I am an IT auditor in my company and am having problems convincing our application development team not to rely on NT authentication as a matter of convenience for users. My argument is that the NT ID/password is meant to validate a user before allowing access to resources like file and print services, not for single sign-on to business applications. NT authentication is also a favorite target for hackers. My questions are the following:
1) How is allowing access to any application -- once someone is authenticated as a valid NT user -- different from the single sign-on solution?
2) Are NT passwords really that much easier to crack than passwords on other platforms? Is there any Web site I can refer to that compares OS passwords?
3) Is it the trend these days to rely on NT authentication? (i.e. Am I too paranoid over the use of NT passwords?)
Hope to get some advice soon. Thanks.
1) NT authentication can be used to allow or disallow access to a particular application. If that application has the proper hooks, it can use that same information to control access within the application. However, in many cases the applications have no such capability. Thus, this really isn't an "either/or" situation. Whether single sign-on is even possible really depends on how tightly an application is integrated with the underlying OS security mechanisms.
2) Prior to SP4 (Service Pack 4), Windows NT routinely used a LAN Manager hash along with the NT hash. The LAN Manager algorithms are significantly weaker than the NT algorithms and are used for backwards compatibility with Win98, Win95, Win 3.1 and even DOS. The two hashes were derived from the two halves of the NT password. An attacker could use the information gained from breaking the weaker LAN Manager password to break the stronger NT password hash. In an environment that is all NT and Win2K, it is possible to disable the LAN Manager passwords. See this Microsoft article.
3) You are not too paranoid over the use of passwords in general (not just NT). Users routinely pick poor passwords. You can use NT tools to set maximum and minimum password lengths, time between changes and other settings. You can also use the NSA guidelines for securing Windows NT. Check out their online info here. That NSA page also has guides for Win2K, WinXP, Cisco Routers and more. In addition, to increase security, you should consider alternative authentication systems such as those that use tokens (smart cards and other devices), public key certificates or biometrics. There are also third-party tools to help with the single sign-on problem.
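An auditor can check the answer's point about LAN Manager hashes directly against a hash dump. The LM hash is computed over the uppercased password padded to 14 bytes and split into two 7-byte halves, each used independently as a DES key to encrypt a fixed constant; so every account whose password is seven characters or fewer has the constant second half aad3b435b51404ee, and an account with no LM hash stored shows the all-empty value aad3b435b51404eeaad3b435b51404ee. The following script is an added example written for this page, not code from the original answer or from Microsoft. It parses pwdump-format lines (user:RID:LM hash:NT hash:::) and reports which accounts still expose an LM hash, which of those have a short password, and which have a blank password. The sample dump is constructed; the Administrator line uses the well-known hash pair for the password "password", and the other hashes are placeholders.

```python
"""Audit a pwdump-style dump for LAN Manager hash exposure.

Added example for this page; not from the original Q&A.  The pwdump
line layout and the three hash constants are real; the sample dump
below is constructed for illustration.
"""
import re

# LM hash of an empty 7-byte half (DES of the fixed constant under an
# all-zero key) and of the empty password as a whole.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
# NT hash (MD4 of the UTF-16LE password) of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample.  Administrator: well-known LM/NT hashes of "password".
# svc_backup and jdoe hashes are placeholders, not real digests.
SAMPLE_DUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdefaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def parse_pwdump(text):
    """Return a list of {user, rid, lm, nt} dicts from pwdump-format text.

    Some dump tools print a placeholder such as 'NO PASSWORD****...' instead
    of an LM hash; anything that is not 32 hex digits is normalised to the
    empty-LM constant so that it is treated as 'no LM hash stored'.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        lm = parts[2].strip().lower()
        nt = parts[3].strip().lower()
        if not HEX32.match(lm):
            lm = EMPTY_LM
        if not HEX32.match(nt):
            raise ValueError(f"bad NT hash for {parts[0]!r}: {parts[3]!r}")
        records.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return records


def assess(record):
    """Return the list of findings for one account, in a fixed order."""
    findings = []
    if record["nt"] == EMPTY_NT:
        findings.append("blank password")
    if record["lm"] != EMPTY_LM:
        # An LM hash is present: the password is crackable as two
        # independent, case-insensitive 7-character pieces.
        findings.append("LM hash stored")
        if record["lm"][16:] == EMPTY_LM_HALF:
            # Second half is the empty block, so only one 7-char piece
            # actually needs to be brute-forced.
            findings.append("password is 7 characters or fewer")
    return findings


def audit(text):
    """Map each user name in the dump to its findings."""
    return {rec["user"]: assess(rec) for rec in parse_pwdump(text)}


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_DUMP).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{user:15} {status}")
```

Run it against real pwdump output instead of SAMPLE_DUMP to get the list of accounts that must change their password after the LM hash storage is disabled, since disabling it only stops new LM hashes from being written; existing ones remain until the next password change.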
This was first published in June 2003