Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

OWA and NTLM?

Status
Not open for further replies.
AndrewFram

AndrewFram

MIS
Dec 26, 2007
58
US
It has been suggested that enabling NTLM on the OWA website is a security risk. I've read an article that says OWA can't even use NTLM, but an article on the Microsoft website reported that NTLM was the most secure method.

What affect would there be if I disabled the "Integrated Windows Authentication" checkbox in the "Directory Security" tab of the "Default web site properties" of OWA?

 
Sort by date Sort by votes
>It has been suggested that enabling NTLM on the OWA website is a security risk

By who? And what risk are they referring to? And compared to what?
 
Upvote 0 Downvote
QUALYS returned these results.
The risks were low, but wouldn't NTLM be better security than any of the other options? Anyone can always try a brute force attack...

THREAT:
NTLM authentication is enabled on the Microsoft IIS Web server. This allows a remote user to perform account brute force by requesting a non-existing HTTP
resource or an existing HTTP resource that does not actually require authentication. Requests would include the "Authorization: NTLM" field.
IMPACT:
If the host has an account lockout policy in place, a remote user may exploit this vulnerability to lockout a local user, provided that the name of the local user is
known.
If the host does not have an account lockout policy in place, a remote user may exploit this vulnerability to brute force user passwords.

and:

THREAT:
Microsoft IIS supports Basic and NTLM authentication. It has been reported that the authentication methods supported by a given IIS server can be revealed to an
attacker through the inspection of returned error messages, even when anonymous access is also granted.
When a valid authentication request is submitted (for either method) with an invalid username and password, an error message is returned. This happens even if
anonymous access to the requested resource is allowed.
IMPACT:
If this vulnerability is successfully exploited, a malicious user can learn what authentication method is used. This information can then be used in further intelligent
attacks against the server, or in a brute force password attack against a known user name.
 
Upvote 0 Downvote
>The risks were low

Yep

>wouldn't NTLM be better security than any of the other options?

Yep

>Anyone can always try a brute force attack...

Yep


Looks to me like you've answered your own question ... :)
 
Upvote 0 Downvote
OWA and NTLM means an unlocked PC can be used to access OWA without password. Well, same as Outlook TBH...
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

microsGuy16
  • Locked
  • Question
Global Address List Names not showing in Outlook OWA 365
Replies
0
Views
2K
microsGuy16
microsGuy16
ponoodle
  • Locked
  • Question
Disabling OWA for on prem Exchange while in a hybrid envirenment.
Replies
0
Views
1K
ponoodle
ponoodle
david jackson
  • Locked
  • Question
Extract only the subject and recipients from a mailbox
Replies
0
Views
1K
david jackson
david jackson
Rohit Bareja
  • Locked
  • Question
View and access only own records, and not the records by others on SharePoint.
Replies
3
Views
1K
garysm
garysm
lwhalo
  • Locked
  • Question
Domain Admins - Active Sync/OWA question
Replies
1
Views
103
ntinlin
ntinlin

Part and Inventory Search

Sponsor

Back
Top