Now More Secure with Kerberos Authentication for WMI, SMB, and Windows Remote Login
Dear JDisc friends,
An issue in JDisc Discovery has been its reliance on the NTLM protocol for authenticating access credentials to Windows directory or domain member computers, rather than leveraging the more secure Kerberos protocol.
This issue arose because the discovery process accessed Windows directory or domain member computers exclusively through their IPv4 or IPv6 addresses. Kerberos issues service tickets for a service principal name derived from the target's host name, so a connection made by IP address falls back to NTLM. While this approach was convenient for the architecture and design of the discovery process, it introduced both security and functionality risks, especially if NTLM was disabled.
What’s New?
Beginning with version 5.0 Build 5217, JDisc Discovery will utilize the Kerberos authentication protocol for Windows directory or domain member computers, replacing NTLM as the default authentication method.
What’s the Problem with the NTLM Authentication Protocol?
NTLM is a legacy Microsoft authentication protocol that has several known vulnerabilities and attack vectors. However, NTLM is still commonly used and there are applications that do not support the Kerberos protocol.
If you want to know more about it, just ask ChatGPT (“Please list NTLM authentication protocol known vulnerabilities and attack vectors”) for a compilation of known vulnerabilities and attack vectors. At the time of writing this blog entry, the results listed about 16 known vulnerabilities and attack vectors. ChatGPT will also propose some mitigation strategies.
How to Mitigate Your Risk And Vulnerabilities
To mitigate these known NTLM vulnerabilities and attack vectors, please consider adjusting the following Windows settings and policies:
- Enforce Kerberos authentication over NTLM where possible
- Disable NTLMv1 and restrict the use of NTLMv2
- Require SMB signing and enforce message integrity
Configuration Requirements for Enabling Kerberos Authentication in JDisc Discovery
Fortunately, no specific configuration is required to enable Kerberos authentication. There is one small caveat, however: Kerberos authentication depends on a properly configured DNS environment. This is nothing new, as JDisc Discovery already needs forward and reverse DNS lookups to make Windows directory and domain discovery work.
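As an added example (not JDisc's code), the following PowerShell audits the three NTLM-hardening items from the mitigation list above on a Windows host, applies the hardened values when run with -Enforce, and checks the forward and reverse DNS resolution that the Kerberos caveat requires. The registry paths and cmdlets are standard Windows ones; the host name in the last line is a placeholder.

```powershell
# Added example, not JDisc's code: audit the NTLM-hardening items listed above on a
# Windows host and apply the hardened values when run with -Enforce (elevated session).
param([switch]$Enforce)
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
# LmCompatibilityLevel 5: send NTLMv2 only, refuse LM and NTLMv1 (policy "Network
# security: LAN Manager authentication level"). RestrictSendingNTLMTraffic 2: deny
# outbound NTLM so Kerberos is used wherever the target supports it; set 1 first to
# audit, and list legitimate NTLM-only servers in ClientAllowedNTLMServers.
# AuditReceivingNTLMTraffic 2: log every inbound NTLM logon (Operational log
# Microsoft-Windows-NTLM) so remaining NTLM use can be found before it is blocked.
$desired = @{
    LmCompatibilityLevel       = @{ Path = $lsa; Value = 5 }
    RestrictSendingNTLMTraffic = @{ Path = $msv; Value = 2 }
    AuditReceivingNTLMTraffic  = @{ Path = $msv; Value = 2 }
}
foreach ($name in $desired.Keys) {
    $spec    = $desired[$name]
    $current = (Get-ItemProperty -Path $spec.Path -Name $name -ErrorAction SilentlyContinue).$name
    $shown   = if ($null -eq $current) { 'unset' } else { $current }
    $state   = if ($current -eq $spec.Value) { 'OK' } else { 'WEAK' }
    '{0,-27} current={1,-6} desired={2} [{3}]' -f $name, $shown, $spec.Value, $state
    if ($Enforce -and $state -ne 'OK') {
        Set-ItemProperty -Path $spec.Path -Name $name -Value $spec.Value -Type DWord
    }
}
# SMB signing must be required on both sides: this host as a server and as a client.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
"SMB server RequireSecuritySignature = $($srv.RequireSecuritySignature)"
"SMB client RequireSecuritySignature = $($cli.RequireSecuritySignature)"
if ($Enforce) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
# Kerberos tickets are issued for a service principal name built from the host name,
# so a target reached only by IP address falls back to NTLM. Check that a discovery
# target resolves forward and reverse, as the DNS caveat above requires.
function Test-KerberosDns([string]$HostName) {
    $fwd = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'A'
    if (-not $fwd) { return "FAIL: no A record for $HostName" }
    $ip  = $fwd[0].IPAddress
    $rev = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
    if (-not $rev) { return "FAIL: no PTR record for $ip" }
    return "OK: $HostName -> $ip -> $($rev[0].NameHost)"
}
Test-KerberosDns 'member01.example.local'   # placeholder host name
```

Run it without -Enforce first and review the audit lines and the NTLM Operational log before denying outbound NTLM, since any workgroup or legacy host that cannot do Kerberos will stop authenticating once RestrictSendingNTLMTraffic is set to 2.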
Further Reading
Microsoft provides a concise article on The evolution of Windows authentication you might find useful. If you’re not yet convinced about the advantages of Kerberos over NTLM, you can explore additional arguments on The Hackers Recipes.
Cheers, Thomas