Network Authentication in Windows 2000

Although Windows 2000 provides support for several authentication methods, only NTLM and Kerberos authenticate network users. Other methods authenticate dial-in users and users who access the network over the Internet, such as those accessing a Web or File Transfer Protocol (FTP) site.

The two supported network authentication methods in Windows 2000 are:

  • NTLM  Windows NTLM was the default network authentication protocol in Windows NT 4.0 and can be used, by default, by all legacy Windows clients. While support for NTLM is provided in Windows 2000 to enable authentication for legacy clients, it is not the recommended authentication protocol.

  • Kerberos v5  The Kerberos protocol was created in the late 1980s by a team of engineers at the Massachusetts Institute of Technology (MIT) and is widely accepted as the de facto standard for network authentication. Kerberos was originally designed for use on UNIX networks, but Microsoft included support for it in Windows 2000, following the specifications outlined in RFC 1510. Kerberos is the recommended network authentication protocol in pure Windows 2000 environments, due to its superior features as compared to NTLM.

By default, Kerberos is used for all network authentications in Windows 2000, except in the following situations:

  • Windows 3.x, Windows 9.x, and Windows NT computers use NTLM for network authentication in Windows 2000 domains

  • Windows 2000 computers use NTLM when authenticating to Windows NT 4.0 servers

  • Windows 2000 computers use NTLM when accessing resources in Windows NT 4.0 domains

  • Logging in locally to a Windows 2000 computer, where authentication is performed against the local Security Accounts Manager (SAM) instead of the Active Directory database

NTLM

NTLM is the mainstay of Windows NT and was once considered a relatively strong protocol. However, NTLM has several disadvantages compared to Kerberos:

  • Authentication with NTLM is slower.

  • NTLM performs one-way authentication only, which allows server spoofing.

  • NTLM trusts are one-way and non-transitive and thus harder to manage.

  • NTLM is proprietary and incompatible with non-Microsoft networks.

However, NTLM is necessary for establishing trusts with NT domains and for authenticating down-level NT clients. LAN Manager (LM) is used for authenticating Windows 3.x and Windows 9.x clients. By default, Windows 2000 is installed in mixed mode, meaning it can use any combination of Windows NT 4.0 and Windows 2000 domain controllers. After upgrading all of their computers (domain controllers and clients) to Windows 2000, security analysts can disable LM and NTLM authentication, thereby increasing their overall authentication security.

Note 

Windows 95, Windows 98, and Windows NT 4.0 clients running the directory services client (dsclient.exe) can use NTLMv2 for authentication. The Windows 9.x directory services client is located in the clients\win9x folder on the Windows 2000 Server CD-ROM. The Windows NT 4.0 directory services client can be downloaded from http://support.microsoft.com/default.aspx?scid=KB;en-us;288358. Microsoft has not produced a version of the dsclient specifically for Windows Me and does not support using the dsclient on Windows Me.

Kerberos

Kerberos is the default network authentication method in Windows 2000 because it is more secure, flexible, and efficient than NTLM. Using Kerberos instead of NTLM provides the following benefits to networks:

  • Increased Efficiency  When using NTLM for network authentication, each network resource must contact a domain controller to authenticate each client. When Kerberos is used, the network resource no longer needs to contact the domain controller because the client presents all of the identifying information required when resource access is requested. Additionally, clients receive identification of a network resource the first time they access it during a logon session, and store the information for the rest of that logon session.

  • Mutual Authentication  NTLM allows clients to be identified by the network resources they are attempting to access; however, it does not provide for identification of the network resource by the client. Additionally, NTLM does not provide a means for one network resource to verify the identity of another network resource. NTLM assumes that all servers are legitimate and authorized, leaving a large security gap for an attacker to take advantage of. In contrast, Kerberos assumes all communications occur over an untrusted network, ensuring that both sides of a connection are authenticated to each other.

  • Delegation of Authentication  Kerberos includes a proxy mechanism that allows a server to act as the client when connecting to a back-end server in a multitiered server arrangement. There is no provision for this in NTLM.

  • Simplified Trusts  In NTLM, an administrator has to manually configure a complex series of one-way non-transitive trusts between Windows NT domains within an organization. Kerberos simplifies this task by automatically creating two-way transitive trusts between root domains in a forest and between a parent and child domain. With this arrangement, the security credentials of any security authority (the Key Distribution Center [KDC]) in any location in the domain are accepted throughout the rest of the domain automatically. In cases where more than one domain exists, the same holds true for the entire forest.

  • Compatibility  Many operating systems rely on Kerberos v5 for network authentication. Compatibility is assured as long as the connecting operating systems are fully Kerberos v5-compliant (Windows 2000 is). NTLM is not compatible with any non-Windows operating system.
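The two points made about NTLM above (one-way authentication that permits server spoofing, and the resource's dependence on the domain controller for every logon) and their Kerberos counterparts (mutual authentication and self-contained tickets) are easiest to see side by side. The following simulation is an added example, not code from the study guide or from Microsoft: it models a simplified challenge/response exchange and a simplified Kerberos AP exchange using a toy authenticated cipher built from hashlib/hmac in place of the real DES/RC4 ciphers, collapses the AS and TGS exchanges into one "give me a service ticket" call, and uses SHA-256 of the password in place of the real NT hash. All names (alice, fileserver, the server and KDC classes) are constructed for the demonstration.

```python
import hashlib, hmac, json, os, time

# ---- toy authenticated encryption (stand-in for the real Kerberos/NTLM ciphers) ----
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Encrypt a JSON-serialisable object: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Reject anything not produced under this key (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(password):
    return hashlib.sha256(password.encode()).digest()   # stand-in for the NT hash

# ---- NTLM model: one-way challenge/response, verified by pass-through to the DC ----
class DomainController:
    def __init__(self, user_keys):
        self.user_keys, self.passthrough_calls = user_keys, 0
    def validate_ntlm(self, user, challenge, response):
        self.passthrough_calls += 1          # every NTLM logon costs the resource a DC round trip
        key = self.user_keys.get(user)
        if key is None:
            return False
        return hmac.compare_digest(hmac.new(key, challenge, hashlib.sha256).digest(), response)

class NtlmServer:
    def __init__(self, dc): self.dc = dc
    def challenge(self):
        self.nonce = os.urandom(8); return self.nonce
    def authenticate(self, user, response):
        return self.dc.validate_ntlm(user, self.nonce, response)

class RogueNtlmServer:
    """An impostor with no domain relationship at all."""
    def challenge(self): return os.urandom(8)
    def authenticate(self, user, response): return True   # just says "welcome"

def ntlm_logon(user, password, server):
    chal = server.challenge()
    resp = hmac.new(derive_key(password), chal, hashlib.sha256).digest()
    server_said_ok = server.authenticate(user, resp)
    # The client receives nothing it can check, so it cannot tell the two servers apart.
    return server_said_ok, False   # (server accepted client?, client verified server?)

# ---- Kerberos model: self-contained ticket, authenticator, mutual-auth reply ----
class Kdc:
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
    def service_ticket(self, user, service):
        session = os.urandom(32)
        ticket = encrypt(self.service_keys[service],
                         {"client": user, "session": session.hex(), "expires": time.time() + 600})
        return encrypt(self.user_keys[user], {"session": session.hex(), "ticket": ticket.hex()})

class KerberosServer:
    def __init__(self, service_key): self.key = service_key   # never talks to the KDC
    def ap_exchange(self, ticket, authenticator):
        t = decrypt(self.key, ticket)                 # the ticket alone carries the proof
        if t["expires"] < time.time():
            raise ValueError("ticket expired")
        session = bytes.fromhex(t["session"])
        a = decrypt(session, authenticator)
        if a["client"] != t["client"] or abs(time.time() - a["timestamp"]) > 300:
            raise ValueError("authenticator does not match ticket or is stale")
        return encrypt(session, {"timestamp": a["timestamp"]})   # AP-REP: proves we hold the service key

class RogueKerberosServer:
    """Cannot open the ticket without the service key, so it can only bluff."""
    def ap_exchange(self, ticket, authenticator): return os.urandom(80)

def kerberos_logon(user, password, service, kdc, server):
    reply = decrypt(derive_key(password), kdc.service_ticket(user, service))
    session, ticket = bytes.fromhex(reply["session"]), bytes.fromhex(reply["ticket"])
    ts = time.time()
    try:
        ap_rep = decrypt(session, server.ap_exchange(ticket, encrypt(session, {"client": user, "timestamp": ts})))
        return ap_rep["timestamp"] == ts          # True only if the server knew the session key
    except ValueError:
        return False                              # impostor detected by the client

def demo():
    users, services = {"alice": derive_key("correct horse")}, {"fileserver": os.urandom(32)}
    dc, kdc = DomainController(users), Kdc(users, services)
    return {
        "ntlm_legit": ntlm_logon("alice", "correct horse", NtlmServer(dc)),
        "ntlm_rogue": ntlm_logon("alice", "correct horse", RogueNtlmServer()),
        "ntlm_dc_calls": dc.passthrough_calls,   # 1: the legitimate resource needed the DC
        "krb_legit": kerberos_logon("alice", "correct horse", "fileserver", kdc, KerberosServer(services["fileserver"])),
        "krb_rogue": kerberos_logon("alice", "correct horse", "fileserver", kdc, RogueKerberosServer()),
    }

if __name__ == "__main__":
    print(demo())
```

In the NTLM half both servers "accept" the client and the client has no evidence either way, which is the server-spoofing gap the text describes; the legitimate server also had to make a pass-through call to the DC. In the Kerberos half the resource verifies the ticket with its own key and never contacts the KDC, and the client accepts only the server whose AP-REP was produced under the session key, which the impostor cannot recover from the ticket.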

Source: MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162