Is there a security concern exposing NTLM authentication over http or should it only be https?
We are setting up a SharePoint 2010 site. Don't worry, this is not a Sharepoint question, just adding it for context. Most of the site will be anonymous, but some users are able to authenticate in and edit content. They use NTLM (users exist in AD). Is there any concern about exposing NTLM login for users that can modify content over the internet via http or should that only be exposed via https?
security active-directory http https
asked May 5 '11 at 13:05 by Shane

Comments on the question:
grawity (May 5 '11 at 13:37): FYI, NTLM is deprecated. Microsoft recommends Kerberos instead (which is safe to use over plaintext protocols).
KJ-SRS (May 5 '11 at 14:07): And to add to what @grawity said, any users behind certain proxies and filters (squid is one I know of for sure) won't be able to log in with NTLM authentication.
grawity (May 5 '11 at 14:13): And before you ask, one can use Kerberos over HTTP, and SharePoint supports it.
Shane (May 5 '11 at 14:33): More clarification, we are using NTLMv2.
Evan Anderson (May 5 '11 at 14:43): @KJ-SRS: As long as a proxy supports HTTP/1.1 it won't present a problem using NTLM authentication.
3 Answers
Answer by Evan Anderson (answered May 5 '11 at 14:42):
You won't be exposing credentials in cleartext using NTLM over HTTP. You will be exposing everything else, so your data won't be secure from confidentiality or integrity breaches (eavesdropping or modification of the data "in flight").

Shane (May 5 '11 at 14:52): That's okay, this is a public anonymous site. The only reason we need authentication is because it is a CMS, so certain users that have rights to edit content are able to log in via NTLMv2.
Answer by Marcin (answered May 5 '11 at 14:03):
I don't know a thing about Sharepoint, but the generic approach to it would be to put a sniffer on it. If you can see the passwords or their hashes being passed, then it's bad. If you can't see it, then you need to look into it some more; it still might be lightly obfuscated (base64 encoding or something like that).

grawity (May 5 '11 at 14:10): "If you see it, it's bad" doesn't always apply. NTLM v2 is a challenge/response protocol, supposed to remain secure even in this case (the password hash sent cannot be reused). On the other hand, authentication mechanisms very often have subtle flaws unnoticeable through simple visual grep of packets. (You cannot see the difference between a chunk of AES ciphertext and a chunk of XOR ciphertext.)
Marcin (May 5 '11 at 14:55): 'If you see it, it's bad' is true. 'If you don't see it, then it's good' is not necessarily true, however. With challenge/response protocols you gotta study the protocol of what is being asked and how the response is generated, then see if you can obtain all the necessary information. en.wikipedia.org/wiki/NTLM#NTLMv2 has the details of what gets used. Time can be closely estimated, user and domain names can be determined, so the only truly random bit is the 8-byte random nonce, so that can probably be guessed in not too many tries.
Answer by AardvarkSoup (new contributor, answered 6 mins ago):
NTLM over plain HTTP is insecure. Attackers that passively sniff traffic or who perform a man-in-the-middle attack can use various methods to steal or abuse credentials. For example:
- NTLM relay attacks: when a user thinks they are authenticated to SharePoint, the attacker can instead forward the NTLM challenge of some other service (like Outlook/Exchange or an SMB share) in the domain, and gain access to that as well. Even when the second service is using HTTPS!
- Offline dictionary attacks: after observing an NTLM challenge and response, an attacker can recompute the exchange for some password P. When it matches, it means P was the user password. The attacker can keep trying P's until the password is found. The effectiveness of this attack depends on password strength, but by using standard tools, a good dictionary and some GPU acceleration, even moderately complex passwords can be cracked.
- Session hijacking: an attacker who is just interested in SharePoint can also simply ignore the NTLM exchange and take over the users' SharePoint session (e.g. by stealing cookies or injecting JavaScript). This gives them the same read/write access as the user.
- Website spoofing: an attacker can show a fake login screen asking for AD credentials. Since users probably trust SharePoint, it's not unlikely they would fill them in and thus provide the attacker with a plaintext password.
- NTLMv1 downgrade: depending on the client configuration, an attacker may be able to get them to perform an NTLMv1 handshake. This has all the cryptographic weaknesses of NTLMv2 (i.e. vulnerability to dictionary and relay attacks) but after cracking a single DES key (pretty cheap and fast nowadays) it gives them access to the users' raw NT hash. A dictionary attack against this is far more efficient. Furthermore, this value can be used for a pass-the-hash attack, allowing the attacker to log in as the user (against most services) without a password.
Bottom line: treat NTLM authentication the same as authentication with plaintext credentials. In this case, this means you should use HTTPS if you want to protect against attackers on your network.
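Marcin's answer suggests putting a sniffer on the exchange and checking what is visible, and AardvarkSoup's answer explains why an observable NTLM challenge/response over plain HTTP should be graded like plaintext credentials. The following script is an added example (not code from this thread, from SharePoint, or from Microsoft) that turns both points into a repeatable audit check for your own captured traffic: it parses a raw HTTP 401 response and the client's authenticating request, identifies the offered and used schemes (Basic, NTLM, Negotiate), recognises NTLMSSP tokens by their "NTLMSSP\0" signature and message-type field, and emits findings that depend on whether the URL scheme was http or https. The sample request/response text, the host name intranet.example.com, the user name, and the minimal zero-filled NTLMSSP tokens are all constructed for the demonstration; the finding codes are this example's own naming.

```python
"""Audit one HTTP auth exchange for credential exposure (added example, not from the thread)."""
import base64
import struct
from typing import NamedTuple


class Finding(NamedTuple):
    code: str
    detail: str


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """(lower-cased name, value) pairs from a raw HTTP request or response head."""
    headers = []
    for line in raw.split("\r\n")[1:]:      # index 0 is the request/status line
        if not line:
            break                           # blank line terminates the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def header_values(headers: list[tuple[str, str]], name: str) -> list[str]:
    return [value for key, value in headers if key == name]


def ntlm_message_type(token_b64: str):
    """Type (1 negotiate, 2 challenge, 3 authenticate) of an NTLMSSP token, else None.

    Per MS-NLMP every message starts with the 8-byte signature "NTLMSSP\\0"
    followed by a little-endian 32-bit MessageType.
    """
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def audit_exchange(url_scheme: str, request_raw: str, response_raw: str) -> list[Finding]:
    """Grade a 401 response plus the client's authenticating request."""
    plaintext = url_scheme.lower() != "https"
    findings: list[Finding] = []

    # What the server offers: WWW-Authenticate "<scheme> [data]" (data may be a Type 2 token).
    offered = {}
    for value in header_values(parse_headers(response_raw), "www-authenticate"):
        scheme, _, data = value.partition(" ")
        offered[scheme.lower()] = data.strip()

    if "basic" in offered and plaintext:
        findings.append(Finding("BASIC_OVER_PLAINTEXT",
                                "Basic sends user:password base64-encoded; base64 is encoding, not encryption"))
    ntlm_offered = "ntlm" in offered or ntlm_message_type(offered.get("negotiate", "")) is not None
    if ntlm_offered:
        findings.append(Finding("NTLM_OFFERED",
                                "NTLM is deprecated; prefer Kerberos via Negotiate where clients support it"))
        if plaintext:
            findings.append(Finding("NTLM_OVER_PLAINTEXT",
                                    "challenge and response are observable: offline guessing of the "
                                    "response and relay to other domain services; treat as plaintext "
                                    "credentials and serve the authenticated part over HTTPS"))
    if "negotiate" in offered and ntlm_message_type(offered["negotiate"]) is None:
        findings.append(Finding("KERBEROS_POSSIBLE",
                                "Negotiate offered: a Kerberos ticket exchange exposes no password-derived value"))

    # What the client actually sent in Authorization.
    for value in header_values(parse_headers(request_raw), "authorization"):
        scheme, _, token = value.partition(" ")
        scheme = scheme.lower()
        if scheme == "basic" and plaintext:
            user = base64.b64decode(token).decode("utf-8", "replace").split(":", 1)[0]
            findings.append(Finding("BASIC_CREDENTIALS_VISIBLE",
                                    f"credentials of '{user}' readable by anyone observing this request"))
        elif scheme in ("ntlm", "negotiate") and ntlm_message_type(token) == 3 and plaintext:
            findings.append(Finding("NTLM_RESPONSE_VISIBLE",
                                    "Type 3 message carries the NTLMv2 response; an observer now holds "
                                    "both challenge and response for offline guessing"))
    return findings


def codes(url_scheme: str, request_raw: str, response_raw: str) -> list[str]:
    return [f.code for f in audit_exchange(url_scheme, request_raw, response_raw)]


def make_ntlm_token(msg_type: int) -> str:
    """Constructed minimal NTLMSSP message (signature, type, zeroed fields); not a real handshake."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + bytes(20)).decode()


# Constructed sample traffic for the demonstration (not captured from any real system).
NTLM_401 = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n"
            "WWW-Authenticate: Negotiate\r\nContent-Length: 0\r\n\r\n")
BASIC_401 = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"SharePoint\"\r\n"
             "Content-Length: 0\r\n\r\n")
REQ_TYPE3 = ("GET /_layouts/settings.aspx HTTP/1.1\r\nHost: intranet.example.com\r\n"
             f"Authorization: NTLM {make_ntlm_token(3)}\r\n\r\n")
REQ_BASIC = ("GET /_layouts/settings.aspx HTTP/1.1\r\nHost: intranet.example.com\r\n"
             "Authorization: Basic " + base64.b64encode(b"alice:correct-horse").decode() + "\r\n\r\n")

if __name__ == "__main__":
    for label, scheme, req, resp in [("NTLMv2 over http", "http", REQ_TYPE3, NTLM_401),
                                     ("NTLMv2 over https", "https", REQ_TYPE3, NTLM_401),
                                     ("Basic over http", "http", REQ_BASIC, BASIC_401)]:
        print(label)
        for f in audit_exchange(scheme, req, resp):
            print(f"  [{f.code}] {f.detail}")
```

Feed it the head of a request/response pair exported from your own capture (Wireshark "Follow TCP stream" text works once split at the blank line) together with the URL scheme the client used; the http case yields NTLM_OVER_PLAINTEXT and NTLM_RESPONSE_VISIBLE while the same exchange over https does not, which is exactly the distinction the accepted reasoning in this thread draws.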