SOLVED: What is NTLMssp, NTLM, NTLM2, DCOM and SSPI?

What is NTLMssp?

NTLMSSP is the acronym for (Windows) NT LAN Manager Security Support Provider. It is the security package, reached through SSPI, that implements NTLM challenge-response authentication for Windows applications and protocols (DCOM, RPC, SMB, HTTP and others). It proves to a server or domain controller who the user is and can then sign and seal the traffic that follows; it does not carry passwords across the network.

The client never sends the password itself. It derives a hash from the password (for NTLM, the MD4 hash of the UTF-16 password, which looks like a string of random hex) and uses that hash as a key to answer a random challenge issued by the server. Only the answer crosses the wire, so someone sniffing the traffic sees neither the password nor the hash. The caveat is that the hash is password-equivalent: anyone who lifts it from a compromised machine can authenticate with it directly (pass-the-hash), and a captured challenge/response can be attacked offline to recover a weak password.

With NTLM, the client’s identity is represented by a domain name, user name, and a password or token. When a server calls CoQueryClientBlanket, the client’s domain name and user name are returned. However, when a server calls CoImpersonateClient, the client’s token is returned. If there is no trust relationship between client and server and if the server has a local account with the same name and password as the client, that account will be used to represent the client.

learn.microsoft.com/en-us/windows/win32/com/ntlmssp

What is SSPI?

SSPI is the acronym for (Microsoft) Security Support Provider Interface. It is the Win32 API through which an application asks for authentication, message integrity and encryption without caring which security package (NTLM, Kerberos, Negotiate, Schannel) does the work. DCOM uses SSPI for its authentication on all supported versions of Windows.

What is DCOM?

DCOM is the acronym for Distributed Component Object Model, Microsoft's proprietary extension of COM that lets software components on different computers call each other over the network (it runs on top of Microsoft RPC). Because it carries calls between machines, it has to authenticate the caller, which is where SSPI and NTLM come in.

What is NTLM?

NTLM is the acronym for Windows NT LAN Manager. NTLM is:

  • a family of Microsoft proprietary authentication protocols (LM, NTLMv1, NTLMv2)
  • introduced with Windows NT in 1993 as the successor to the LAN Manager scheme
  • built on DES (the NTLMv1 response) and MD4 / HMAC-MD5 (the NT hash and the NTLMv2 response), not on a modern cipher
  • using a challenge-response mechanism: the server sends a random value and the requestor proves it knows the password hash by encrypting or keying that value with it

Windows NT changed the course of computer history because it blocked software from “talking” directly to the hardware, which made computers much more stable. We have a quick history of Windows NT available for you HERE.

NTLM’s cryptography is weak by today’s standards. An NTLMv1 response is three 56-bit DES encryptions of the server’s challenge, so a captured exchange can be brute-forced back to the NT hash in a matter of hours with modern cracking hardware, and even an NTLMv2 response can be attacked offline with a dictionary when the password is weak. It is still radically better than sending the password in plain text, but it should be treated as a legacy protocol and Kerberos preferred wherever it is available.

What is NTLM2?

NTLMv2 (the “NTLM2” of the question) replaces the DES computation with HMAC-MD5 and, more to the point here, puts a timestamp and a client-chosen random value into the blob that the client keys with its password hash. The server’s own random challenge is what ties a response to a single authentication attempt, in both NTLMv1 and NTLMv2; the NTLMv2 timestamp additionally lets the server reject a response that is older than its clock-skew tolerance. Together these stop a hacker from reusing your recorded network traffic in the future.

For instance, say you authenticated to a server at 8:32am to request a password change, and a hacker was recording all of your network traffic at that time. While the hacker could easily:

  1. review that traffic a day or two later,
  2. figure out that your desktop PC made the request to change passwords,
  3. re-inject the same network packets into your network,

your server would ignore it: it issues a new random challenge for the new attempt, so the recorded response no longer matches, and the timestamp inside the recorded response is a day old. What this does not stop is relaying, where an attacker in the middle of a live exchange forwards your fresh response to another server before it expires; that needs SMB and LDAP signing, Extended Protection for Authentication (channel binding) or, better, Kerberos instead of NTLM.
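The following is an added example; it is not code from the original post or from Microsoft. It backs up two points above: that the hash is only ever used as a key and never goes on the wire, and that the 8:32am capture fails when replayed. It computes the NT hash (MD4 of the UTF-16LE password) with a pure-Python MD4 so it runs without OpenSSL’s legacy MD4 provider, builds an NTLMv2 response for the test account Microsoft publishes in the MS-NLMP specification (user "User", domain "Domain", password "Password"), and then plays the capture-and-replay story out on the server side. The 300-second skew window, the two challenge values, the 2024 dates and all function names are constructed for the demo; a real server draws a fresh random challenge for every attempt. NTLMv1’s DES computation is left out.

```python
# Added example (not from the original post). Pure-Python MD4 so it runs
# without OpenSSL's legacy provider; NTLMv1's DES computation is omitted.
import hashlib
import hmac
import struct
from datetime import datetime, timezone

MASK32 = 0xFFFFFFFF
FILETIME_EPOCH = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. The NT hash is MD4 of the UTF-16LE password."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (  # (step function, additive constant, X[] index order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """What the DC stores and what the client keys its response with; never sent on the wire."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 response key (MS-NLMP NTOWFv2): HMAC-MD5 of UPPER(user)+domain keyed by the NT hash."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the server's target info (AvId 2 = domain, 1 = server, 0 = end of list)."""
    data = value.encode("utf-16le")
    return struct.pack("<HH", av_id, len(data)) + data


def filetime(dt: datetime) -> int:
    """Windows FILETIME, the format of the timestamp inside an NTLMv2 blob."""
    return int(dt.timestamp() * 10_000_000) + FILETIME_EPOCH


def ntlmv2_response(key, server_challenge, client_challenge, time_ft, target_info):
    """NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", time_ft)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(key, server_challenge, response, now_ft, max_skew_s=300):
    """Server side: recompute the proof over *this* attempt's challenge, then check the
    client's timestamp. The 300 s window is an assumed policy for the demo."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(proof, expected):
        return "rejected: proof not bound to this challenge"
    client_time = struct.unpack("<Q", temp[8:16])[0]
    if abs(now_ft - client_time) > max_skew_s * 10_000_000:
        return "rejected: stale timestamp"
    return "accepted"


def spec_credentials():
    """Response key and target info for the MS-NLMP 4.2.4 test account."""
    key = ntowf_v2("Password", "User", "Domain")
    target = av_pair(2, "Domain") + av_pair(1, "Server") + av_pair(0, "")
    return key, target


def spec_vector_proof() -> str:
    """NTProofStr for the spec's published vector (time 0, client challenge aa*8)."""
    key, target = spec_credentials()
    return ntlmv2_response(key, bytes.fromhex("0123456789abcdef"), b"\xaa" * 8, 0, target)[:16].hex()


def replay_demo():
    """The 8:32am capture from the text, replayed a day later. Challenges and dates
    are constructed constants; a real server draws a fresh random challenge."""
    key, target = spec_credentials()
    t_capture = datetime(2024, 3, 5, 8, 32, tzinfo=timezone.utc)
    t_replay = datetime(2024, 3, 6, 8, 32, tzinfo=timezone.utc)
    challenge_then, challenge_now = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
    captured = ntlmv2_response(key, challenge_then, b"\xaa" * 8, filetime(t_capture), target)
    return {
        "original": verify_ntlmv2(key, challenge_then, captured, filetime(t_capture)),
        "replay_fresh_challenge": verify_ntlmv2(key, challenge_now, captured, filetime(t_replay)),
        "replay_reused_challenge": verify_ntlmv2(key, challenge_then, captured, filetime(t_replay)),
    }


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    for case, outcome in replay_demo().items():
        print(f"{case}: {outcome}")
```

Running it prints the three verdicts, which show the two independent reasons a replay fails: the recorded proof was computed over a different challenge, and, even against a misconfigured server that reused its challenge, the timestamp embedded in the recorded blob is a day old. Neither check helps against a live relay, where the attacker forwards a fresh response to another server inside the skew window; that is why signing, channel binding or Kerberos are needed on top.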


Published by
Ian Matthews
