CHAPTER 9 Authentication Protocols

Microsoft Windows supports the following authentication protocols: LAN Manager (LM), NT LAN Manager (NTLM) versions 1 and 2, and Kerberos.

In this chapter you will find information about how the LM, NTLM, NTLMv2, and Kerberos protocols work and how to monitor the most common scenarios involving these protocols.

NTLM-family Protocols

The NTLM-family protocols include LAN Manager (LM), NT LAN Manager (NTLM), and NT LAN Manager V2 (NTLMv2). This section explains how these protocols work and also which events are generated on different hosts during authentication using these protocols.

This section also contains information about the NTLM Security Support Provider (NTLMSSP), NTLMv1 Session Security, and NTLMv2 Session Security mechanisms.

Challenge-Response Basics

LAN Manager (LM), NT LAN Manager (NTLM), and NT LAN Manager V2 (NTLMv2) use a challenge-response mechanism for network authentication.

The NTLM-family challenge-response mechanism is simply a method of validating credentials over a network without sending the cleartext password or the original password hash across the wire. NTLM-family protocols have no default transport protocol of their own, which is why no default ports are associated with LM, NTLM, or NTLMv2. The most common transports for NTLM-family protocols are SMB, HTTP, and SMTP.

A basic challenge-response process flow is illustrated in Figure 9-1. It will help you to understand more detailed topics ...
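The following is an added example, not code from the book, that models the challenge-response exchange just described in an NTLMv2-style form: the server issues a random challenge, the client answers with an HMAC-MD5 keyed by a per-user secret derived from its password hash, and the server recomputes the proof from the secret it stores. Assumptions: SHA-256 stands in for the MD4-based NT hash (MD4 is unavailable in many Python builds), the account values are constructed, and the message framing is simplified rather than the real MS-NLMP wire format.

```python
import hashlib
import hmac
import os

# Constructed sample account (not from the book). The server stores only the
# password-derived secret, never the cleartext password.
USER, DOMAIN, PASSWORD = "alice", "CORP", "correct horse battery staple"


def password_secret(password: str) -> bytes:
    """Stand-in for the NT hash. ASSUMPTION: real NTLM uses MD4 over the
    UTF-16LE password; MD4 is missing from many Python builds, so SHA-256
    replaces it here. Only the one-way property matters for this model."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5 keyed with the NT hash over
    upper(user) + domain encoded as UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def compute_response(key: bytes, server_chal: bytes, client_chal: bytes) -> bytes:
    """Client proof: HMAC-MD5 over both nonces. Neither the password nor the
    derived secret leaves the client; only this 16-byte MAC crosses the wire."""
    return hmac.new(key, server_chal + client_chal, "md5").digest()


def server_verify(stored_secret, user, domain, server_chal, client_chal, response):
    """Server recomputes the proof from its stored secret and compares in
    constant time. A fresh server challenge per session defeats replay."""
    expected = compute_response(ntowf_v2(stored_secret, user, domain), server_chal, client_chal)
    return hmac.compare_digest(expected, response)


def run_exchange(password_tried: str) -> dict:
    """One simplified NTLMv2-style exchange (framing is not the real MS-NLMP
    wire format). Returns the verdict plus every byte that crossed the wire."""
    stored_secret = password_secret(PASSWORD)          # what the server holds
    server_chal = os.urandom(8)                        # CHALLENGE message
    client_chal = os.urandom(8)                        # client nonce in AUTHENTICATE
    key = ntowf_v2(password_secret(password_tried), USER, DOMAIN)
    response = compute_response(key, server_chal, client_chal)
    accepted = server_verify(stored_secret, USER, DOMAIN, server_chal, client_chal, response)
    return {"accepted": accepted, "server_chal": server_chal,
            "client_chal": client_chal, "response": response,
            "wire": [server_chal, USER.encode("utf-16-le") + client_chal + response]}
```

Inspecting the returned "wire" bytes shows why a passive observer of SMB, HTTP, or SMTP traffic sees neither the password nor the stored hash, only nonces and a MAC bound to them.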
