Kerberos versus NTLM: A Comparison of Authentication Protocols
NTLM’s Weaknesses
NTLM, the authentication protocol introduced by Microsoft in the 1990s, has several behaviors that make it a hacker’s paradise. First, it lacks password security, making it an easy target for attackers. Moreover, NTLM does not require a local connection to a Windows Domain, allowing users to authenticate without being connected to the network. This can be problematic when using a local account or when the intended target server is unknown.
Additionally, NTLM is an outdated protocol that was designed before Active Directory was introduced. As a result, it does not support modern cryptographic techniques, making its simple unsalted hashing system trivially easy to break and decode. This lack of security makes NTLM a less desirable choice for authentication.
Kerberos: A Secure Alternative
Kerberos, on the other hand, is a modern authentication protocol that is designed with security in mind. It is the default choice for authentication on Windows Server 2000 and later versions. Kerberos uses a two-part process that leverages a ticket granting service or key distribution center, making it secure by design.
Unlike NTLM, Kerberos is resistant to attacks and provides a more secure way to authenticate users. It is also more efficient than NTLM, as it only requires a single round-trip to the authentication server, rather than the three-way handshake used by NTLM.
Why NTLM Remains in Use
Despite its security weaknesses, NTLM remains in use due to its ease of implementation. Kerberos can be more complex to set up and configure, which can be a barrier to adoption. Additionally, NTLM is often used as a fallback authentication protocol when Kerberos fails, which can make it difficult to completely eliminate from use.
Furthermore, local users still make up a significant portion of NTLM usage, making it difficult to completely eliminate. Microsoft has stated that it will continue to support legacy security configurations, including NTLM, in order to accommodate these users.
Fallback to NTLM
Another reason NTLM remains in use is that it often serves as a fallback authentication protocol when Kerberos fails. For example, when using Remote Desktop Services, the protocol can often fall back to NTLM. This can make it difficult to completely eliminate NTLM from use.
Conclusion
In conclusion, Kerberos is a more secure and efficient authentication protocol than NTLM. While NTLM may remain in use due to its ease of implementation and fallback capabilities, it is essential to transition to Kerberos to ensure the security of your network.
FAQs
Q: What is the main difference between Kerberos and NTLM?
A: Kerberos is a more secure and efficient authentication protocol that uses a two-part process, while NTLM is an outdated protocol that lacks password security and supports.
Q: Why is NTLM still in use?
A: NTLM is still in use due to its ease of implementation and fallback capabilities. Additionally, local users still make up a significant portion of NTLM usage, making it difficult to completely eliminate.
Q: What are the security weaknesses of NTLM?
A: NTLM lacks password security and does not support modern cryptographic techniques, making its simple unsalted hashing system trivially easy to break and decode.
Q: Is Kerberos more secure than NTLM?
A: Yes, Kerberos is more secure than NTLM due to its use of modern cryptographic techniques and its two-part process.