Question

I have created web application/site collection using SharePoint 2010 with a few pages, document collection and a forum. I don't want it to have anonymous access, so I have set it up to use Classic authentication and NTLM. So far everything is working fine. When a user wants to join, I simply create a new user in AD and everything is well. I thought that the OTB classic login solution provided by MS would be a secure solution. However, while discussing the idea with a friend, they said this is a huge security risk.

Is classic authentication/NTLM not recommended for internet sites?


Solution

Your choices of authentication are Classic/NTLM, Classic/Kerberos, Claims/NTLM and Claims/Kerberos. Basically your questions are: Classic or Claims, and NTLM or Kerberos.

Both questions cover somewhat different concepts and have different implications, although related. There are vast amounts of documentation on both. Here's a short primer on all of this (and possibly not all completely accurate, this is not my main expertise).

Classic vs Claims relates more to capabilities than to security:

  • Classic mode is the "old" authentication mode. Think username/password exchange.

  • Claims mode is the new framework currently used (or being implemented) in all new Windows based products. Think of a Claim as a distributed system for providing facts about a person, such as group membership, eye color, anything. It fully supports basic (username/password) authentication, plus a bunch of other things.

    Understanding SharePoint 2010 Claims Authentication

NTLM vs Kerberos relates to security, and a bit on capabilities:

  • Kerberos is an authentication protocol that has been around for decades, is an open standard, and has long been the de-facto standard on anything non-Windows. It uses token exchange with a shared authentication provider for identity validation. In a Kerberos authentication, you send your credentials and get a ticket to access your desired service (e.g. SharePoint). You then use that time-stamped, temporary ticket to speak to the service. The ticket has been stamped by the Domain Controller common to both you and the SharePoint server, so SharePoint knows it's valid.

    Kerberos

  • NTLM is a Microsoft proprietary authentication protocol that does not involve a third party key provider. You directly exchange a hashed (encrypted) message containing your credentials, and they get passed to the Domain Controller.

So to recap:

  • Classic/NTLM - You send your (encrypted) username/password to SharePoint. It validates it and grants you access.

  • Classic/Kerberos - you send your username/password, but not directly to the SharePoint server. You send it (in this case) to the shared Domain Controller, which confirms it, gives you a ticket, and you bring this ticket to SharePoint. SharePoint decrypts it using its own password.

  • Claims/NTLM - You can send your username/password to authenticate. SharePoint upgrades it to a Claim, confirms it with the Domain Controller. You can use other Claims providers.

  • Claims/Kerberos - You can use Claims, and you get authenticated by a secure ticket.

Kerberos is more secure because it uses stronger encryption. NTLM is vulnerable to interception and a bit susceptible to brute-force attacks. Kerberos also consumes less bandwidth because in general it requires fewer round trips to the Domain Controller. Kerberos tickets, because of their nature as stamped by a common Key provider (the DC), also support identity delegation. That is, if you want your users to access back-end servers through SharePoint and you need to pass their credentials over, only Kerberos will let you do that.

There are other subtle differences: Kerberos requires that both user and server have access to the Domain Controller. If you are not part of the Windows Domain (as is the case for Internet users), you cannot use Kerberos. You can still configure your SharePoint server to use Kerberos, but users not on a machine in the same domain will fall back to NTLM.

If you want to use Form-based authentication in SP2010, you need to use Claims (because in SP2010 anything that is not AD now goes through Claims). Using Claims will also allow you (with the help of 3rd party products) to authenticate your users through Facebook, Google, Live ID, etc.

In your case, even though you are adding your users to your AD, they do not have access to your domain controller so Kerberos will not be possible for them. NTLM is a bit weaker than Kerberos, but not "a huge security risk". It is still widely used.

You should use Claims over Classic. It will offer more possibilities down the line.

**Edit**

Re-reading this answer over 2 years later, I realized I have side-stepped an important point. Kerberos and NTLM are authentication mechanisms, and as I said Kerberos is not an option on the public internet. Kerberos is more secure because passwords are never sent over the wire (only hashes).

The friend from the question probably meant that using SSL is better. SSL is an encryption protocol that is somewhat related to authentication but not directly (you pass credentials to set up the encrypted channel, but it is used to establish trust, not identity as such). If you are on the internet, I sure hope you are using SSL and I had assumed so originally (but it looks less clear now...). Otherwise any middle-man can eavesdrop on your conversation.
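To make the two flows in the answer concrete, here is an added toy model (not code from the original post, and not wire-compatible with NTLM or Kerberos): a challenge/response login in which the server forwards the client's response to a "domain controller" for validation, and a ticket-based login in which a key distribution centre authenticates the user and issues a time-limited ticket that the service checks with nothing but its own key. HMAC-SHA256 tags stand in for the real protocols' encryption, and the principal names, passwords and key directory are constructed for the example.

```python
"""Toy model of challenge/response vs ticket-based authentication.

Constructed example: HMAC-SHA256 tags stand in for the real protocols'
cryptography. It illustrates two properties discussed in the answer:
the service that is being logged into never receives the user's
password in either flow, and in the ticket-based flow the service only
needs its own key plus a clock to validate a ticket (so it must not be
reachable from, or trusted by, the client for the ticket to be checked,
but the client must have reached the key distribution centre first).
"""
import hashlib
import hmac

# Constructed directory: the "domain controller" / KDC knows every
# principal's long-term key (derived from its password here).
DC_KEYS = {
    "alice": hashlib.sha256(b"alice-password").digest(),
    "HTTP/sharepoint": hashlib.sha256(b"sharepoint-service-password").digest(),
}


def _tag(key: bytes, message: bytes) -> bytes:
    """Keyed integrity tag; plays the role of the protocols' encryption."""
    return hmac.new(key, message, hashlib.sha256).digest()


def ntlm_style_login(username: str, password: str, server_nonce: bytes,
                     dc_keys=DC_KEYS) -> bool:
    """Challenge/response: the client answers a server nonce with a tag
    keyed by its password-derived key. The server cannot check the answer
    itself; it relays (username, nonce, response) to the DC, which
    recomputes the expected value. Only the response crosses the wire."""
    client_key = hashlib.sha256(password.encode()).digest()
    response = _tag(client_key, server_nonce)  # what leaves the client
    # DC side: look up the stored key and recompute.
    stored_key = dc_keys.get(username)
    if stored_key is None:
        return False
    expected = _tag(stored_key, server_nonce)
    return hmac.compare_digest(response, expected)


def kdc_issue_ticket(username: str, password: str, service: str, now: float,
                     dc_keys=DC_KEYS, lifetime: float = 600.0):
    """KDC side: authenticate the user, then issue a ticket bound to one
    service and a validity window, sealed with that service's key.
    Returns (payload, tag) or None if authentication fails."""
    user_key = dc_keys.get(username)
    presented = hashlib.sha256(password.encode()).digest()
    if user_key is None or not hmac.compare_digest(user_key, presented):
        return None
    service_key = dc_keys.get(service)
    if service_key is None:
        return None
    payload = f"{username}|{service}|{now}|{now + lifetime}".encode()
    return payload, _tag(service_key, payload)


def service_accepts_ticket(ticket, service: str, now: float, dc_keys=DC_KEYS):
    """Service side: validate a ticket using only the service's own key and
    the current time. Returns the authenticated username, or None."""
    payload, tag = ticket
    if not hmac.compare_digest(tag, _tag(dc_keys[service], payload)):
        return None  # tampered or sealed for another service
    user, svc, start, end = payload.decode().split("|")
    if svc != service or not (float(start) <= now < float(end)):
        return None  # wrong service, not yet valid, or expired
    return user


if __name__ == "__main__":
    nonce = b"constructed-server-nonce"
    print("challenge/response ok:", ntlm_style_login("alice", "alice-password", nonce))
    ticket = kdc_issue_ticket("alice", "alice-password", "HTTP/sharepoint", now=1000.0)
    print("ticket accepted for:", service_accepts_ticket(ticket, "HTTP/sharepoint", now=1100.0))
    print("ticket after expiry:", service_accepts_ticket(ticket, "HTTP/sharepoint", now=1700.0))
```

The model deliberately leaves out the ticket-granting ticket, session keys and mutual authentication of the real protocol; its point is the trust topology the answer describes (who must reach the domain controller, and what the service needs in order to check a login), not the cryptography.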

Other tips

Using NTLM over the Internet isn't desirable due to the potential of proxy servers not being able to handle NTLM authentication, but unless you're communicating with NTLMv1, generally you should be fine. If you're doing it over SSL, then you should absolutely be fine with NTLM.

NTLM is less secure than Kerberos, however.

Licensed under: CC-BY-SA with attribution