While Active Directory is widely used, it has still uses insecure protocols such as NTLM. The important question many people ask is “Does turning off NTLM increase security”?

The answer is “maybe”, or “it depends”, or even “no”. In order to understand these conflicting answers, we have to take a step back, and look at how (and why) NTLM is used.

As an aside, our approach in all of these articles is to understand the issue. It is always best to understand the root cause of any issue. Following a simple security check-list is naive, and rarely increases the security of the system as a whole.

Why use NTLM?

NTLM (or NTLMv2) is used when passwords are stored in Active Directory. For “security” Active Directory refuses to hand out the users password over LDAP. This practice works for User-Password. FreeRADIUS can just do an LDAP “bind as user”, and ask Active Directory to validate the password.

This practice does not work for MS-CHAPv2 (or for PEAP). FreeRADIUS needs to have the clear-text (or NT hash) password in order to do the MS-CHAPv2 calculations. Since Active Directory won’t give the users password to FreeRADIUS, how does the MS-CHAPv2 blob get verified?

The answer is NTLM. NTLM allows FreeRADIUS to hand the MS-CHAPv2 data to Active Directory (via Samba). Active Directory validates the input, and returns more opaque blobs to FreeRADIUS for use in MS-CHAPv2. FreeRADIUS then returns the authentication results to the NAS, and then to the user.

While Samba also uses NTLM, it provides the sambaNTPassword attribute to FreeRADIUS over a normal LDAP connection. So if you are using Samba (and only Samba), then you should not use NTLM. However, if you are using Samba to connect to Active Directory, than you have to use NTLM.

Is NTLM Secure?

No.

NTLM is not secure. The protocol was designed in 1993, and has no effective security. Anyone who can see the NTLM traffic can run a password cracker on the MS-CHAPv2 hashes, and get the users clear-text password.

There are many, many, articles on the net explaining NTLM security issues. We don’t get into them here, but rest assured, NTLM is insecure.

Should I use NTLM?

You probably don’t have a choice. Which means you’re forced to use it. When all passwords are in Active Directory, and user authentication is done via MS-CHAPv2 (or PEAP/MS-CHAPv2), then you must use NTLM.

For any other situation, we recommend avoiding NTLM. Microsofts’ choice of “securing” the network by not providing the password to FreeRADIUS actually decreases security. As we saw in the Is PAP Secure article, the most vulnerable part of your network is your database, because the passwords must be stored there in clear text. Any attacker who gets into the database will see everyones passwords. So password should be stored in the database in a secure manner (not clear-text, and not NT password hash).

Does turning off NTLM increase security?

Maybe. If you’re not using Active Directory or MS-CHAPv2, then you should never use NTLM. Disabling NTLM will definitely increase security.

If you are using MS-CHAPv2 and Active Directory, then turning off NTLM will also increase security, because no one will be able to get on the network.

This last point is missed by the naive “security checklist” approach. Some people forbid the use of clear-text passwords because “passwords are sent unencrypted over the network”, really, they’re not. The same people then see that NTLM is insecure, and also forbid the use of NTLM. They think that a simple checklist of “don’t use NTLM” will help secure their network.

The end result is that their network is perfectly secure, because no one will be able to get network access. We suspect that this result is not what most people want out of “secure network access”.

How do I make NTLM secure?

The simplest approach is “don’t use NTLM unless you need it”. A slightly better approach is to switch away from PEAP/MS-CHAPv2 to TTLS/PAP. As noted above, it is possible to avoid NTLM entirely, even when using Active Directory, if FreeRADIUS has the clear-text password.

If neither of those approaches work, then you are stuck with using NTLM. In order to secure it, you must secure the network which NTLM uses. Ensure that nothing else (and no one else) is using the same network which FreeRADIUS and Samba use to talk to Active Directory. Put the machines into a separate VLAN, with private IP addresses that are not used anywhere else.

Dedicate one Active Directory server to FreeRADIUS. It is possible to lock down NTLM for only one server. Then, ensure that this Active Directory server has only one client (Samba / FreeRADIUS).

We also recommend reading this article on NTLM security. It has some good advice on “locking down” NTLM to be as secure as possible. if you’re using MS-CHAP then you can’t turn off NTLM entirely, but you can make it more secure than the default configuration.

After following the above advice, the resulting configuration will have maximum possible security, while still allowing network access. Because no one wants a “secure” network which is impossible to access.

Need more help?

Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.