PC HOME SECURITY

Man-in-the-Middle Attacks

Intruders who can intercept communications between NT workstations and servers are potentially in a position to discover information. Even worse, they can attempt to compromise user accounts by capturing the authentication exchange and then using it to recover the password. As we explained earlier, NT does not use cleartext passwords and thwarts replay attacks by using a random nonce, and as a rule, NT isn't vulnerable to man-in-the-middle attacks. However, intruders could learn user passwords in some special circumstances.

Pure NT authentication--that is, authentication between only NT workstations and servers--uses case-sensitive passwords, making brute-force attacks difficult. However, when NT Server must accommodate Windows 3.1, Windows for Workgroups, and Windows 95 clients, it also deploys LAN Manager authentication, as we explained earlier. In such cases, NT accepts passwords without regard to case, reducing the number of dictionary and brute-force possibilities an intruder must try. Moreover, the specific encryption technique used for LAN Manager authentication makes guessing such passwords even easier, especially if the password is 7 or fewer characters in length. Therefore, Windows 3.1, Windows for Workgroups, and Windows 95 users who must authenticate across public communication facilities like the Internet run an increased risk of having their accounts compromised.

Microsoft acknowledges the shortcomings of LAN Manager authentication and has specific advice for its customers. First, the company tells customers that the strongest security is achievable only in an all-NT environment. Customers who place a high premium on security should install only NT Server and NT Workstation. We made that same observation in the Network Strategy Report "Windows NT Workstation and Windows 95." In an all-NT network, customers can disable LAN Manager authentication on both servers and clients, thereby preventing intruders from using this loophole.
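The effect of case folding and of the 7-character threshold can be put in numbers. The following is an added example, not part of the original report. It assumes passwords drawn from the 95 printable ASCII characters and models the LAN Manager preprocessing (uppercase, pad to 14 characters, split into two 7-character halves that are processed independently), a detail the text above does not spell out; the function names are hypothetical.

```python
# Added example: compares exhaustive-search cost for the same password under
# case-sensitive NT authentication and under LAN Manager authentication.

PRINTABLE = 95                # assumption: printable ASCII, 0x20-0x7E
LM_ALPHABET = PRINTABLE - 26  # uppercasing removes the 26 lowercase letters


def lm_halves(password):
    """Model LM preprocessing: uppercase, NUL-pad to 14, split into 7 + 7."""
    if len(password) > 14:
        raise ValueError("LM authentication covers at most 14 characters")
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]


def second_half_empty(password):
    """True when the password is 7 characters or fewer, so the second
    half is pure padding and carries no secret at all."""
    return lm_halves(password)[1] == "\0" * 7


def worst_case_guesses(length):
    """Return (nt, lm) worst-case guess counts for a password of this length."""
    if not 1 <= length <= 14:
        raise ValueError("length must be between 1 and 14")
    nt = PRINTABLE ** length
    first, second = min(length, 7), max(length - 7, 0)
    # The halves are searched independently, so their costs add
    # instead of multiplying; an all-padding half costs nothing.
    lm = LM_ALPHABET ** first + (LM_ALPHABET ** second if second else 0)
    return nt, lm


if __name__ == "__main__":
    for n in (7, 8, 14):
        nt, lm = worst_case_guesses(n)
        print(f"{n:2d} chars  NT: {nt:.2e}  LM: {lm:.2e}  ratio: {nt / lm:.1e}")
    print(lm_halves("Passw0rd"))  # constructed sample password
```

Under this model a 14-character password costs no more to search than two separate 7-character ones, which is why disabling LAN Manager authentication matters even for users with long passwords.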


Copyright (C) All Rights Reserved 2006.www.pchomesoft.com