RE: NTLM Authenthication,

["McCarty, Eric C." <emccarty () er ucsd edu>]

This is a pretty common method for access control. Using integrated
authentication such as active directory you can avoid maintaining
multiple user account databases. In addition you can reduce
administrative overhead by assigning access based of accounts you are
already familiar with.

I imagine there is some type of persistent token that the user receives
such as a session ID that would keep the App from re-applying
authentication logic to each page. For example you create groups within
the application that you add NT Users to, (Admins, Power Users, Users,
etc.) that dictate level of access within the application. Once
authenticated the app provides some token to keep this access persistent
within the application.

It would only be traffic intensive if it re-authenticated every page,
this would be slower, yes, but not significantly unless it was a heavy
usage application with slow DC's. 

Eric McCarty
CISSP, CISA, Security+, MCSE ....


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of IRM
Sent: Wednesday, February 28, 2007 4:58 AM
To: webappsec () securityfocus com
Subject: NTLM Authenthication,

Dear all,

On my Web Pen test, I have seen one application that relies on the NTLM
Auth for the authorization. The thing is I have seen many people rely on
the NTLM Authentication to segregate access at the file level but not at
the business logic level. 

So yesterday, I have seen one application that uses NTLM authorization
to segregate user access at the business logic layer.

What I mean by that is that instead of using cookies and session ID, 
Say that test.ASP has menu A, B and C.

User X can access Menu A, B and C on and the test.ASP
And 
User Y can access Menu A, B on the test.ASP by using NTLM Authentication
for the authorization.

I would have thought that this provides more secure environment compared
to the form authentication by cookies, etc. As for accessing the pages
it will do challenge response thingy...  However, I think the down side
for this app is that it will be traffic intensive and it is not good
design for traffic intensive application especially when the bandwidth
is an issue.

Any Thought About this particular design?


------------------------------------------------------------------------
-
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have
seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHe
------------------------------------------------------------------------
--


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have seen,
and outlines a guideline for developing secure web applications.
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHe
--------------------------------------------------------------------------