Advantages and disadvantages of the various techniques of Windows authentication

The familiar combination of username and password for logging in to an operating system or a service no longer offers sufficient protection against attackers, Trojans and other credential-stealing malware. Windows authentication can now be made considerably stronger with two-factor authentication.

Authentication is how a user proves their identity to an operating system such as Windows, a service or a network resource. The goal of a secure login is to make sure that the person logging in really is who they claim to be. A password suffices for a simple login; stronger mechanisms additionally verify identity with, for example, a token (something you have), a certificate or biometric data (something you are). Combining a password with a hardware token such as the one CosmoKey has developed is an instance of so-called two-factor authentication.

Windows is the most widely used operating system among both home users and businesses, so almost everyone comes into contact with Windows authentication. Microsoft has implemented an extensive architecture that supports protocols such as Kerberos, NTLM (NT LAN Manager) and Digest, as well as SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security), the security protocols familiar from the internet. Windows authentication built on this architecture gives users secure access to all the resources in a business they are authorised to use. Below is a short overview of the most important mechanisms used to authenticate people and services.

For authentication within an Active Directory domain, Kerberos is generally used. On Windows the Kerberos client is implemented as a Security Support Provider (SSP) and is accessed through the SSPI (Security Support Provider Interface), so applications do not have to speak the protocol themselves. It is worth noting that the initial authentication of a user is integrated directly into the Windows logon architecture, which provides single sign-on: a user who has logged on once does not have to authenticate again for each service or resource in the domain, because the Kerberos client uses the ticket obtained at logon to request a service ticket for each of them. The Key Distribution Centre (KDC) that issues these tickets runs as a service on every domain controller and is therefore tightly integrated with the other Windows security services, above all Active Directory itself.

The following should be noted: a logon over NTLM, even in its NTLMv2 variant, should no longer be considered secure and should be avoided wherever possible. Several years ago the developer Marsh Ray pointed out weaknesses in NTLMv2 in a talk at a USENIX conference: an attacker who can intercept the authentication exchange can forward it and use it for a logon of their own. NTLM never sends the password itself over the network; it is a challenge-response protocol in which the client proves knowledge of the password hash. That, however, does not protect it from so-called reflection and relay attacks, in which the attacker passes the challenge and response on to another server that accepts them, nor from attacks in which a stolen hash is used directly without the password ever being known.
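The two paragraphs above describe where Kerberos is used and why NTLM should be phased out; in practice the first question is which accounts and hosts still fall back to NTLM. The following PowerShell script is an added example written for this page, not code from the original article or from CosmoKey. It summarises Windows Security event 4624 ("An account was successfully logged on") records by the authentication package that was actually used, and reads the registry values behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies. The three logon records it processes are constructed for the example; the function names, the sample accounts and the addresses are assumptions.

```powershell
# Added example (not from the original article): find out which authentication
# package Windows actually used for recent logons, so that NTLM fallbacks can be
# located before NTLM is restricted, and show the registry values that control it.
# The three sample records below are constructed for this example; on a real host
# feed it Security event 4624 records from Get-WinEvent as shown at the end.

function Get-LogonPackageSummary {
    [CmdletBinding()]
    param(
        # XML strings as returned by $event.ToXml() for event ID 4624
        [Parameter(Mandatory)] [string[]] $EventXml
    )
    $records = foreach ($xmlText in $EventXml) {
        $xml = [xml] $xmlText
        $id  = $xml.Event.System.EventID
        if ($id -isnot [string]) { $id = $id.InnerText }   # element may carry attributes on real hosts
        if ([int] $id -ne 4624) { continue }

        $data = @{}                                          # Name -> value of every <Data> element
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject] @{
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = [int] $data['LogonType']             # 2 interactive, 3 network, 10 RDP ...
            AuthPackage = $data['AuthenticationPackageName']  # Kerberos, NTLM or Negotiate
            LmPackage   = $data['LmPackageName']              # LM / NTLM V1 / NTLM V2 when NTLM was used, else "-"
            Source      = $data['IpAddress']
        }
    }
    # Kerberos is what we want to see; any NTLM use deserves a look, and an LM or
    # NTLM V1 response means a client is falling back to the weakest variants.
    $records | Group-Object AuthPackage, LmPackage | ForEach-Object {
        $verdict = if ($_.Name -like 'Kerberos*')      { 'OK' }
                   elseif ($_.Name -like '*NTLM V1*') { 'Fix: NTLMv1 response observed' }
                   elseif ($_.Name -like '*NTLM V2*') { 'Review: NTLMv2 in use (relayable)' }
                   elseif ($_.Name -like 'NTLM, LM*') { 'Fix: LM response observed' }
                   else                               { 'Check' }
        [pscustomobject] @{ Package = $_.Name; Count = $_.Count; Verdict = $verdict
                            Accounts = ($_.Group.User | Sort-Object -Unique) -join ', ' }
    }
}

function New-Sample4624Xml {   # constructed test data mimicking the fields of a real 4624 record
    param($User, $Domain, $LogonType, $Package, $LmPackage, $Ip)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">$Domain</Data>
    <Data Name="LogonType">$LogonType</Data><Data Name="IpAddress">$Ip</Data>
    <Data Name="AuthenticationPackageName">$Package</Data><Data Name="LmPackageName">$LmPackage</Data>
  </EventData>
</Event>
"@
}

$sampleEvents = @(
    (New-Sample4624Xml -User 'alice'      -Domain 'CORP' -LogonType 3 -Package 'Kerberos' -LmPackage '-'       -Ip '10.0.0.15'),
    (New-Sample4624Xml -User 'svc-backup' -Domain 'CORP' -LogonType 3 -Package 'NTLM'     -LmPackage 'NTLM V2' -Ip '10.0.0.40'),
    (New-Sample4624Xml -User 'scanner'    -Domain 'CORP' -LogonType 3 -Package 'NTLM'     -LmPackage 'NTLM V1' -Ip '10.0.0.99')
)

function Get-NtlmHardeningState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $get = { param($Key, $Name) (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name }
    [pscustomobject] @{
        LmCompatibilityLevel         = & $get $lsa 'LmCompatibilityLevel'          # want 5: NTLMv2 only, refuse LM and NTLMv1
        NtlmMinClientSec             = & $get $msv 'NtlmMinClientSec'              # want 0x20080000: NTLMv2 session security, 128-bit
        NtlmMinServerSec             = & $get $msv 'NtlmMinServerSec'              # same value for the server side
        AuditReceivingNTLMTraffic    = & $get $msv 'AuditReceivingNTLMTraffic'     # 2 = audit all incoming NTLM first ...
        RestrictReceivingNTLMTraffic = & $get $msv 'RestrictReceivingNTLMTraffic'  # ... then 2 = deny all incoming NTLM
    }
}

Get-LogonPackageSummary -EventXml $sampleEvents | Format-Table -AutoSize
# Live use (run elevated on the server or domain controller): the last 5000 successful logons
# Get-LogonPackageSummary -EventXml (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 | ForEach-Object ToXml)
Get-NtlmHardeningState
```

On the constructed input the summary shows one Kerberos logon marked OK, one NTLMv2 logon to review and one NTLMv1 logon to fix. Interactive logons of domain accounts are recorded with the package name "Negotiate" and land in the "Check" bucket; that is expected and not an NTLM fallback. Audit incoming NTLM traffic for a while and clear every account in the NTLM buckets before setting RestrictReceivingNTLMTraffic, otherwise legacy services simply stop working.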

SSL/TLS is also used for secure authentication to web services. Anyone who visits their bank's website over an encrypted HTTPS connection is using this protocol. TLS provides not only an encrypted connection but also, by means of client certificates, a way to authenticate the client to a protected website; it is therefore also used, for example, for secure remote access to a company's databases. Care should be taken to use the newest version of TLS (1.2 at the time of writing; TLS 1.3 has since been standardised) and to disable SSL 2.0 and SSL 3.0, as well as TLS 1.0 and 1.1, which are now deprecated. Even the most sophisticated protocol, however, cannot help once a password has been stolen: the attacker simply logs in with it. It is better to employ an additional factor that cannot be spied on so easily.
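On Windows the protocol versions the paragraph above talks about are chosen by Schannel, and they are configured per protocol and per side (client and server) in the registry. The following PowerShell script is an added example for this page, not code from the original article; it lists the current state, shows the weak and the hardened configuration side by side, and, as the page's "client access" point, requires a client certificate on an IIS site. The function names, the site name "Default Web Site" and the use of `-WhatIf` to preview rather than apply the change are assumptions; remove `-WhatIf` and run elevated to apply, and reboot afterwards for Schannel to pick the values up.

```powershell
# Added example (not from the original article): show and correct the SSL/TLS protocol
# versions Windows' Schannel will negotiate. Each protocol has an "Enabled" and a
# "DisabledByDefault" DWORD per side under the Protocols key; changes need a reboot.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $SchannelProtocols "$protocol\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue   # $null when the key is absent
            [pscustomobject] @{
                Protocol          = $protocol
                Side              = $side
                # absent values mean "whatever this Windows version does by default"
                Enabled           = if ($null -ne $props.Enabled)           { $props.Enabled -ne 0 }           else { 'OS default' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault -ne 0 } else { 'OS default' }
            }
        }
    }
}

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)] [bool]   $Enable
    )
    foreach ($side in 'Client', 'Server') {
        $key    = Join-Path $SchannelProtocols "$Protocol\$side"
        $action = if ($Enable) { 'enable' } else { 'disable' }
        if ($PSCmdlet.ShouldProcess($key, $action)) {
            New-Item -Path $key -Force | Out-Null
            # Enabled = 1 / DisabledByDefault = 0 turns a protocol on; the inverse pair turns it off
            New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value ([int] $Enable)        -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int] (-not $Enable)) -Force | Out-Null
        }
    }
}

# Weak configuration, as found on many legacy hosts: SSL 3.0 and TLS 1.0/1.1 still negotiable.
# Hardened configuration: everything below TLS 1.2 off, TLS 1.2 explicitly on
# (TLS 1.3 is enabled by default where the OS supports it and is left alone here).
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enable $false -WhatIf }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true -WhatIf
Get-SchannelProtocolState | Format-Table -AutoSize

# Client-certificate authentication (mutual TLS) on an IIS site; needs the WebAdministration
# module and an elevated shell. The site name is an assumption for this example.
# Import-Module WebAdministration
# Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
#     -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslRequireCert'
```

Because the settings are per side, disabling a protocol on the Server side alone still leaves the host willing to speak it as a client, which is exactly the direction a downgrade attack against an outbound connection needs; the function therefore always writes both sides.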

The descriptions above show that a login requiring only a user name and password should no longer be considered truly secure. Instead, a second factor, external to the system, is needed to secure access further. This applies not only to older Windows versions but also to Microsoft's new Windows 10. Windows 10, too, can be operated much more securely with a hardware token such as the one CosmoKey offers. This modern two-factor authentication is not only secure but also user-friendly and cost-effective: current tokens are about the size of a car key and work at the press of a button.
