When users log in to a Windows computer, they must perform several steps to authenticate themselves. The Windows OS authenticates its users using three mechanisms (protocols) provided by Microsoft.
Security Accounts Manager (SAM) Database
Windows manages user accounts and passwords in a hashed format (a one-way
hash) using the Security Accounts Manager (SAM) database or Active Directory
database in domains. The SAM file has an exclusive filesystem lock that is
obtained and maintained by the Windows kernel. A user cannot move or copy the
SAM file while Windows is running because the system locks it. The lock does
not release until the OS shuts down or the system throws a blue screen
exception.
The SAM file is stored at %SystemRoot%\system32\config\SAM on Windows
systems, and Windows mounts it in the registry under the HKLM\SAM hive. It
stores LM or NTLM password hashes.
NTLM Authentication
The default authentication method, NT LAN Manager (NTLM), uses a
challenge/response approach to authenticate users. NTLM authentication is
made up of the LAN Manager (LM) authentication protocol and the NTLM
authentication protocol. These protocols store user passwords in the SAM
database using different hashing techniques. In NTLM authentication, the
client and server negotiate an authentication protocol; this is done through
the Security Support Provider (SSP) that Microsoft supplies with Windows:
- The client types the username and password into the login screen.
- Windows runs the password through a hash algorithm and generates a hash.
- The client computer sends a login request along with a domain name to the domain controller.
- The domain controller generates a 16-byte random character string called a "nonce," which it sends to the client computer.
- The client computer encrypts the nonce with a hash of the user password and sends it back to the domain controller.
- The domain controller retrieves the hash of the user password from the SAM and uses it to encrypt the nonce. Then, it compares the encrypted value with the value received from the client. If the values match, the client is authenticated, and the login is successful.
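The exchange above, as an added example that is not part of the original post: the server keeps only the NT hash (MD4 over the UTF-16LE password, exactly as the SAM stores it), issues a random challenge, and verifies the client's response by recomputing it from that hash. The response here follows the NTLMv2 form (HMAC-MD5 keyed by the per-user NTOWFv2 key) rather than the DES-based NTLMv1 "encryption" the text describes; the user/domain names and the 8-byte client blob standing in for the NTLMv2 temp structure are constructed values, not from the page. The practical lesson is the last step: the server never needs the password, so the stored hash is itself a password-equivalent secret, which is why the SAM lock and hive protection matter.

```python
import hmac, os, struct

def md4(data: bytes) -> bytes:
    """Compact MD4 (RFC 1320); hashlib's md4 is often disabled on modern OpenSSL builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80"                      # pad to 56 mod 64, then 64-bit LE bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):     # each step updates one register, then rotates roles
                a, b, c, d = d, rol((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4]), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash as stored in the SAM: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def client_response(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """Client side: prove knowledge of the hash by MACing the server challenge with it.
    `blob` stands in for the NTLMv2 temp structure (timestamp, client nonce, target info)."""
    return hmac.new(ntowf_v2(nt, user, domain), challenge + blob, "md5").digest()

def server_verify(stored_nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored hash only and compare in constant time."""
    expected = client_response(stored_nt, user, domain, challenge, blob)
    return hmac.compare_digest(expected, response)

def run_exchange(typed_password: str, stored_nt: bytes, user: str = "User", domain: str = "Domain") -> bool:
    """Model of the exchange in the text: random server challenge, client response, server check.
    Names are constructed examples; the server never sees typed_password, only the response."""
    challenge = os.urandom(8)                 # MS-NLMP server challenge is 8 bytes
    blob = os.urandom(8)                      # constructed stand-in for the client's temp blob
    response = client_response(nt_hash(typed_password), user, domain, challenge, blob)
    return server_verify(stored_nt, user, domain, challenge, blob, response)
```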
Kerberos Authentication
In place of NTLM, Microsoft's default authentication protocol is now
Kerberos, which offers more robust authentication for client/server
applications.
Kerberos is a network authentication system that uses secret-key
cryptography to give client/server applications robust authentication. The
user and the server both confirm each other's identities. Messages sent
through this protocol are protected against replay attacks and
eavesdropping.
Kerberos relies on a trusted third party, the Key Distribution Centre (KDC),
which consists of two logically separate components: an authentication server
(AS) and a ticket-granting server (TGS).
We hope this helps. If you have any suggestions or doubts you can add a
comment and we will reply as soon as possible.