If you configure Internet Information Server (IIS) to do Windows NT challenge/response instead of basic authentication, it sends the header "WWW-Authenticate: NTLM" when asked for a protected URL. Microsoft Internet Explorer (MSIE) and IIS then perform a security handshake that relays an encrypted password to IIS.
), a rogue server can always send the same challenge, which it can also have used to precompute a large database of possible passwords.
The security handshake occurs invisibly to the user. Why? MSIE figures that because you've already logged on to Windows once, there's no need to be prompted again for a name and password. You can automatically pass those credentials to an IIS server, just as you automatically pass them to file servers on your LAN. Of course, the Internet is not your LAN. Paul Ashton summarizes the situation nicely: "Wouldn't you like to see a message: www.foobar.com has requested your NT user name and password. Would you like to send it [YES] [NO] [Don't bother me again]? I know I would."
Microsoft's response? Upgrade to the final shipping version of MSIE 4.0. It carves the world into zones and makes automatic log-on behavior the default for the intranet zone (your local network), but not for the Internet zone (everywhere else).
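The rogue-server point above rests on one property of NTLM challenge/response: the server is supposed to issue a fresh random challenge for every handshake, and a server that always sends the same one can prepare its lookup tables in advance. The following Python script is an added example (not code from the article, Microsoft or IIS) of a client-side audit for that condition: it parses the Type 2 (CHALLENGE_MESSAGE) token carried in the `WWW-Authenticate: NTLM <base64>` header and reports whether the 8-byte ServerChallenge repeats across several connections to the same host. It assumes the MS-NLMP message layout (signature, message type, then the challenge at byte offset 24); the header values it checks are constructed inline so it runs offline.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2  # NTLM Type 2 message type per MS-NLMP


def parse_server_challenge(header_value: str) -> bytes:
    """Return the 8-byte ServerChallenge from a 'WWW-Authenticate: NTLM <b64>' value.

    MS-NLMP CHALLENGE_MESSAGE layout (assumed here):
      0-7   Signature "NTLMSSP\\0"
      8-11  MessageType (little-endian, 2 for a challenge)
      12-19 TargetNameFields
      20-23 NegotiateFlags
      24-31 ServerChallenge
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(token)
    if len(msg) < 32 or msg[:8] != NTLM_SIGNATURE:
        raise ValueError("malformed NTLM message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected Type 2 message, got type {msg_type}")
    return msg[24:32]


def repeated_challenges(header_values) -> set:
    """Return every ServerChallenge that appears more than once in the captured headers."""
    counts = {}
    for value in header_values:
        challenge = parse_server_challenge(value)
        counts[challenge] = counts.get(challenge, 0) + 1
    return {c for c, n in counts.items() if n > 1}


def challenges_are_fresh(header_values) -> bool:
    """True when no challenge repeats across the captured handshakes."""
    return not repeated_challenges(header_values)


def build_type2(challenge: bytes) -> str:
    """Construct a minimal Type 2 header value (empty target name/info) for the demo.

    This is a constructed sample, not a capture from a real IIS server.
    """
    assert len(challenge) == 8
    flags = 0x00000205  # NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
    msg = (
        NTLM_SIGNATURE
        + struct.pack("<I", CHALLENGE_MESSAGE)
        + struct.pack("<HHI", 0, 0, 48)  # TargetNameFields: empty buffer at offset 48
        + struct.pack("<I", flags)
        + challenge
        + b"\x00" * 8                    # Reserved
        + struct.pack("<HHI", 0, 0, 48)  # TargetInfoFields: empty buffer at offset 48
    )
    return "NTLM " + base64.b64encode(msg).decode("ascii")


# Constructed samples: a server that reuses one fixed challenge, and one that
# issues a distinct challenge on each of three connections.
FIXED_CHALLENGE = bytes.fromhex("0123456789abcdef")
REUSING_SERVER_HEADERS = [build_type2(FIXED_CHALLENGE) for _ in range(3)]
FRESH_SERVER_HEADERS = [build_type2(bytes(range(i, i + 8))) for i in (1, 11, 21)]

if __name__ == "__main__":
    for label, headers in (("reusing", REUSING_SERVER_HEADERS),
                           ("fresh", FRESH_SERVER_HEADERS)):
        verdict = "fresh" if challenges_are_fresh(headers) else "REUSED"
        print(f"{label} server: challenges {verdict}")
```

In practice the header values would come from several separate HTTP requests to the same protected URL; the point of the check is only that a well-behaved server's challenges never collide, so any repeat is worth investigating before letting a client auto-negotiate against that host.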