RE: Windows NTFS Authentication Caching

From: Alex Collins (ALEX.COLLINS@INNOGY.COM)
Date: 11/02/01


Message-ID: <7B079BF69C9BD511AACD00A0244A645A39E517@trn2605.natpower.co.uk>
From: Alex Collins <ALEX.COLLINS@INNOGY.COM>
To: 'leon' <leon@inyc.com>, cstettler@gpu.com, security-basics@securityfocus.com
Subject: RE: Windows NTFS Authentication Caching
Date: Fri, 2 Nov 2001 10:16:21 -0000 

I believe Carol means that they have an NT Box running IIS as their
webserver.

IIS has been configured to require NT Challenge-Response Authentication, and
NOT to allow anonymous access or Basic HTTP authentication.

HTTPS is being used.

The question was whether logon information is cached on the home user's
machine.

My knowledge on this exact scenario is sketchy; I have never tried this
combination...
If the user is presented with a standard login box when they connect, this
will offer a "save password" box. If this is checked then the username /
password MUST be saved in some format.

As NT Challenge-Response is being used, the password is first converted to a
one-way hash. This hash is stored on the server. This is likely what is
stored on the client as it is obviously slightly more secure than a
plaintext password. The hash is then encrypted with the "challenge" sent by
the server; if the hash / challenge combos match on the server and client,
you are authenticated. This challenge should be unique and random -
generated for the HTTPS session you are logging in over.

For standard Windows 9x the passwords are stored IIRC in a *.pwl file in the
Windows directory. These can be recovered, and there are free utilities to
do this - some viruses do this and email the lists home...

If the password is stored in the hash form, it is non-recoverable. However
you can brute force it - generate hashes until the same hash is produced -
you then know the password. If it is stored in the pwl file then the hash,
or plaintext, can be recovered.

So it would be possible for someone to gain login information if the home PC
is compromised. However if the home PC is compromised, then it would be
easier to have a keysniffer running than waste time brute forcing a hash.
But users do use the same passwords for many things - one of the simple ones
for dialup etc in the pwl files may be their work password...

Alex Collins
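
The challenge-response exchange described in this message, as an added example that is not part of the original post: HMAC-SHA256 stands in for the NT hash and the NTLM response computation, and the `Server` class, the function names, the user name and the password are all constructed for illustration. It shows that a response is valid only for the challenge it was computed for, and that the client computes it from the stored hash alone, so a hash cached on the home PC needs the same protection as the password itself.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    # One-way hash of the password; this is what the server stores.
    # SHA-256 is a stand-in for the NT hash (assumption of this example).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # The client needs only the hash, never the plaintext password.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.accounts = {}  # username -> stored one-way hash
        self.pending = {}   # username -> outstanding challenge

    def enroll(self, user: str, password: str) -> None:
        self.accounts[user] = password_hash(password)

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(8)  # unique and random per logon
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # each challenge is single use
        stored = self.accounts.get(user)
        if challenge is None or stored is None:
            return False
        expected = client_response(stored, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    server = Server()
    server.enroll("carol", "constructed-Passw0rd")   # constructed credentials
    cached = password_hash("constructed-Passw0rd")   # what a client might cache
    first_response = client_response(cached, server.new_challenge("carol"))
    first = server.verify("carol", first_response)
    server.new_challenge("carol")
    replay = server.verify("carol", first_response)  # old response, new challenge
    wrong = server.verify(
        "carol", client_response(password_hash("guess"), server.new_challenge("carol")))
    return first, replay, wrong
```
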
