NTLMSSP picked up by our Firewall system

Namless Shelter 216 Reputation points
2023-03-06T05:28:22.9233333+00:00

Dear Friends,

Please help,

I noticed our Firewall picked up lots threat traffic with vulnerability "Microsoft Windows NTLMSSP Detection", I thought we already changed everything to Kerberos. Clearly something is still using NTML. Noticed on server side, it only allows NTLMv2. Not sure if that is OK?

Do you know what device local policies I should restrict on Win10 devices so to get rid of the vulnerability?

Thanks a lot,

ML

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,723 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,747 questions
0 comments No comments
{count} vote

4 answers

Sort by: Most helpful
  1. Limitless Technology 43,921 Reputation points
    2023-03-07T08:33:33.4366667+00:00

    Hello there,

    Windows NT LAN Manager (NTLM) protocol used for Client-Server authentication and NTLM Security Support Provider (NTLMSSP) allows negotiation of challenge-response authentication. NTLM is mostly used for backward compatibility and was replaced by Kerberos. It is considered not secure as it uses outdated cryptography that is vulnerable to several modes of attacks such as brute force and pass-the-hash attacks.

    This is just an informational level signature used to detect when NTLMSSP is used to authenticate and this is not an indication of an attack. The default action is Alert which should not be impacting any production traffic. Significant amount of Alert logs for this particular Threat ID 92322 may be generated if you are using NTLMSSP in your environment, please set an exception with action allow for Threat ID 92322 in the specific Vulnerability Profile attached to the Security Policy .

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer–

    2 people found this answer helpful.

  2. JimmySalian-2011 41,916 Reputation points
    2023-03-06T11:38:54.6566667+00:00

    @Namless Shelter you can follow this link and I guess you have already implemented the server and domain side settings to disabled NTLM? https://howtofix.guide/ntlm-authentication-deactivate/

    Hope this helps.

    JS

    ==

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.


  3. JimmySalian-2011 41,916 Reputation points
    2023-03-06T11:38:55.9366667+00:00

    @Namless Shelter you can follow this link and I guess you have already implemented the server and domain side settings to disabled NTLM? https://howtofix.guide/ntlm-authentication-deactivate/

    Hope this helps.

    JS

    ==

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.


  4. AlexY_72 0 Reputation points
    2023-09-20T17:06:15.7366667+00:00

    Hi everybody,

    I am also facing lots of this alerts from our Firewall.

    Is there a way to troubeshoot if there was a problem when authenticating using Kerberos (server or client side)?

    Since our domain only have 2012 to 2022 win servers and desktops are win 7 to 11, I think if all went good, should not have NTLMSSP authentication for backward compatibility, am I correct?

    Thanks in advance

    Alexandre

    0 comments No comments