In Unit 2, we touched on authorization: you can access specific objects or perform certain tasks based on your identity. Within the Windows NTFS filesystem, authorization is controlled via:
- Group Policy Objects
- User Rights Assignment
- Object-level Allow/Deny ACLs
Authentication is the process of verifying your identity.
- It's important to note that authentication is a complex topic, especially regarding the SY0-701 (Security+) exam. We'll explore it extensively this year. A malicious user's first goal is often to bypass or compromise authentication if access hasn't already been granted.
- For this reason, many frameworks and processes have been established to verify user or device identity before any authorization checks are performed.
- In this unit, we will focus on a small but essential subset of commonly used authentication processes:
  - NTLM-based authentication
  - Kerberos-based authentication
- It's essential to be comfortable with both NTLM and Kerberos authentication, including how and when each is used, as you prepare for the SY0-701 (Security+) exam.
We’ll use the Active Directory environment (including your Kali Linux machine) from Unit 2 as we begin this unit. Go ahead and power up:
- Windows Server
- Windows 11 Client
- Kali Linux
NTLM Authentication as a Fallback Mechanism to Kerberos
In the realm of Windows authentication protocols, Kerberos is the preferred method due to its robust security and efficiency. However, there are scenarios where Kerberos may not be applicable or available. In such cases, NTLM (NT LAN Manager) is the fallback authentication mechanism. Understanding NTLM is crucial because:
- NTLM is used when:
  - The client authenticates to a server that is not part of a domain.
  - The client and server are in different domains and have no trust relationship.
  - There are issues with the Kerberos protocol or its implementation.
Kerberos leverages tickets and a trusted third party (the Key Distribution Center, or KDC) to validate user identities securely.
- In an Active Directory environment, the KDC is the Domain Controller (Windows Server).
NTLM relies on a challenge-response mechanism. This mechanism, though older and less secure than Kerberos, ensures that authentication can still occur even in less-than-ideal conditions.
In this section, we will explore how NTLM authentication works, its use cases, and why it remains an essential component of the Windows authentication suite despite the advent of more advanced protocols like Kerberos. You’ll find that in many penetration testing challenges, you are required to force an Active Directory environment to fall back to NTLM authentication to compromise user credentials.
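To make the challenge-response idea concrete, here is a minimal NTLMv2 exchange written as an added example for this unit (it is not code from the course or from Windows): the server sends a random challenge, the client answers with an HMAC-MD5 proof keyed by its NT hash, and the server verifies that proof using only the stored NT hash. The NT hash is assumed as a constructed 16-byte value (in the real protocol it is MD4 of the UTF-16LE password), and the client blob is simplified to a timestamp plus nonce.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed stored NT hash for the demo account. In the real protocol it is
# MD4(UTF-16LE(password)); a fixed value is used so the example runs anywhere.
DEMO_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def make_client_blob(client_nonce: bytes) -> bytes:
    """Simplified NTLMv2 blob: Windows FILETIME timestamp + 8-byte client nonce
    (the real blob also carries a header and the server's target info)."""
    filetime = int((time.time() + 11644473600) * 10_000_000)
    return struct.pack("<Q", filetime) + client_nonce


def client_response(nt_hash, user, domain, server_challenge, blob):
    """Client side: NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob); send proof || blob."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Server side: recompute the proof from the stored NT hash and compare in constant time.
    Only the stored hash is needed, never the password: the NT hash is password-equivalent,
    which is the core reason NTLM is weaker than Kerberos."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def run_exchange(user="alice", domain="LAB"):
    """One full exchange. Returns (accepted, replay_accepted): the per-connection
    challenge is what stops a captured response from being replayed later."""
    server_challenge = os.urandom(8)  # nonce from the CHALLENGE_MESSAGE
    response = client_response(DEMO_NT_HASH, user, domain, server_challenge, make_client_blob(os.urandom(8)))
    accepted = server_verify(DEMO_NT_HASH, user, domain, server_challenge, response)
    replay_accepted = server_verify(DEMO_NT_HASH, user, domain, os.urandom(8), response)
    return accepted, replay_accepted


if __name__ == "__main__":
    print(run_exchange())  # prints (True, False)
```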