RE: NTLM Authenthication,

[Shaon Diwakar <shaon.diwakar () yahoo com au>]

Hi, 

I'd agree with Eric here; on previous penetration
tests I have seen applications solely using NTLM
authentication.

However as both Eric and Amit have pointed out, the
ideal situation would require that the application
uses NTLM authentication in addition to typical forms
based log-on.

While NTLM is good to use as another control
mechanism, it is possible to spoof another user
(assuming that you have knowledge of their LAN
ID/Pass) using proxies like Burp and thus gaining the
privileges/access rights of that user.

It could be better to have the application using some
type of interface to AD in its business logic as
opposed to using NTLM as the primary method of access
control. 

Cheers,
sHz


--- "McCarty, Eric C." <emccarty () er ucsd edu> wrote:

> This is a pretty common method for access control.
> Using integrated
> authentication such as active directory you can
> avoid maintaining
> multiple user account databases. In addition you can
> reduce
> administrative overhead by assigning access based of
> accounts you are
> already familiar with.
>
> I imagine there is some type of persistent token
> that the user receives
> such as a session ID that would keep the App from
> re-applying
> authentication logic to each page. For example you
> create groups within
> the application that you add NT Users to, (Admins,
> Power Users, Users,
> etc.) that dictate level of access within the
> application. Once
> authenticated the app provides some token to keep
> this access persistent
> within the application.
>
> It would only be traffic intensive if it
> re-authenticated every page,
> this would be slower, yes, but not significantly
> unless it was a heavy
> usage application with slow DC's. 
>
> Eric McCarty
> CISSP, CISA, Security+, MCSE ....
>
>
> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com]
> On Behalf Of IRM
> Sent: Wednesday, February 28, 2007 4:58 AM
> To: webappsec () securityfocus com
> Subject: NTLM Authenthication,
>
> Dear all,
>
> On my Web Pen test, I have seen one application that
> relies on the NTLM
> Auth for the authorization. The thing is I have seen
> many people rely on
> the NTLM Authentication to segregate access at the
> file level but not at
> the business logic level. 
>
> So yesterday, I have seen one application that uses
> NTLM authorization
> to segregate user access at the business logic
> layer.
>
> What I mean by that is that instead of using cookies
> and session ID, 
> Say that test.ASP has menu A, B and C.
>
> User X can access Menu A, B and C on and the
> test.ASP
> And 
> User Y can access Menu A, B on the test.ASP by using
> NTLM Authentication
> for the authorization.
>
> I would have thought that this provides more secure
> environment compared
> to the form authentication by cookies, etc. As for
> accessing the pages
> it will do challenge response thingy...  However, I
> think the down side
> for this app is that it will be traffic intensive
> and it is not good
> design for traffic intensive application especially
> when the bandwidth
> is an issue.
>
> Any Thought About this particular design?
------------------------------------------------------------------------
> -
> Sponsored by: Watchfire
>
> The Twelve Most Common Application-level Hack
> Attacks
> Hackers continue to add billions to the cost of
> doing business online 
> despite security executives' efforts to prevent
> malicious attacks. This 
> whitepaper identifies the most common methods of
> attacks that we have
> seen, 
> and outlines a guideline for developing secure web
> applications. 
> Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHe
>
------------------------------------------------------------------------
> --
-------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> The Twelve Most Common Application-level Hack
> Attacks
> Hackers continue to add billions to the cost of
> doing business online
> despite security executives' efforts to prevent
> malicious attacks. This
> whitepaper identifies the most common methods of
> attacks that we have seen,
> and outlines a guideline for developing secure web
> applications.
> Download today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHe
>
--------------------------------------------------------------------------
>


-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in 
the development of any web application. What methodology should be 
followed? What tools can accelerate the assessment process? 
Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHK
--------------------------------------------------------------------------