An Introduction to NTLM (NT LAN Manager) and an Overview
LM\NTLM has been used as an authentication protocol in the Windows family since the beginning. Let's walk back to get a clear picture of its evolution.
1. LM (LAN Manager)
This was the first of the secured versions of the authentication protocols used by the Windows family, since Windows 95 and 98. However, this version is rarely used now and is considered one of the least secure of its type.
2. NTLM Version 1 – A better version of LM, available with Windows NT and above. An authentication protocol considered more improved and secure than LM, since it closed major security flaws present in LM.
3. NTLM Version 2 – The most secure version in its family, currently supported by Windows NT with SP4 and all later versions of the Windows operating system.
*Windows Server 2008 and Vista use NTLMv2 as a fallback authentication when a client cannot authenticate using Kerberos.
By default, all three versions of NTLM are available in the Active Directory domain environment, so as to provide the service to down-level clients.
Let me give you a logical overview of how NTLM typically works.
Scenario 1 – Logon to your desktop or server.
• When you enter your credentials in the logon window, Winlogon uses the GINA to send this logon information to the Local Security Authority (LSA) for processing.
*The GINA is a DLL module that operates in the security context of Winlogon. Winlogon loads the GINA early in the boot process; %windir%\System32\Msgina.dll is the default GINA, and it can be replaced to support specific and unique authentication methods.
• The LSA uses the local computer's SAM (System Account Manager) database if the account and target name are identified as the local computer. In an Active Directory domain scenario, the LSA uses the Netlogon service to query the domain SAM on the DC.
*The LSA (%windir%\System32\lsass.exe) is a protected security subsystem that helps create secure user interactions in Windows.
*The SAM stores information about local user accounts in the Windows registry. Passwords in the SAM are encrypted by the NTLM authentication package; the outcome of the encryption is a hashed password transformed into ciphertext. NTLM uses the same algorithm to encrypt and decrypt a user's password.
• Once the logon information is identified as correct, the SAM sends an acceptance message to the LSA containing the user account's SID and the SIDs of all groups associated with that account. Using this information, the LSA creates an access token.
• Winlogon then starts the user interface and attaches that token to all the current processes (except those created using Run As to run under a separate security account).
Scenario 2 – The NTLM process when accessing a shared resource.
1. The user tries to access the shared resource using their credentials. The client sends this username along with the request to the server (on which the resource resides).
2. The server generates a 16-bit random number called the challenge and sends it to the client.
3. The client sends an encrypted response back to the server.
4. The server sends the user name, the original challenge, and the response from the client computer to the domain controller.
5. The domain controller compares the challenge and response to authenticate the user. If they match, the domain controller sends the server confirmation that the user is authenticated.
6. Assuming valid credentials, the server grants the client access to the requested service or resource.