Should I Keep the NTLM Token in the HTTP Authorization Header a Secret?

This article explores the importance of keeping the NTLM token in the HTTP Authorization header a secret, especially when troubleshooting issues with vendors. It discusses the vulnerabilities of NTLMv1 and the importance of using NTLMv2. It also provides guidance on when to remove the authorization header.

Answer

Yes, you should remove the authorization header unless you are absolutely certain that NTLMv2 was being used.

NTLMv1 is very weak: somebody could easily brute-force the password of your user and then impersonate him or her. With NTLMv2 that is not possible.

Either version of NTLM authenticates the TCP connection with a random challenge/response, so there is no real danger of an attacker reusing the token for impersonation.

Unfortunately, it is not possible to determine which NTLM version was used by looking at the token alone. You really need to check the NTLM security settings for both the client and the server at the time the TCP connection was established. If you cannot do that, remove the authorization header.
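In practice the header you would hand to a vendor sits inside an HTTP capture, and the safe default above is to strip it before sharing. The following helper, added here as an example and not taken from the original answer, does the redaction for you: it finds the NTLM or Negotiate tokens in `Authorization`, `WWW-Authenticate` and the proxy equivalents, base64-decodes each one, and keeps only the NTLMSSP message type (NEGOTIATE, CHALLENGE or AUTHENTICATE) so the trace still shows where in the handshake a request failed. Consistent with the point made above, it makes no attempt to decide whether NTLMv1 or NTLMv2 was negotiated. The tokens in the sample exchange are constructed (a valid `NTLMSSP\0` signature and message type followed by dummy bytes), not captured from a real session; the header names and the placeholder text are my own choice.

```python
import base64
import re

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Auth headers that may carry an NTLM token, either bare ("NTLM") or via SPNEGO ("Negotiate").
HEADER_RE = re.compile(
    r"^(Authorization|Proxy-Authorization|WWW-Authenticate|Proxy-Authenticate):"
    r"\s*(NTLM|Negotiate)\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def classify_ntlm_token(token_b64):
    """Return 'NEGOTIATE', 'CHALLENGE' or 'AUTHENTICATE' for a base64 NTLMSSP token.

    Returns None when the token is not valid base64 or does not start with the
    NTLMSSP signature (e.g. a Kerberos ticket wrapped in a Negotiate header).
    """
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    msg_type = int.from_bytes(raw[8:12], "little")  # MessageType is a little-endian uint32
    return MESSAGE_NAMES.get(msg_type)


def redact_ntlm_headers(http_text):
    """Replace every NTLM/Negotiate token with a placeholder that keeps only the message type."""
    def replace(match):
        header, scheme, token = match.group(1), match.group(2), match.group(3)
        label = classify_ntlm_token(token) or "non-NTLMSSP token"
        return f"{header}: {scheme} <redacted {label}, {len(token)} base64 chars>"
    return HEADER_RE.sub(replace, http_text)


def _constructed_token(msg_type):
    """Build a constructed (not real) NTLMSSP token: signature, message type, dummy payload."""
    body = NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little") + b"\x00" * 20
    return base64.b64encode(body).decode("ascii")


# Constructed three-leg NTLM handshake as it would appear in an HTTP trace.
SAMPLE_EXCHANGE = (
    "GET /report HTTP/1.1\r\nHost: intranet.example\r\n"
    f"Authorization: NTLM {_constructed_token(1)}\r\n\r\n"
    "HTTP/1.1 401 Unauthorized\r\n"
    f"WWW-Authenticate: NTLM {_constructed_token(2)}\r\n\r\n"
    "GET /report HTTP/1.1\r\nHost: intranet.example\r\n"
    f"Authorization: NTLM {_constructed_token(3)}\r\n\r\n"
)

if __name__ == "__main__":
    print(redact_ntlm_headers(SAMPLE_EXCHANGE))
```

The redacted trace still tells the vendor that the client sent a NEGOTIATE, received a CHALLENGE and answered with an AUTHENTICATE message, which is usually all they need to reason about the failure; the challenge/response material itself never leaves your environment. Tokens that do not start with `NTLMSSP\0` (for example a SPNEGO-wrapped Kerberos ticket in a `Negotiate` header) are redacted as well, just without a message type.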
