[cifs-protocol] RE: How are disabled accounts handled in SNTP

Richard Guthrie rguthrie at microsoft.com
Tue Jun 10 18:52:33 GMT 2008


Andrew,

In response to questions 1, 2 & 3 involving the MS-SNTP document, section 3.2.5 specifies the following:

If the server fails to retrieve the cryptographic keys or to compute the crypto-checksum, the server SHOULD<16> fail the authentication and ignore the request without responding.

Note 16 further clarifies the behavior of a couple of flavors of the server operating system as:

<16> Section 3.2.5: Windows NTP servers in Windows 2000, Windows XP, and Windows Server 2003 do not honor the above "SHOULD". Instead, they respond to the request. In Windows 2000, the server responds with a Server NTP Response message without an Authenticator field if authentication fails. In Windows XP and Windows Server 2003, the server responds with a Server NTP Response message that includes an Authenticator field in which the Crypto-Checksum subfield is set to zero.
In Windows Server 2008, in the case of the read-only domain controller (RODC) as the server, if the RODC does not store the cryptographic key locally, the server validates the RID. If the RID identifies a valid object, the server forwards the original Client NTP Request message to its own time source, which must be a writable domain controller. The writable domain controller that has the cryptographic key authenticates the client's request instead. On receiving the response from the writable domain controller, the RODC forwards the response to the client. This process is known as "chaining". If the RID is not identified as a valid object, the server fails the authentication and ignores the request without responding.

In addition, you can reference section 3.5.4.7.2 of the MS-NRPC documentation, which discusses invalid accounts or accounts that could not be found. This covers what the response should look like when authentication fails, which I think answers question 3 and the behavior when the account is disabled.

Let me know if this closes these issues.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, May 30, 2008 8:38 PM
To: Richard Guthrie
Cc: pfif at tridgell.net
Subject: RE: How are disabled accounts handled in SNTP

On Fri, 2008-05-30 at 15:33 -0700, Richard Guthrie wrote:
> Andrew,
>
> I will be working with you on request.  I wanted to summarize your questions so I can accurately respond to them.  I see # issues/clarifications in this email.
>
> 1. What is the correct response from a server responding to SNTP request when the request contains a RID that is disabled?
> 2. What if the account does not have rights to the server it is making an NTP request to?

In particular, what is the behaviour when an account is expired etc.

> 3. When responding to an SNTP request from a client

with a disabled account

> , should the service respond with an MD5 checksum that includes a checksum with the password?
> 4. What object classes are eligible to make a NTP request using this protocol?
> 5. Do Windows clients only use the RID returned from the ServerAuthenticate3 NETLOGON call?
>
> Have I captured your request correctly?  Please acknowledge and I will start to work on these issues.

With that amendment, this is a start.  A discussion of the risks of offline password guessing should be included in the security section, mitigated by the answers to my other question.  If you don't understand why this protocol is subject to offline password guessing attacks, then perhaps that needs to be clarified first.

> Richard Guthrie
> Open Protocols Support Team
> Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
> Tel: +1 469 775 7794
> E-mail: rguthrie at microsoft.com
>
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Tuesday, May 27, 2008 1:18 AM
> To: Interoperability Documentation Help
> Cc: pfif at tridgell.net
> Subject: How are disabled accounts handled in SNTP
>
> In MS-SNTP, the RID is used as a key ID.  No indication is given as to what should happen if the account indicated by this RID is disabled, expired or otherwise not permitted to log in.
>
> Should this account password be confirmed by returning an MD5 checksum including this password?  This should be dealt with in the security section, as well as the protocol implementation description.
>
> Also, are all accounts eligible as NTP clients, or only certain objectClasses (such as 'computer')?  (Because of the use of raw keys, and the possibility of an offline attack, this should be restricted as much as possible).
>
> Finally, do Windows clients only use the RID returned from the
> ServerAuthenticate3 NETLOGON call?  Could a more secure implementation be derived such that the ID returned by this call is not the RID?  (This would allow offline attacks on the password only after the NetLogon exchange).
>

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
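The three server behaviours quoted from MS-SNTP section 3.2.5 and note <16> (ignore the request, answer without an Authenticator, answer with a zeroed Crypto-Checksum), together with the client-side check that tells them apart, modelled in Python. This is an added example for this archive page, not Samba's, Windows' or the MS-SNTP document's own code. It assumes, beyond what the thread states, that the Authenticator is a 32-bit Key Identifier followed by a 16-byte Crypto-Checksum appended to the 48-byte NTP message, that the whole Key Identifier is taken as the RID (flag bits are ignored), that the checksum is MD5 over the 16-byte account key followed by the 48-byte message, and that a disabled account is handled like an account whose key cannot be retrieved, which is the case Andrew asks the document to settle. The account keys and RIDs are constructed sample values.

```python
"""Server- and client-side handling of an MS-SNTP authenticated request.

Added example, not code from MS-SNTP, Windows or Samba. Assumptions not
stated on the page: Authenticator = 32-bit Key Identifier + 16-byte
Crypto-Checksum after the 48-byte NTP message; Key Identifier == RID;
Crypto-Checksum = MD5(16-byte account key || 48-byte NTP message);
a disabled account behaves like one whose key cannot be retrieved.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

NTP_MSG_LEN = 48
AUTH_LEN = 4 + 16            # Key Identifier + Crypto-Checksum
ZERO_CHECKSUM = bytes(16)


@dataclass
class Account:
    rid: int
    key: bytes               # 16-byte account key (constructed, not a real hash)
    disabled: bool = False


# Constructed directory: two machine accounts, the second one disabled.
DIRECTORY: Dict[int, Account] = {
    1105: Account(1105, bytes.fromhex("0f0e0d0c0b0a09080706050403020100")),
    1106: Account(1106, bytes.fromhex("00112233445566778899aabbccddeeff"), disabled=True),
}


def crypto_checksum(key: bytes, ntp_msg: bytes) -> bytes:
    """Assumed MS-SNTP Crypto-Checksum: MD5 over key || 48-byte NTP message."""
    return hashlib.md5(key + ntp_msg).digest()


def client_request(rid: int) -> bytes:
    """Constructed Client NTP Request: LI=0, VN=4, Mode=3 header, zero body,
    Key Identifier set to the RID, client-side checksum left at zero."""
    msg = bytes([0x23]) + bytes(NTP_MSG_LEN - 1)
    return msg + struct.pack(">I", rid) + ZERO_CHECKSUM


def server_handle(request: bytes, directory: Dict[int, Account],
                  flavor: str = "spec") -> Optional[bytes]:
    """Return the Server NTP Response, or None when the server stays silent.

    flavor selects which quoted behaviour is modelled on key lookup failure:
      "spec"      - the SHOULD in 3.2.5: fail authentication, do not respond
      "win2000"   - respond without an Authenticator field
      "winxp2003" - respond with an Authenticator whose checksum is all zero
    """
    if len(request) != NTP_MSG_LEN + AUTH_LEN:
        return None
    msg = request[:NTP_MSG_LEN]
    key_id = struct.unpack(">I", request[NTP_MSG_LEN:NTP_MSG_LEN + 4])[0]
    # Minimal server reply: same header with Mode changed to 4 (server).
    reply = bytes([(msg[0] & 0xF8) | 4]) + msg[1:]
    acct = directory.get(key_id)
    if acct is None or acct.disabled:        # key cannot be retrieved
        if flavor == "win2000":
            return reply
        if flavor == "winxp2003":
            return reply + struct.pack(">I", key_id) + ZERO_CHECKSUM
        return None
    return reply + struct.pack(">I", key_id) + crypto_checksum(acct.key, reply)


def client_accept(response: Optional[bytes], key: bytes) -> bool:
    """Client check: accept only a server-mode reply that carries an
    Authenticator with a non-zero checksum verifying under the client's key."""
    if response is None or len(response) != NTP_MSG_LEN + AUTH_LEN:
        return False                          # silence or no Authenticator
    msg, checksum = response[:NTP_MSG_LEN], response[NTP_MSG_LEN + 4:]
    if (msg[0] & 0x07) != 4 or checksum == ZERO_CHECKSUM:
        return False                          # not a server reply / zeroed checksum
    return hmac.compare_digest(checksum, crypto_checksum(key, msg))


if __name__ == "__main__":
    for rid in (1105, 1106, 4242):
        for flavor in ("spec", "win2000", "winxp2003"):
            resp = server_handle(client_request(rid), DIRECTORY, flavor)
            key = DIRECTORY[rid].key if rid in DIRECTORY else bytes(16)
            print(rid, flavor, "silent" if resp is None else f"{len(resp)} bytes",
                  "accepted" if client_accept(resp, key) else "rejected")
```

Only the response for the enabled account 1105 passes client_accept; the Windows 2000 style reply (no Authenticator) and the XP/2003 style reply (zero checksum) are both rejected, and the specification behaviour produces no reply at all. The checksum depends on nothing but the account key and a message any observer of the exchange also sees, which is the basis of Andrew's offline-guessing concern and why restricting which accounts are eligible to act as NTP clients limits the exposure.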

