Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

OWA and NTLM?

Status
Not open for further replies.
Dec 26, 2007
58
US
It has been suggested that enabling NTLM on the OWA website is a security risk. I've read an article that says OWA can't even use NTLM, but an article on the Microsoft website reported that NTLM was the most secure method.

What affect would there be if I disabled the "Integrated Windows Authentication" checkbox in the "Directory Security" tab of the "Default web site properties" of OWA?

 
>It has been suggested that enabling NTLM on the OWA website is a security risk

By who? And what risk are they referring to? And compared to what?
 
QUALYS returned these results.
The risks were low, but wouldn't NTLM be better security than any of the other options? Anyone can always try a brute force attack...

THREAT:
NTLM authentication is enabled on the Microsoft IIS Web server. This allows a remote user to perform account brute force by requesting a non-existing HTTP
resource or an existing HTTP resource that does not actually require authentication. Requests would include the "Authorization: NTLM" field.
IMPACT:
If the host has an account lockout policy in place, a remote user may exploit this vulnerability to lockout a local user, provided that the name of the local user is
known.
If the host does not have an account lockout policy in place, a remote user may exploit this vulnerability to brute force user passwords.

and:

THREAT:
Microsoft IIS supports Basic and NTLM authentication. It has been reported that the authentication methods supported by a given IIS server can be revealed to an
attacker through the inspection of returned error messages, even when anonymous access is also granted.
When a valid authentication request is submitted (for either method) with an invalid username and password, an error message is returned. This happens even if
anonymous access to the requested resource is allowed.
IMPACT:
If this vulnerability is successfully exploited, a malicious user can learn what authentication method is used. This information can then be used in further intelligent
attacks against the server, or in a brute force password attack against a known user name.
 
>The risks were low

Yep

>wouldn't NTLM be better security than any of the other options?

Yep

>Anyone can always try a brute force attack...

Yep


Looks to me like you've answered your own question ... :)
 
OWA and NTLM means an unlocked PC can be used to access OWA without password. Well, same as Outlook TBH...
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top