Security Basics mailing list archives

RE: OWA, basic authentication, and Windows NT Challenge and Response NTLM


From: "LordInfidel" <LordInfidel () directionweb com>
Date: Tue, 21 Mar 2006 10:05:54 -0500

Basically, no (non-IT) user is going to check the cert to make sure it is valid, and really, most users do not know what to look for. If you are using a self-signed cert, and the end user does not have the root CA cert installed on their machine, they will always get the cert splash screen. Your job is to make sure they never get that screen, and that they contact you if they do.

To combat that, you would simply need to install the root CA cert that signed your OWA site's cert. If you did a self-signed cert using the built-in Microsoft CA, it is a little more difficult to retrieve the CA cert. On the machine that you installed the MS CA on, you will need to open up the local cert store via an MMC console, navigate to the trusted root store, and export the CA cert in .der format.

You then take that file and, on the user's machine, double-click on it and install it, letting Windows automatically select the store. Now, by having the trusted root CA cert, the X.509 chain is complete and, barring any expired certs or hostname mismatch, the end user should not get a warning. Personally, I prefer a Linux-based CA using OpenSSL. It's not as dumbed down as an MS CA, but it forces you to understand the cert process and is a little more flexible.

If, after all of that, they do get a warning, then it is due to a man-in-the-middle attack and they should not put in their credentials.

On the note of credentials, if this is Exchange 2003, use the forms-based login. It is 1000% more secure than NTLM or basic, since (a) it forces you to use SSL, and (b) credentials are not cached on the end user's machine.

The whole purpose of OWA is so that your end users do not need to use IPSec.

Hope that helped,

LordInfidel
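The checks the reply walks through (root CA installed so the X.509 chain completes, no hostname mismatch, nothing expired), worked as an added Go example that is not from the original thread. The root CA, the OWA server cert and the name owa.example.test are constructed in memory for illustration, and CheckServerCert uses Go's crypto/x509 verifier as a stand-in for the browser's decision.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed stand-ins for the certs in the reply: a self-signed root CA and the OWA
// server cert it issued. OWAHost is a placeholder name, not a real site.
const OWAHost = "owa.example.test"
var RootCert, ServerCert *x509.Certificate

// issue signs tmpl with signer (the parent's key) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER from CreateCertificate always parses
	return cert
}

func init() {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	RootCert = issue(ca, ca, caPub, caKey)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: OWAHost},
		DNSNames: []string{OWAHost}, // clients match the hostname against the SAN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	ServerCert = issue(srv, RootCert, srvPub, caKey)
}

// CheckServerCert reproduces the client's decision. trustedRootDER is the root CA cert as exported to .der
// (nil if never installed). nil = no warning; else UnknownAuthorityError / HostnameError / CertificateInvalidError.
func CheckServerCert(cert *x509.Certificate, trustedRootDER []byte, host string, now time.Time) error {
	roots := x509.NewCertPool() // empty, not nil: a nil pool would fall back to the system store
	if root, err := x509.ParseCertificate(trustedRootDER); err == nil {
		roots.AddCert(root) // the installed root is what completes the chain
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}
```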

 

-----Original Message-----
From: bret.lugo () gmail com [mailto:bret.lugo () gmail com]
Sent: Wednesday, March 15, 2006 8:22 PM
To: security-basics () securityfocus com
Subject: OWA, basic authentication, and Windows NT Challenge and Response NTLM

If a user uses Outlook Web Access over HTTPS on an untrusted network, such as a wifi hotspot or an airport, and does not check the certificate to make sure it's valid, would it be possible for someone to use a proxy program such as Paros to see their user name and password if basic authentication is used on the OWA server?

Would using Windows NT Challenge and Response NTLM not allow this to happen?

Also what would be the best defense against this sort of attack if your users do not check for valid certificates when 
using untrusted networks?

Maybe make them IPsec VPN in before they can access OWA?

Thanks for the help

 

---------------------------------------------------------------------------

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec 
management education and the case study affords you unmatched consulting experience. 

Tailor your education to your own professional goals with degree customizations including Emergency Management, 
Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus

---------------------------------------------------------------------------
