widely used web applications, certificates on their own boast lower costs and a preferred user experience.
Digital Certificate Authentication
Certificates can provide mutual authentication with Server Certificate Validation. It guarantees users will never send their authentication information to the wrong SSID. At the beginning of the authentication process, the RADIUS server and user device will communicate with one another and perform a cryptographic handshake. The RADIUS will present a server certificate and if the certificate is recognized as legitimate by the device, it can verify the server’s identity.
Certificates are perfect for a Zero Trust model, which is built on identifying each network user and automatically limiting their resource access. While Active Directory Certificate Services (AD CS) can provide this service, it is well known that they are limited in what they provide organizations. AD CS does not come with an efficient onboarding system, management software, and it is an on-premise solution, which limits your ability to integrate with present and future cloud technology.
SecureW2’s PKI services, combined with a Cloud RADIUS server, create a turnkey solution for certificate-based Wi-Fi authentication. An effective PKI provides all the necessary infrastructure to implement a certificate-based network and maintains the security and distribution of all network certificates. Organizations can seamlessly distribute certificates to devices and manage them with ease using our powerful certificate management features.
Improving Authentication Security with Digital Certificates
Securing the connections of network users has never been more important and that starts with the right authentication protocol. So much valuable data exists on the average organization’s network and it’s vital to ensure you take every sensible measure to ensure it’s protected. Check out low-cost solutions like SecureW2’s PKI and Cloud RADIUS to see if combining our certificate solutions and will work to authenticate your users to AD services.
