Re: Kerberos pre authentication question



Switching it off increases the risk of offline guessing of passwords.
Whether that risk is significant or not depends in part on your password
policy and the likelihood that someone on your network would attempt that. If
password complexity is required, users must use passwords of reasonable
length of, say, at least ten characters, and they need to change their
passwords periodically, that risk will be greatly reduced, and if the accounts
that it is disabled on do not include privileged accounts, that will be
better yet. The link below explains more. --- Steve

http://www.windowsitlibrary.com/Content/617/06/6.html

Kerberos preauthentication data
Preauthentication is a feature introduced in Kerberos version 5. With
pre-authentication data, a client can prove the knowledge of its password to
the KDC before the TGT is issued. In Kerberos version 4 anyone, including a
hacker, can send an authentication request to the KDC; the KDC doesn't care.
It doesn't even care about authenticating the client: Authentication is
completely based on the client's ability to decrypt the packet returned from
the KDC using its master key.

Preauthentication also lowers the probability for an offline
password-guessing attack. Without preauthentication data, it is easy for a
hacker to do an offline password-guessing attack on the encrypted packets
returned from the KDC. During an offline password-guessing attack a hacker
intercepts an encrypted packet, takes it offline, and tries to break it
using different passwords. (This is also known as a brute-force attack,
where a hacker tries out different keys [in this case passwords] to decrypt
a packet until he or she finds the right key that decrypts the packet in
cleartext.) To augment his chances, a hacker can even send out a dummy
request for authentication; each time he or she will get back another
encrypted packet, which means the hacker gets another chance to do a
brute-force attack on the encrypted packet and to guess the user's master
key.

In a regular logon session the preauthentication data consist of an
encrypted time stamp. When logging on using a smart card, the
preauthentication data consist of a signature and the user's public key
certificate. In Windows 2000 preauthentication is the default. An
administrator can turn it off using the Don't require Kerberos
preauthentication check box in the account options. This might be required
for compatibility with other implementations of the Kerberos protocol.
Preauthentication affects the content of a ticket: every ticket contains a
special flag to indicate the use or non-use of preauthentication.



"Andy123" <Andy123@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:59D3AD19-1020-4ECA-AD95-F3C32A0CCA58@xxxxxxxxxxxxxxxx
Hi, can anyone help me on this one?
What are the security risks of switching off Kerberos pre authentication?
The reason for this question is that our VPN3000 concentrator does not
support pre authentication.
However, before we go switch off pre auth I would like to get your view on
the risks, if any?
--
Thanks
Andy
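
An added example, not part of the original thread or the quoted article: a Python audit that lists enabled accounts with "Do not require Kerberos preauthentication" set (userAccountControl bit 0x400000) and marks the two aggravating factors the reply names, privileged accounts and passwords that are not changed periodically. The CSV column layout, the 90-day threshold and the sample accounts are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x00000002        # userAccountControl bit: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # bit set by "Do not require Kerberos preauthentication"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export (not real accounts); pwdLastSet is a Windows FILETIME.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl,adminCount,pwdLastSet
jsmith,512,,133616736000000000
vpn-svc,4194816,,133616736000000000
old-admin,4194816,1,133485408000000000
retired,4194818,1,133485408000000000
"""

def filetime_to_datetime(ticks):
    """Convert 100 ns ticks since 1601-01-01 (pwdLastSet) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def audit_preauth(csv_text, now, max_password_age_days=90):
    """Return [(account, [aggravating factors])] for enabled accounts without preauth."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        if not (uac & UF_DONT_REQUIRE_PREAUTH) or (uac & UF_ACCOUNTDISABLE):
            continue  # preauth still required, or account cannot log on
        factors = []
        if int(row["adminCount"] or 0) == 1:  # protected-group marker; may be empty
            factors.append("privileged (adminCount=1)")
        ticks = int(row["pwdLastSet"] or 0)
        if ticks == 0:
            factors.append("pwdLastSet is 0 (must change at next logon or never set)")
        else:
            age = (now - filetime_to_datetime(ticks)).days
            if age > max_password_age_days:  # assumed threshold, tune to your policy
                factors.append(f"password is {age} days old")
        findings.append((row["sAMAccountName"], factors))
    return findings

if __name__ == "__main__":
    as_of = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed date so output is stable
    for account, factors in audit_preauth(SAMPLE_EXPORT, as_of):
        print(account, "-", "; ".join(factors) or "preauth disabled, no aggravating factors")
```

An account listed with no factors, such as the constructed `vpn-svc` entry, is the lower-risk case the reply describes; it still depends on password length and complexity, which this export cannot show.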

