S 2.412 Authentication protection when using Active Directory
Initiation responsibility: Head of IT
Implementation responsibility: Administrator
The Active Directory acts as a central component in the network. In order to be able to guarantee trusted communication between the affected subscribers in the network, it is necessary to ensure the security and reliability of the authentication and authorisation procedures used to access network resources.
In order to give Active Directory authentication the highest possible level of protection, LAN Manager authentication should be disabled and the Server Message Block (SMB) data traffic between the domain controllers, and between the domain controllers and the computers in the domain, should be signed. Furthermore, any pre-Windows 2000 compatible access should be disabled and anonymous access to the domain controllers should be restricted.
A high level of security can only be attained if all domain controllers, member servers, and workstations support the NTLMv2 (NT LAN Manager Version 2) authentication protocol. NTLMv2 is available by default in Windows NT 4.0 SP4 and higher (see also S 5.123 Securing network communication under Windows). Older authentication protocols from earlier versions of Windows only offer a low level of security. The LAN Manager authentication protocol (LM), for example, stores the account passwords in an insecure LM hash format. The passwords for the Windows NT LAN Manager (NTLM) and NT LAN Manager Version 2 (NTLMv2) authentication protocols are stored using the NTLM hash format. The NTLM hash is cryptographically stronger than the LM hash format.
The SMB protocol forms the foundation for sharing files and printers in Microsoft Windows, as well as for many other network operations such as the remote administration of Windows. To prevent man-in-the-middle attacks (see T 5.143 Man-in-the-middle attack), in which SMB packets are altered during transmission, for example, the SMB protocol supports digital signing of SMB packets.
Some operating systems and applications that were developed for Windows operating systems before the release of Windows 2000 require anonymous access to other servers and domain controllers, e.g. the spooler service in Windows NT 4.0 requires anonymous access to remote printers. Anonymous access is also needed to configure trust relationships between Windows NT 4.0 domains and Windows 2000 domains. In order to obtain the highest level of security possible, anonymous access to domain controllers and to the Active Directory data should be strictly prohibited.
These steps may cause disruptions to the operation of the network when earlier versions of the Windows client and server operating systems are used, e.g. Windows 95, Windows 98, Windows Millennium Edition, and Windows NT 4.0, since these versions do not support the safeguards mentioned above, or only to a limited extent. For this reason, and for availability reasons, it is not always possible to disable the insecure LAN Manager authentication, to sign the SMB data traffic, and to prohibit anonymous access to domain controllers. In such cases, the requirements of the services and programs that need anonymous access for their operation must be weighed against the security advantages of the safeguards. The decisions made must be documented along with any residual risks and signed off by the Head of IT.
If the server environment consists of different Windows operating systems, the security recommendations described in safeguard S 4.314 Secure policy settings for domains and domain controllers must be adapted accordingly so that they are compatible with the earlier versions of Windows.
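As an added audit example (not part of the BSI safeguard text), the following PowerShell script reads the local registry values behind the settings discussed above and reports whether each matches the hardened state. The registry paths and value names are the standard Windows security policy locations; the expected values reflect the safeguard's recommendations, and the display names are this example's own wording.

```powershell
# Added example (not from BSI S 2.412): audit the local effective settings for
# NTLMv2-only authentication, SMB signing and anonymous access restrictions.
# Run in an elevated session on a domain controller or member computer; in a
# domain these values are normally set by Group Policy.
$checks = @(
    # Network security: LAN Manager authentication level; 5 = send NTLMv2 only,
    # refuse LM and NTLM
    @{ Name = 'LmCompatibilityLevel (NTLMv2 only, refuse LM/NTLM)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 },
    # Do not store the weak LM hash of account passwords
    @{ Name = 'NoLMHash (do not store LM hash)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'; Expected = 1 },
    # SMB signing required on the server (LanmanServer) side
    @{ Name = 'SMB server: RequireSecuritySignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    # SMB signing required on the client (LanmanWorkstation) side
    @{ Name = 'SMB client: RequireSecuritySignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    # No anonymous enumeration of SAM accounts and shares
    @{ Name = 'RestrictAnonymous (no anonymous enumeration)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RestrictAnonymous'; Expected = 1 },
    @{ Name = 'RestrictAnonymousSAM (no anonymous SAM enumeration)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RestrictAnonymousSAM'; Expected = 1 },
    # Everyone permissions must not apply to anonymous users
    @{ Name = 'EveryoneIncludesAnonymous (Everyone excludes Anonymous)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'EveryoneIncludesAnonymous'; Expected = 0 }
)

$results = foreach ($c in $checks) {
    # A missing value means the OS default applies; report it as unreviewed
    # rather than silently treating it as compliant.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $shown  = if ($null -eq $actual) { '<not set (OS default)>' } else { $actual }
    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Setting = $c.Name; Expected = $c.Expected; Actual = $shown; Status = $status }
}
$results | Format-Table -AutoSize
```

Any row marked REVIEW corresponds to one of the review questions below and should be either corrected via policy or covered by a documented, signed-off exception as described above.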
Review questions:
- Is the NTLMv2 authentication protocol used consistently in the Active Directory environment?
- Has LAN Manager authentication been disabled and is the SMB data traffic signed?
- Are anonymous accesses to the domain controllers prohibited?