Matasano Chargen: THANK YOU Europe! (and um… Microsoft)

  • Tyler Reguly · 1 year ago
    This is pretty amazing.

    On top of bookmarking the page, people should download the zip files that contain all this data in PDF... Just in case it disappears some day.

    http://download.microsoft.com/download/a/e/6/ae...
    http://download.microsoft.com/download/9/5/E/95...
  • sumdum guy · 1 year ago
    I wonder if the information provided by MS here will contribute to a rise in exploits? Or is this already a certainty?
  • James Landis · 1 year ago
    I agree this is quite a bit to be excited about, but why so much hand-waving about NTLM? I thought everyone agreed that NTLM was horribly broken and Kerberos was the future of MS authentication. I'd rather they kept the details of NTLM to themselves in the hope that it might go away sooner. We've already been suffering it for 7 years.
  • Eric Monti · 1 year ago
    James,

    Don't mean to wave my hands about NTLM, though I can see how it might seem that way. Just remarking that it is good to actually see the full spec from Microsoft along with so many other things on that site.

    I agree it would be great to see it just go away. But I doubt it'll happen. Matter of fact, part of why I zoned in on NTLM is that I'm *once again* staring down implementing it in a security testing project.

    Old protocols don't die, they just smell that way.
  • dragonfrog · 1 year ago
    Unless I'm horrendously mistaken, Kerberos only lets a domain member server confirm with a DC that a particular user has already authenticated itself to the domain.

    It doesn't make NTLM go away, it just reduces the number of NTLM transactions that happen - the user still has to use NTLM to get authenticated to the DC in the first place, right?

    In principle, that initial NTLM auth could be replaced with something sensible, like a plain old password over an SSL pipe; it just hasn't been.
  • required · 1 year ago
    Thanks for the updates on M$ OpenNESS, but ...inserted every bad thought anyone ever had about M$ ...
    Seriously though, this is a trojan, if you do commercial interoperability with M$, and getting docs sure opens up a can of worms with lawsuits, and '...a paycheck.' < Master plan ahead, let the suckers eat my legal lead. I won't even download their documents.
    The tea tax is long over, but now it's the code tax that really sucks.
    Interesting how all this positive spin on Microsoft is released, 'it made me cry...' GRR, smart people know when to save their jobs, cuts are coming sometime.
    When Google releases a client OS integrated well with the internet, watch out M$, you've been thrown into the bay.

    On a positive note, I enjoy your blog and work, something good in this crazy business.