
Insecure authentication method - NTLM

Need

Secure authentication method using modern protocols

Context

  • Usage of C# for building robust and scalable applications
  • Usage of Microsoft.AspNetCore.Authentication for implementing authentication in ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.Server.IISIntegration for hosting ASP.NET Core applications on IIS server

Description

Non compliant code

public void ConfigureServices(IServiceCollection services)
{
    // "Windows" scheme: IIS negotiates Kerberos or NTLM with the client, and
    // NTLM is accepted whenever it is still enabled as a provider in IIS
    services.AddAuthentication(IISDefaults.AuthenticationScheme);
}

In the snippet above, the application is configured to use Windows Authentication, the IIS-provided scheme that the name IISDefaults.AuthenticationScheme ("Windows") resolves to. This is done in the ConfigureServices method of the Startup class of the ASP.NET Core application.

Calling AddAuthentication with that scheme makes Windows Authentication the default scheme for the application. The actual protocol is then negotiated between IIS and the client: Kerberos when both sides can use it, NTLM otherwise. The application code never selects NTLM explicitly; it inherits it from the Windows Authentication providers configured in IIS, which offer NTLM unless it is removed there.

NTLM (NT LAN Manager) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product.

However, NTLM is considered insecure because of weaknesses that attackers exploit routinely: relay attacks, man-in-the-middle (MitM) attacks, and offline cracking of captured challenge/response pairs. In addition, the protocol proves possession of the password hash rather than the password itself, so a stolen NT hash can be replayed directly (pass-the-hash) without ever cracking it.

In a relay attack, the attacker sits between a client and a server, forwards the client's NTLM challenge and response messages to a different server, and is thereby authenticated to that server as the client without knowing the password. Message signing and channel binding mitigate relay, but they are opt-in for many services and are frequently not enforced.

In a MitM attack, an attacker intercepts, and possibly alters, the communication between a client and a server; NTLM itself provides no server authentication that would let the client notice this.

A brute force attack against NTLM consists of capturing a challenge/response exchange (for example by luring a client into authenticating to an attacker-controlled host) and then guessing passwords offline until the computed response matches the captured one, with no lockout to slow the attacker down. NTLMv1 responses are weak enough that the underlying hash can be recovered without password guessing at all.

Therefore, configuring the application for Windows Authentication without removing the NTLM provider leaves it exposed to these attacks.
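The following is an added example, not code from the original page: a defense-in-depth authorization policy that refuses requests whose Windows identity was established with NTLM, so that only Kerberos logons reach the application even while IIS still offers NTLM as a fallback provider. It assumes Windows Authentication is enabled in IIS and that IIdentity.AuthenticationType reports "NTLM" for NTLM logons and "Negotiate" or "Kerberos" for Kerberos logons; confirm those values in the target environment (for example against the Authentication Package field of Windows security event 4624) before relying on the check. The NoNtlmRequirement, NoNtlmHandler and /whoami names are chosen here for illustration.

```csharp
// Added example (not from the original page): reject NTLM-authenticated identities.
// Assumption: IIdentity.AuthenticationType is "NTLM" for NTLM logons under IIS
// Windows Authentication and "Negotiate"/"Kerberos" for Kerberos logons.
using System;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

// Marker requirement: "the caller must not have authenticated with NTLM".
public sealed class NoNtlmRequirement : IAuthorizationRequirement { }

public static class AuthenticationTypeChecks
{
    // True only for an authenticated identity whose package was NTLM.
    public static bool IsNtlm(IIdentity identity) =>
        identity is { IsAuthenticated: true } &&
        string.Equals(identity.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase);
}

public sealed class NoNtlmHandler : AuthorizationHandler<NoNtlmRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, NoNtlmRequirement requirement)
    {
        var identity = context.User.Identity;
        if (identity is { IsAuthenticated: true } && !AuthenticationTypeChecks.IsNtlm(identity))
        {
            context.Succeed(requirement);
        }
        // Unauthenticated or NTLM-authenticated callers leave the requirement unmet,
        // so the policy fails and the authorization middleware returns 403.
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Same Windows Authentication scheme as the non-compliant snippet.
        services.AddAuthentication(IISDefaults.AuthenticationScheme);

        services.AddAuthorization(options =>
        {
            // FallbackPolicy applies to every endpoint without explicit [Authorize]
            // metadata, so no endpoint is reachable over NTLM by omission.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new NoNtlmRequirement())
                .Build();
        });
        services.AddSingleton<IAuthorizationHandler, NoNtlmHandler>();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            // Diagnostic endpoint: shows which package authenticated the caller.
            endpoints.MapGet("/whoami", async context =>
            {
                var identity = context.User.Identity!;
                await context.Response.WriteAsync(
                    $"{identity.Name} via {identity.AuthenticationType}");
            });
        });
    }
}
```

This check is a backstop, not the fix: the NTLM provider should still be removed from the IIS Windows Authentication configuration and the service's SPN registered so that Kerberos succeeds for every client. Until that is done, the /whoami endpoint is a quick way to see which clients would be broken by disabling NTLM outright.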

Steps

  • Replace NTLM with a modern authentication method: Kerberos for domain-joined intranet clients (restrict the IIS Windows Authentication providers to Negotiate, remove NTLM, and register the service's SPN so that Kerberos actually succeeds instead of silently falling back), or OpenID Connect/OAuth 2.0 against an identity provider for everything else.
  • Configure the application for the chosen method and verify with a test logon which protocol was really used; for Windows Authentication, the Authentication Package field of security event 4624 on the server shows NTLM or Kerberos.
  • Ensure that the chosen method is implemented following best practices: TLS on every endpoint, the authorization code flow with PKCE for OAuth 2.0/OpenID Connect, validated tokens, and session cookies marked Secure and HttpOnly.
  • Consider additional security measures, such as multi-factor authentication enforced by the identity provider, to further strengthen the authentication process.
  • Regularly update and patch the authentication stack (runtime, authentication packages, identity provider) to address newly discovered vulnerabilities.

Compliant code

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options =>
    {
        // The cookie scheme keeps the session after the OAuth round trip;
        // the OAuth scheme is what an unauthenticated request is challenged with
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "OAuth";
    })
    .AddCookie()
    .AddOAuth("OAuth", options =>
    {
        options.ClientId = Configuration["OAuth:ClientId"];
        options.ClientSecret = Configuration["OAuth:ClientSecret"];
        options.CallbackPath = new PathString("/signin-oauth");
        options.AuthorizationEndpoint = Configuration["OAuth:AuthorizationEndpoint"];
        options.TokenEndpoint = Configuration["OAuth:TokenEndpoint"];
    });
}

The above code replaces Windows Authentication, and with it NTLM, with an OAuth 2.0 login flow delegated to an external provider.

In ConfigureServices, AddAuthentication is given the default scheme and the default challenge scheme. Two details are required for this to work: AddOAuth must be given a scheme name (there is no overload without one), and a remote scheme such as OAuth cannot persist a session by itself, so a cookie scheme is registered and set as the default scheme while the "OAuth" scheme is set as the default challenge scheme. An unauthenticated request is therefore redirected to the provider, and the identity returned from the callback is stored in the cookie for subsequent requests. Note that OAuth 2.0 by itself is an authorization framework that issues access tokens rather than an assertion of who the user is; when the provider supports OpenID Connect, prefer AddOpenIdConnect, which returns a signed ID token that the handler validates.

ClientId and ClientSecret are the credentials the application presents to the OAuth provider. Keep them out of source control and out of the code: load them from user secrets in development and from a secrets store (environment variables, a vault) in production, and rotate them if they are ever exposed.

CallbackPath is the path the provider redirects the browser to after the user has authenticated. The OAuth handler intercepts requests to this path itself, exchanges the authorization code for tokens and signs the user in to the cookie scheme; it must match the redirect URI registered with the provider exactly and must be served over HTTPS.

AuthorizationEndpoint and TokenEndpoint are the provider's URLs to which the application sends the user to authenticate and from which it requests access tokens, respectively. These values are specific to the provider and are documented in its OAuth implementation guide (or published in its discovery document when it supports OpenID Connect).

This change moves credential handling to the identity provider and lets the application benefit from controls the provider enforces, such as multi-factor authentication, without further application code when the provider supports them.
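As an added example that is not part of the original page, the configuration below shows the OpenID Connect variant of the compliant code together with an authorization policy that only admits sessions the provider marked as multi-factor. It assumes an OIDC-capable provider whose discovery document is reachable at Configuration["Oidc:Authority"], a client registered with the redirect URI https://<host>/signin-oidc, and the Microsoft.AspNetCore.Authentication.OpenIdConnect package referenced by the project. Whether the provider emits an "amr" claim containing the value "mfa" (RFC 8176) is provider-specific and is an assumption here; the configuration keys, the "RequireMfa" policy name and the /admin endpoint are chosen for illustration.

```csharp
// Added example (not from the original page): OpenID Connect sign-in with the
// authorization code flow plus PKCE, and an "MFA required" authorization policy.
// Assumptions: Oidc:* configuration keys exist, and the provider puts "mfa" in
// the "amr" claim of the ID token when the user completed a second factor.
using System.Linq;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // Cookie holds the session; OIDC is what an anonymous request is challenged with.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // Lax (not Strict) so the cookie is sent on the top-level redirect back from the provider.
            options.Cookie.SameSite = SameSiteMode.Lax;
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = Configuration["Oidc:Authority"];   // discovery document is fetched from here
            options.ClientId = Configuration["Oidc:ClientId"];
            options.ClientSecret = Configuration["Oidc:ClientSecret"];
            options.RequireHttpsMetadata = true;
            options.ResponseType = OpenIdConnectResponseType.Code; // code flow, no tokens in the front channel
            options.UsePkce = true;                                // binds the code to this client instance
            options.CallbackPath = new PathString("/signin-oidc");
            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.GetClaimsFromUserInfoEndpoint = true;
            options.TokenValidationParameters.NameClaimType = "name";
        });

        services.AddAuthorization(options =>
        {
            // Assumption: provider reports multi-factor logons as amr = "mfa" (RFC 8176).
            options.AddPolicy("RequireMfa", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx => ctx.User.FindAll("amr").Any(c => c.Value == "mfa")));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapGet("/", async ctx => await ctx.Response.WriteAsync("public"));
            // Reachable only by sessions whose ID token carried the MFA marker.
            endpoints.MapGet("/admin", async ctx => await ctx.Response.WriteAsync("admin"))
                     .RequireAuthorization("RequireMfa");
        });
    }
}
```

The ID token's signature, issuer, audience and expiry are validated by the handler against the keys published in the provider's discovery document, which is the property that bare OAuth 2.0 access tokens do not give the application. If the provider reports second-factor use through a different claim or value, change the assertion in the RequireMfa policy accordingly rather than dropping it.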

Remember to regularly update and patch the authentication system to address any newly discovered vulnerabilities.
