Domain security

Andreas 1,331 Reputation points
2023-01-05T19:11:22.58+00:00

Hi,

We have had external parties do a security check, and they have provided us with a report of things we need to investigate. I haven't asked the external parties about this (will not go into that), but I am wondering about something.
Below are 3 problems that they have found; what I am wondering about is whether some of them are related to "The LSASS processes are not protected" or "Disable NTLMv1". The reason for asking this is that for another customer we had another external party check the system, and they also recommended the LSASS and NTLMv1 thing. Now this external party has not said anything about that in the report, so I was wondering if problem 1/2/3 are related to LSASS or NTLMv1?

Problem1: Missing SMB signing
Fix: push SMB signing with GPO

Problem2: LLMNR and NBT-NS Enabled
Fix: Disabling LLMNR can be done via GPO

Problem3: Cached credentials
Fix: It is recommended to implement a Group Policy Object (GPO) that disables the caching of domain credentials where offline logon with domain users is not necessary

Thanks for any comment

/R
Andy


Accepted answer
    Thameur-BOURBITA 36,261 Reputation points Moderator
    2023-01-05T23:53:00.66+00:00

    Hi,

    so I was wondering if problem1/2/3 are related to LSASS or NTLMv1 ?

    My answer is no, there is no relation between LSASS or NTLMv1 and problem 1/2/3.

    NTLMv1 is an authentication protocol and it should be disabled.
    LSASS protection is recommended, and I invite you to read the link below to get more details:

    configuring-additional-lsa-protection

    SMB signing is a feature used to secure the SMB protocol (share and data access).
    LLMNR and NBT-NS are Microsoft Windows components that serve as alternate methods of host identification, and it's recommended to disable them.
    Cached credentials is a feature which lets the user keep his credentials in the cache so that he can log on to a disconnected computer.

    Please don't forget to mark helpful reply as answer

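The three findings in the question and the two related items in the answer all reduce to specific registry-backed policy settings, so they can be audited on a host before and after the GPO is pushed. The script below is an added example, not from the thread or from Microsoft; it assumes it is run in an elevated PowerShell session on the Windows machine being checked, reads the standard locations for these settings, and changes nothing.

```powershell
# Added audit script (not part of the original thread). Reads the effective
# registry values behind each finding and reports PASS/FAIL per check.
# Assumes an elevated session on the host being assessed; read-only.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent => policy not set, OS default applies
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$checks = @(
    # Problem 1: SMB signing must be *required* on both the server and the client side.
    @{ Name = 'SMB signing required (server)'
       Value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
       Pass  = { param($v) $v -eq 1 } },
    @{ Name = 'SMB signing required (client)'
       Value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
       Pass  = { param($v) $v -eq 1 } },
    # Problem 2: LLMNR is off when the "Turn off multicast name resolution" policy sets EnableMulticast = 0.
    @{ Name = 'LLMNR disabled'
       Value = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
       Pass  = { param($v) $v -eq 0 } },
    # Problem 2: NetBIOS over TCP/IP is set per interface (0 = via DHCP, 1 = on, 2 = off); all must be 2.
    @{ Name = 'NBT-NS disabled on all interfaces'
       Value = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
                ForEach-Object { Get-RegValue $_.PSPath 'NetbiosOptions' })
       Pass  = { param($v) @($v).Count -gt 0 -and -not (@($v) | Where-Object { $_ -ne 2 }) } },
    # Problem 3: CachedLogonsCount is a REG_SZ whose default is "10"; "0" disables cached domain logons.
    @{ Name = 'Cached domain logons disabled'
       Value = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
       Pass  = { param($v) $null -ne $v -and [int]$v -eq 0 } },
    # Related items from the answer: LSA protection (RunAsPPL) and NTLMv1/LM refused (LmCompatibilityLevel 5).
    @{ Name = 'LSASS running as PPL'
       Value = Get-RegValue $lsa 'RunAsPPL'
       Pass  = { param($v) $v -ge 1 } },
    @{ Name = 'NTLMv1/LM refused (LmCompatibilityLevel = 5)'
       Value = Get-RegValue $lsa 'LmCompatibilityLevel'
       Pass  = { param($v) $v -eq 5 } }
)

foreach ($c in $checks) {
    $state = if (& $c.Pass $c.Value) { 'PASS' } else { 'FAIL' }
    $shown = if ($null -eq $c.Value) { '<not set>' } else { @($c.Value) -join ',' }
    '{0,-4} {1,-45} value={2}' -f $state, $c.Name, $shown
}
```

A missing value is reported as `<not set>` and counted as FAIL, because for every setting here the OS default is the weaker one (signing negotiated but not required, LLMNR on, ten cached logons, no PPL); the SMB rows can be cross-checked with `Get-SmbServerConfiguration` and `Get-SmbClientConfiguration`.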
