Controlling the Logon and Authentication Process
The purpose of logging on to Windows—providing a user name and password—is to allow Windows to authenticate you. In theory, the process of logon and authentication verifies that you are who you claim to be (because, presumably, only the owner of a user account knows its user name and its password). On the surface, the process is quite simple: Depending on how your computer is configured, you press Ctrl+Alt+Del to display the Log On To Windows dialog box, or you click your user name on the Welcome screen; you enter your password (your user name is already entered) and click OK; and a few moments later your desktop appears.
Under the hood, a lot is going on to allow this seemingly simple task to be performed as securely as possible—all under the control of the Local Security Authority (LSA). This process is explained in great detail in Microsoft Windows XP Professional Resource Kit Documentation (Microsoft Press, 2001). In this chapter, we concentrate on the type of logon used on stand-alone computers and on computers that are not joined to a Windows 2000 Server or Windows .NET Server domain: an interactive logon using NTLM authentication.
An interactive logon is one of four types of logon processes handled by Windows XP and Windows 2000. It's the process of logging on to a local computer to which you have direct physical access or to which you connect via Remote Desktop Connection or Terminal Services. The other logon types are network, which is used for accessing another computer on your network; service, which is used by services to log on using the LocalSystem account or the credentials of a user account, depending on how the service is configured; and batch, which is for applications that run as batch jobs (such as a program that updates a corporate database server overnight) and is almost never used in small networks.
During the authentication process, the computer that's asking for permission to access a resource must exchange information with the computer that manages security for that resource. From a security standpoint, it is almost never acceptable to send a user name and password over any network in unencrypted form (referred to as plain text or clear text). In Windows XP and Windows 2000, this communication is encrypted using one of two authentication protocols: Kerberos V5 or NTLM. Kerberos is the default authentication protocol on computers running Windows XP and Windows 2000; however, these computers fall back to NTLM authentication when they are not joined to a Windows 2000 Server or Windows .NET Server domain—in other words, on stand-alone computers and on workgroups of any size that consist of a mix of computers running Windows.
The Kerberos protocol uses extremely sophisticated encryption to prevent unauthorized intruders from intercepting traffic on the network and breaking a password. By contrast, the NTLM protocol uses a challenge/response authentication mechanism: The computer managing security for the resource issues an encrypted challenge to the computer that's requesting access, which in turn must provide the correct encrypted response, using an encryption key based on the password for that user account.
NTLM authentication in Windows XP and Windows 2000 supports three NTLM variants:
LAN Manager (LM). This is the least secure authentication method in Windows XP. It's used only when you connect to shared folders on computers running Windows for Workgroups, Windows 95/98, or Windows Me.
NTLM version 1. More secure than LM, this variant is needed only when you connect to servers in a Windows NT domain in which a domain controller is running Windows NT 4 Service Pack 3 or earlier.
NTLM version 2. This is the most secure form of challenge/response authentication. It is the one used to connect to other computers running Windows XP or Windows 2000 or to servers in a domain where all controllers are running Windows NT 4 Service Pack 4 or later.
TIP: Shut down LM to tighten network security
If all the computers on your network run Windows XP or Windows 2000, you can disable the weaker authentication variants, thereby closing a couple of additional avenues that attackers might use. To disable these variants, start Local Security Settings (type secpol.msc at a command prompt), and open Security Settings\Local Policies\Security Options. In the details pane, double-click Network Security: LAN Manager Authentication Level (in Windows XP) or LAN Manager Authentication Level (in Windows 2000). In the list, select Send NTLMv2 Response Only\Refuse LM & NTLM. This helps to stymie password-cracking tools such as LC3, which captures password-bearing packets from network traffic. Note, however, that taking this step will effectively break communications between your computer and those running earlier versions of Windows.
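The policy described in this tip is stored in the registry as the LmCompatibilityLevel value under the LSA key, where 5 corresponds to Send NTLMv2 Response Only\Refuse LM & NTLM. The following PowerShell is an added example, not from the book, that audits the current level and can raise it; it assumes the documented key path and level meanings and an elevated session for the Set function.

```powershell
# Added example (not from the book): audit the registry value behind the
# "LAN Manager Authentication Level" policy and optionally raise it to 5.
# Assumptions: the Lsa key path and the LmCompatibilityLevel meanings below
# are the documented ones; run an elevated session to apply a change.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value, as the list in secpol.msc shows it.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthLevel {
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    $level = $props.LmCompatibilityLevel
    if ($null -eq $level) {
        # Value absent: the operating system's built-in default is in force.
        return [pscustomobject]@{
            Level = $null; Name = 'not set (platform default applies)'; ClientSendsLM = $null
        }
    }
    [pscustomobject]@{
        Level         = [int]$level
        Name          = $LevelNames[[int]$level]
        ClientSendsLM = ([int]$level -le 1)   # an LM response still leaves this machine
    }
}

function Set-LmAuthLevel {
    param([ValidateRange(0, 5)][int]$Level = 5)
    # Caveat from the text: level 5 breaks connections to Windows 9x/Me hosts
    # and to NT 4 domain controllers earlier than Service Pack 4.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    Get-LmAuthLevel
}

Get-LmAuthLevel | Format-List
# To harden from an elevated prompt: Set-LmAuthLevel -Level 5
```

Run Get-LmAuthLevel first on each machine; a ClientSendsLM of True means the weak LM response is still being sent on the wire.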