Authentication Methods: Basic vs. NTLM

Questions and Answers

Which of the following is a key characteristic of basic authentication?

  • Provides advanced encryption of transmitted credentials.
  • Credentials are included with every request, making it stateless. (correct)
  • Offers inherent support for multifactor authentication.
  • Requires complex infrastructure setups for implementation.

A web application developer is choosing an authentication method for a new project. Which of the following is the primary security concern if basic authentication is selected?

  • Requirement for frequent credential renewal.
  • Vulnerability to interception when transmitted over unencrypted channels. (correct)
  • Incompatibility with modern HTTP clients and APIs.
  • Difficulty in setting up and operating the authentication process.

In what scenario would NTLM authentication be most appropriate?

  • Authenticating users in a legacy Windows environment. (correct)
  • Providing a highly secure authentication mechanism with the latest cryptographic standards.
  • Authenticating users across different operating systems in a modern network.
  • Implementing multifactor authentication across a web application.

A system administrator is tasked with improving the security of a Windows network that currently relies on NTLM for authentication. What is a major security vulnerability they should address?

  • NTLM's susceptibility to password attacks due to its weak, unsalted password hashing. (correct)

What is a key difference between basic authentication and NTLM authentication?

  • Basic authentication is stateless, while NTLM involves a negotiation process. (correct)

An organization is migrating from a legacy system using NTLM to a modern, cloud-based infrastructure. What is the most significant reason to replace NTLM with a more modern authentication protocol?

  • To enhance security by leveraging the latest cryptographic advancements. (correct)

Why does basic authentication not require session tracking on the server side?

  • Because each request contains the authentication credentials. (correct)

Which of the following is a disadvantage of basic authentication?

  • Credentials are only Base64-encoded, so they are exposed to interception over unencrypted channels. (correct)

Which of the following is a primary disadvantage of using the NTLM authentication protocol?

  • NTLM lacks mutual authentication, meaning the client does not verify the server's identity. (correct)

Why does Microsoft recommend passwordless authentication methods?

  • They provide a more secure sign-in experience. (correct)

Which of the following advanced authentication techniques adds an additional layer of security beyond a simple password?

  • Multifactor authentication (correct)

What is the primary function of Credential Guard in Microsoft Windows?

  • To isolate user credentials to prevent credential theft attacks. (correct)

Credential Guard leverages which of the following technologies to protect sensitive information?

  • Hardware-backed, virtualization-based security and an isolated Local Security Authority (LSA) process. (correct)

In Kerberos authentication, what is the role of the Ticket-Granting Server (TGS)?

  • To issue the service tickets that connect the user with the service server. (correct)

Which component of Kerberos is responsible for performing the initial authentication of a user?

  • The Authentication Server (AS). (correct)

What security benefit does Kerberos provide by not sending passwords over the internet?

  • It prevents eavesdropping and password theft. (correct)

Which of the following best describes the function of the Kerberos database?

  • It stores the password and identification of all verified users. (correct)

After initial authentication in Kerberos, where is the session-specific ticket stored?

  • On the end-user's device. (correct)

In the OAuth 2.0 flow, what is the immediate result of the resource owner granting authorization to the client?

  • The client receives an authorization code. (correct)

Which of the following is the primary function of the Resource Server in an OAuth 2.0 framework?

  • Validating access tokens and providing access to protected resources. (correct)

What information is typically included in the Authentication Context within the OpenID Connect (OIDC) framework?

  • Time of authentication and authentication methods used. (correct)

How does OpenID Connect (OIDC) extend the functionality of OAuth 2.0?

  • By adding an identity layer that allows clients to verify the user's identity. (correct)

What is the primary purpose of the ID Token in an OpenID Connect (OIDC) flow?

  • To provide the client with a secure way to authenticate the user. (correct)

A client application requests authorization with the openid scope. What does this indicate?

  • The application is initiating an OpenID Connect flow to authenticate the user. (correct)

A developer is implementing an OpenID Connect (OIDC) flow. After the authorization server authenticates the user, what two items are typically issued to the client?

  • Access Token and ID Token (correct)

Which of the following components is responsible for issuing tokens after successful authentication in OAuth 2.0?

  • Authorization Server (correct)

In an OAuth 2.0 flow, what is the primary purpose of using tokens for API authentication?

  • To provide a secure and standardized method for applications to access APIs on behalf of users. (correct)

Which of the following is a key advantage of using OAuth and OpenID Connect (OIDC) for authentication?

  • The need to share credentials across applications is eliminated. (correct)

What is the significance of 'Authentication Context' in modern authentication protocols?

  • It adds vital information related to user logins, such as authentication time and methods used. (correct)

When integrating OAuth/OIDC in hybrid environments, which of the following is a common solution for bridging on-premises Active Directory with Azure AD?

  • Utilizing Azure AD Connect to synchronize and manage identities across both environments. (correct)

What is the purpose of 'standard scopes' like 'openid', 'profile', and 'email' in the context of OAuth and OIDC?

  • To fetch basic user details during the authentication process. (correct)

How do short-lived tokens and refresh tokens enhance security in OAuth and OIDC?

  • By reducing the risk associated with compromised tokens and limiting the time frame of potential misuse. (correct)

What role do libraries like MSAL (Microsoft Authentication Library) play in OAuth and OIDC implementations?

  • They streamline the management of tokens and authentication flows, reducing implementation complexity. (correct)

In the context of OAuth and OIDC, what is the main purpose of Single Sign-On (SSO)?

  • Allowing users to authenticate once and access multiple applications without re-authentication. (correct)

What critical vulnerability arises if a Key Distribution Center (KDC) experiences a failure?

  • The entire authentication system fails, blocking resource access. (correct)

Which of the following is NOT a typical advantage of Kerberos authentication?

  • Unlimited ticket lifetime for continuous access. (correct)

In a Kerberos environment, what is the primary role of the Ticket Granting Service (TGS)?

  • To issue service tickets that allow access to specific network resources. (correct)

Why is time synchronization critical in a Kerberos environment?

  • To prevent replay attacks by validating ticket timestamps. (correct)

A user is having trouble authenticating with Kerberos. What is the most likely cause related to time if other factors are ruled out?

  • The user's system time is not synchronized with the KDC within acceptable limits. (correct)

Why is Multi-Factor Authentication (MFA) considered more secure than single-factor authentication?

  • It reduces reliance on passwords, mitigating risks from phishing and brute-force attacks. (correct)

A company wants to implement MFA for all users but anticipates resistance. What is the most effective approach to mitigate this resistance?

  • Provide training and emphasize the security benefits of MFA. (correct)

Which of the following is NOT a typical method for second-factor authentication in a Windows environment?

  • Security Questions. (correct)

What is a key disadvantage of using SMS or Email OTP as an MFA method?

  • SMS and email OTPs are less secure due to potential interception. (correct)

A company implements certificate-based authentication but faces challenges with managing certificates. What is the MOST effective solution to address this?

  • Use automated tools for certificate issuance, renewal, and revocation. (correct)

In certificate-based authentication, what is the purpose of a Certificate Authority (CA)?

  • To issue and manage digital certificates, verifying the identity of users and devices. (correct)

Which of the following is NOT a primary advantage of using certificate-based authentication?

  • Centralized password reset portal reduces management overhead. (correct)

What action should be taken when a user's device, which is used for certificate-based authentication, is lost or compromised?

  • Revoke the certificate associated with the device to prevent unauthorized access. (correct)

In the context of OAuth 2.0, what is the role of the Resource Owner?

  • The user who owns the data or resources. (correct)

Which protocol provides a method for a user to grant limited access to their resources on one system to another without sharing their credentials?

  • OAuth 2.0. (correct)

Flashcards

Basic Authentication

A simple authentication method where the user provides a username and password.

Advantages of Basic Authentication

Simple setup and operation; compatible with most HTTP clients and APIs and reduces server complexity.

Disadvantages of Basic Authentication

Vulnerable to interception without encryption, lacks expiry, no multi-factor support, and susceptible to replay attacks.

NTLM Protocol

A Microsoft security protocol suite for authentication, integrity, and confidentiality, mainly in legacy systems.

NTLM Challenge/Response Mechanism

It uses a three-message process: Negotiation, Challenge, Authentication.

NTLM Authentication Method

NTLM relies on a challenge-response protocol.

Security Vulnerabilities of NTLM

NTLM's password hashing is weak and unsalted, so captured hashes can be cracked or reused.

NTLM's Cryptography

NTLM uses outdated cryptography.

Advanced Authentication

Replacing passwords outright or adding extra verification steps.

Credential Guard

A Windows security feature isolating login info to prevent credential theft.

VBS (Virtualization-Based Security)

Hardware-backed, virtualization-based security used by Credential Guard.

Protected Container

An isolated and protected environment separate from the OS.

Kerberos

A system to authenticate users without sending passwords over the internet, using symmetric key cryptography.

How Kerberos Works

Uses symmetric key cryptography and a key distribution center (KDC) to authenticate and verify user identities.

Ticket-Granting Server (TGS)

Connects user with service server within Kerberos.

Kerberos Database

Stores password and identification of verified users within Kerberos.

Authentication Server (AS)

Performs the initial authentication within Kerberos system.

OAuth Client

Application requesting access to resources.

Authorization Server

Server that authenticates users and issues tokens.

Resource Server

Server hosting user data, validates access tokens.

What is OAuth 2.0?

An open standard for access delegation.

What is OIDC?

Extends OAuth 2.0, adds an identity layer.

What is an ID Token

A JWT containing verified user details.

Standard Scopes

openid, profile, email, address, phone

Authentication Context

Info about login time and authentication method.

Securing APIs with OAuth

Using OAuth 2.0 for API access control.

Single Sign-On (SSO)

Allows users to log in once and access multiple applications.

Hybrid Environment Authentication

Bridges on-premises Active Directory with Azure AD.

Third-Party App Integration

Granting limited access to third-party services via OAuth/OIDC.

Standard Scopes (OAuth/OIDC)

openid, profile, and email. Used for fetching user details.

Advantages of OAuth/OIDC

Avoids sharing credentials, integrates easily, and improves user experience.

Mitigating OAuth/OIDC disadvantages

Use libraries like MSAL, leverage Azure AD or AD FS, and use short-lived tokens.

Ticket-Granting Ticket (TGT)

Proof of successful client authentication issued by the KDC.

Ticket Granting Service (TGS)

Issues service tickets in Kerberos.

Key Distribution Center (KDC)

A central server that manages authentication in Kerberos.

Mutual Authentication

Users and services authenticate each other.

Limited Ticket Lifetime

Each ticket has a limited lifespan controlled by admins.

Reusable Authentication

Allows users to authenticate without re-entering credentials.

Kerberos Security

Passwords are not sent over the network and secrets are encrypted.

Single Point of Failure (KDC)

If the KDC fails, authentication stops.

Multi-Factor Authentication (MFA)

Requires multiple verification factors for system access.

Microsoft Authenticator App

A mobile app that generates OTPs or approves sign-ins.

Hardware Tokens (MFA)

Physical devices like YubiKeys for MFA.

Biometric Authentication (Windows)

Uses facial recognition, fingerprint, or PIN for authentication.

Certificate-Based Authentication

Authenticates users, devices, or services using digital certificates.

Device Authentication (Certificates)

Verifies devices accessing corporate resources via VPN or Wi-Fi.

OAuth 2.0

Allows a user to grant limited access to their resources without sharing credentials.

Study Notes

Introduction

  • Types of authentication are discussed
  • Basic authentication is covered
  • An overview of NTLM protocol is given
  • Advanced authentication techniques are listed

Types of Authentication: Basic Authentication

  • This is the simplest and most direct authentication method
  • Users gain system or service access by providing a username and password
  • The client sends them in the Authorization header as a Base64-encoded username:password pair, which is encoding, not encryption
  • It does not require additional infrastructure or complex setups
  • It is widely supported across HTTP, FTP, and APIs
  • Every request includes the credentials, making it stateless
  • The server does not need to track a session

Basic Authentication

  • Simple setup and operation are the major advantage, making it easy to use
  • Works effectively with most HTTP clients and APIs
  • The stateless nature reduces server-side complexity
  • Credentials are only Base64-encoded, so they are exposed to interception over unencrypted channels
  • Credentials are valid indefinitely unless revoked; there is no expiry
  • Multi-factor authentication is not inherently supported
  • Replay attacks: attackers can reuse intercepted credentials unless the channel is protected by HTTPS
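
As an added example (not part of the original lesson), the following Python shows both sides of Basic authentication: how the client builds the Authorization header, how trivially anyone on the path recovers the credentials from it, and what a server should do before trusting it. The user name and password are the RFC 7617 example; the credential store, the PBKDF2 parameters and the `scheme` argument are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Constructed server-side store: keep a salted PBKDF2 hash, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"Aladdin": (_SALT, _pbkdf2("open sesame", _SALT))}  # RFC 7617 example user


def build_basic_header(username: str, password: str) -> str:
    """What the HTTP client sends: Base64 of 'user:pass'. Encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str) -> tuple[str, str]:
    """Recover the credentials from the header. Anyone who can read an
    unencrypted request can do exactly this, hence HTTPS-only."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    # RFC 7617: the user-id may not contain ':', so split on the FIRST colon;
    # the password itself may contain colons.
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password


def authenticate(header: str, scheme: str) -> bool:
    """Server-side check: refuse plaintext transport, then compare the
    derived hash in constant time so timing does not leak the result."""
    if scheme != "https":
        return False                       # never accept Basic over plain HTTP
    try:
        username, password = parse_basic_header(header)
    except ValueError:
        return False
    record = USERS.get(username)
    # Hash even for unknown users so timing does not reveal valid usernames.
    salt, stored = record if record else (_SALT, b"\x00" * 32)
    ok = hmac.compare_digest(_pbkdf2(password, salt), stored)
    return ok and record is not None


if __name__ == "__main__":
    hdr = build_basic_header("Aladdin", "open sesame")
    print(hdr)                              # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(parse_basic_header(hdr))          # the credentials fall straight out
    print(authenticate(hdr, "https"), authenticate(hdr, "http"))
```

The two things to take away are that `parse_basic_header` is all an eavesdropper needs, and that the server never has a reason to store the plaintext password even though it receives one on every request.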

Types of Authentication: NTLM protocol - 1

  • NTLM, or New Technology LAN Manager, is a Microsoft security protocol suite providing user authentication, integrity, and confidentiality
  • It is commonly found in legacy systems but is increasingly replaced by Kerberos in modern setups
  • Primarily operated in Windows environments to authenticate users and computers using a challenge/response mechanism
  • The authentication mechanism consists of three messages: negotiation, challenge from the server, and authentication message from the client

Types of Authentication: NTLM protocol - 2

  • NTLM comes with limitations
  • It relies on a single challenge-response exchange to establish the user's identity, with no built-in support for additional factors
  • Its password hashing is weak: the NT hash is an unsalted MD4 digest of the password, so captured hashes can be cracked offline or reused directly (pass-the-hash)
  • Its cryptography is outdated and does not use current algorithms to protect passwords

NTLM protocol Adv/Disadv

  • Passwords are not sent over the network in plaintext, which is better than Basic authentication
  • It offers compatibility with older Windows systems and legacy applications
  • Windows-integrated authentication lets clients use it automatically, without prompting for credentials
  • It does not authenticate the server to the client (no mutual authentication), which is what makes relay attacks possible
  • NTLM performance is less efficient than modern authentication protocols

Advanced Authentication Techniques

  • Microsoft recommends passwordless methods to provide a secure sign-in experience
  • Users can still sign in using common methods such as username and password
  • Passwords should be replaced with more secure authentication methods
  • Multifactor authentication adds another layer of security over password use alone
  • Credential Guard, Kerberos authentication, MFA, Certificate-Based Authentication, Pass-Through Authentication, OAuth and OpenID Connect are advanced authentication examples

Credential Guard

  • A Microsoft Windows OS security feature that isolates user login information from the rest of the OS
  • It is designed to prevent common credential theft attacks
  • Credential Guard was introduced in Windows 10 Enterprise and Windows Server 2016
  • It is enabled by default on systems running Windows 11, version 22H2 and later (on eligible Enterprise and Education editions)
  • It uses hardware-backed, virtualization-based security (VBS) together with an isolated Local Security Authority process (LSAIso) to store "secrets" such as credentials
  • The containers it uses are isolated, and OS cannot access them

Credential Guard - 1

  • Local Group Policy Editor is one way of enabling the feature

Credential Guard - 3

  • Win + R, then msinfo32.exe, opens System Information
  • System Summary lists the configuration; "Virtualization-based security Services Running" shows Credential Guard when it is active

Kerberos Authentication - 1

  • It is a network authentication protocol that sits between users and the services they access
  • It helps keep attackers out of a private network by requiring every user and service to prove its identity before access is granted
  • It authenticates users while preventing passwords from being sent over the network
  • It is integrated into popular operating systems
  • It is the default authentication protocol in Microsoft Windows domains (Active Directory)

Kerberos Authentication - 2

  • Symmetric key cryptography and a key distribution center (KDC) are used to authenticate and verify user identities
  • The KDC involves three items: a ticket-granting server (TGS), a database, and an authentication server (AS)
  • During authentication, Kerberos stores the ticket for each session on the end-user's device
  • A Kerberos-aware service looks for this ticket

Kerberos Authentication - 3

  • Components include the client, which initiates the service request on the user's behalf
  • The server hosts the service to which the user needs access
  • The AS performs client authentication and, if successful, issues a ticket-granting ticket (TGT), the user's authentication token
  • The KDC consists of the AS, the TGS, and the Kerberos database
  • The TGS issues service tickets

Kerberos Authentication - 4

  • A single point for tracking all logins and enforcing security policies gives administrators access control
  • Services and users authenticate each other (mutual authentication)
  • Ticket lifetime is controlled by administrators for each ticket
  • Reusable authentication lets the user stay authenticated for the ticket's lifetime without re-entering credentials
  • Security: passwords are not sent over the network, and secret keys are encrypted
  • The KDC is a single point of failure
  • Hosts' date and time must be synchronized within a predefined limit (5 minutes by default in Active Directory), or tickets and authenticators are rejected
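
An added example (not from the lesson) of the checks behind the last three bullets, as a Kerberos-aware service would apply them to an incoming AP-REQ: the ticket's validity window, the authenticator's client time against the service's own clock, and the replay cache that makes the timestamp check meaningful. The 5-minute skew limit is Active Directory's default; the 10-hour ticket lifetime, the controllable clock and the principal names are assumptions for the example. The error names are the RFC 4120 KRB_AP_ERR codes a real service returns.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_SKEW = 300               # seconds; Active Directory's default clock-skew tolerance
TICKET_LIFETIME = 10 * 3600  # assumed 10-hour service-ticket lifetime for this example


@dataclass
class ServiceVerifier:
    """The service's side of an AP-REQ. It never sees a password: it checks the
    ticket's validity window, the authenticator's ctime against its own clock,
    and a replay cache of (client, ctime, cusec) tuples already accepted."""
    now: Callable[[], float] = time.time
    seen: set = field(default_factory=set)

    def accept(self, ticket_start: float, ticket_end: float,
               client: str, ctime: float, cusec: int) -> tuple[bool, str]:
        now = self.now()
        if now > ticket_end:
            return False, "KRB_AP_ERR_TKT_EXPIRED"
        if now < ticket_start:
            return False, "KRB_AP_ERR_TKT_NYV"      # not yet valid
        if abs(now - ctime) > MAX_SKEW:             # clocks too far apart
            return False, "KRB_AP_ERR_SKEW"
        key = (client, ctime, cusec)
        if key in self.seen:                        # same authenticator presented twice
            return False, "KRB_AP_ERR_REPEAT"
        self.seen.add(key)
        return True, "OK"

    def purge(self) -> int:
        """Drop cache entries older than the skew window; a replay of those would
        fail the skew check anyway. Returns the number of entries kept."""
        now = self.now()
        self.seen = {k for k in self.seen if now - k[1] <= MAX_SKEW}
        return len(self.seen)


if __name__ == "__main__":
    clock = [1_700_000_000.0]                       # constructed, controllable clock
    svc = ServiceVerifier(now=lambda: clock[0])
    start, end = clock[0] - 60, clock[0] + TICKET_LIFETIME
    auth = ("alice@CORP.EXAMPLE", clock[0], 123456)
    print(svc.accept(start, end, *auth))            # (True, 'OK')
    print(svc.accept(start, end, *auth))            # replayed -> KRB_AP_ERR_REPEAT
    print(svc.accept(start, end, "bob@CORP.EXAMPLE", clock[0] - 600, 0))  # 10 min off -> SKEW
    clock[0] += TICKET_LIFETIME + 1
    print(svc.accept(start, end, "alice@CORP.EXAMPLE", clock[0], 1))      # TKT_EXPIRED
    print("cache entries after purge:", svc.purge())
```

The skew check and the replay cache only work together: without the cache, a captured authenticator is valid for the whole skew window; without the skew limit, the cache would have to grow forever.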

Multi-Factor Authentication - 1

  • The security mechanism requires two or more verification factors for system access
  • MFA can be implemented via Azure Active Directory, Windows Hello for Business, or third-party tools
  • Step 1: the user enters their username and password
  • Step 2: the user is prompted for a second factor such as a mobile app notification, an OTP, or biometrics
  • Step 3: once the second factor is validated, access is granted

Multi-Factor Authentication - 2

  • Windows supports several second-factor methods
  • A mobile app (Microsoft Authenticator) generates OTPs or approves sign-ins
  • Hardware tokens such as FIDO2 security keys (e.g., YubiKey) or smart cards
  • Biometric authentication using Windows Hello, which supports facial recognition, fingerprint, or PIN
  • One-time codes sent via text message or email
  • Push notifications (prompts sent to a registered device for approval)

Multi-Factor Authentication - 3

  • Enhanced security is the main advantage: it reduces reliance on passwords and mitigates risks from phishing and brute-force attacks
  • Multiple methods (biometrics, hardware keys) accommodate different user needs, giving users flexibility
  • It meets regulatory requirements and integrates easily with Azure AD and other Microsoft services
  • User resistance can be met with training; device availability and lost second-factor devices can be addressed with backup codes

Certificate-Based Authentication - 1

  • Authentication is achieved via digital certificates for users, devices, or services
  • Trusted Certificate Authorities (CAs) vouch for identity, so Windows environments need not rely on username and password combinations
  • The process: a trusted CA issues a digital certificate binding the identity to a public key; during authentication the client presents the certificate and proves possession of the matching private key
  • Finally, the server checks the certificate chain, validity period, and revocation status

Certificate-Based Authentication - 2

  • Certificates are used in user authentication by replacing passwords with smart cards
  • Devices are verified when accessing corporate resources via VPN or Wi-Fi
  • Web server authentication uses client certificates to securely access web applications or services
  • Email Encryption uses certificates with S/MIME to enable secure email communication

Certificate-Based Authentication - 3

  • Certificates are resistant to password-related attacks offering a high level of security
  • Secure communication is achieved between client and server
  • Using PKI and Group Policy for large-scale deployments enhances scalability
  • Compliance to regulatory requirements is achieved more easily through this
  • Automated tools ease Certificate management for issuance, renewal, and revocation
  • Virtual smart cards reduce reliance on hardware and device dependency
  • Update CRLs (Certificate Revocation Lists) regularly

OAuth and OpenID Connect - 1

  • They are modern authentication and authorization protocols
  • With OAuth 2.0, a user grants limited access to their resources on one system to another without sharing credentials
  • Key components include the Resource Owner, Client, Authorization Server, and Resource Server

OAuth and OpenID Connect - 2

  • The client requests authorization from the resource owner
  • The resource owner grants authorization, typically via a browser-based flow
  • The client exchanges the authorization code for an access token and uses the token to access protected resources

OAuth and OpenID Connect - 3

  • OIDC extends OAuth 2.0 by adding an identity layer
  • Clients can verify the identity of the end-user and obtain basic profile information via ID Tokens
  • A JWT (JSON Web Token) contains user identity information
  • Standard Scopes: includes openid, profile, and email for fetching user details
  • Authentication Context: Adds login-related information, such as time of authentication and authentication methods

OAuth and OpenID Connect - 4

  • The client sends an authorization request, including the openid scope
  • The authorization server authenticates the user.
  • An ID token and an access token are issued
  • The client uses the ID token to verify user identity and the access token for resource access
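
An added example, not from the lesson, of the last two steps above: the authorization server issuing an ID token and the client validating it before trusting the identity inside, including the authentication-context claims (auth_time, amr). It uses HS256 with a shared client secret so that it runs offline; tokens from Entra ID or AD FS are RS256 and would be checked against the issuer's published JWKS instead. The issuer URL, client id, secret and claims are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(client_secret: bytes, claims: dict) -> str:
    """Authorization-server side: sign the identity claims as a JWT (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, client_secret: bytes, issuer: str, client_id: str,
                      nonce: str, now: int) -> tuple:
    """Client side, per OpenID Connect Core 3.1.3.7: signature, iss, aud, exp and
    the nonce this client generated for the login. Returns (claims, "ok") or
    (None, reason). Only after "ok" may `sub` be treated as the signed-in user."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except (ValueError, binascii.Error):
        return None, "malformed token"
    if header.get("alg") != "HS256":            # pin the algorithm; never honour alg=none
        return None, "unexpected alg"
    expected = hmac.new(client_secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    if claims.get("nonce") != nonce:            # binds the token to this login attempt
        return None, "nonce mismatch"
    return claims, "ok"


if __name__ == "__main__":
    # Constructed values: issuer, client id, secret and user are made up.
    ISSUER, CLIENT_ID, SECRET = "https://login.example.test/", "my-client", b"constructed-client-secret"
    now = int(time.time())
    nonce = "n-1"                                # generated per login and kept in the client session
    claims = {"iss": ISSUER, "sub": "u123", "aud": CLIENT_ID, "iat": now, "exp": now + 300,
              "nonce": nonce, "auth_time": now - 5, "amr": ["pwd", "mfa"]}
    token = issue_id_token(SECRET, claims)
    verified, why = validate_id_token(token, SECRET, ISSUER, CLIENT_ID, nonce, now)
    print(why, verified["sub"], verified["auth_time"], verified["amr"])
    print(validate_id_token(token, SECRET, ISSUER, "other-client", nonce, now))  # (None, 'wrong audience')
```

The audience check is the one most often skipped: an ID token minted for another application at the same issuer carries a perfectly good signature, and without `aud` a client would accept it.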

OAuth and OpenID Connect - 5

  • OAuth 2.0 provides token-based access control to secure APIs
  • Single Sign-On is enabled with OIDC for seamless authentication
  • On-premises Active Directory is bridged with Azure AD
  • Third-Party App Integration allows secure access to services using OAuth/OIDC

OAuth and OpenID Connect - 6

  • Security: credentials are never shared across applications, which makes it more secure
  • Scales easily on-premises and in the cloud
  • Enables Single Sign-On for seamless user access, giving a better user experience
  • Widely adopted across platforms, so it is standardized
  • Managing tokens, token revocation, and integration complexity can be a challenge

Description

Explore the characteristics, vulnerabilities, and differences between basic and NTLM authentication methods. Understand the security concerns associated with each and when NTLM authentication is appropriate. Learn why migrating from NTLM to modern protocols is crucial for enhanced security.
