This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 87%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Dear Friends,
Please help,
I noticed our Firewall picked up lots threat traffic with vulnerability "Microsoft Windows NTLMSSP Detection", I thought we already changed everything to Kerberos. Clearly something is still using NTML. Noticed on server side, it only allows NTLMv2. Not sure if that is OK?
Do you know what device local policies I should restrict on Win10 devices so to get rid of the vulnerability?
Thanks a lot,
ML
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there,
Windows NT LAN Manager (NTLM) protocol used for Client-Server authentication and NTLM Security Support Provider (NTLMSSP) allows negotiation of challenge-response authentication. NTLM is mostly used for backward compatibility and was replaced by Kerberos. It is considered not secure as it uses outdated cryptography that is vulnerable to several modes of attacks such as brute force and pass-the-hash attacks.
This is just an informational level signature used to detect when NTLMSSP is used to authenticate and this is not an indication of an attack. The default action is Alert which should not be impacting any production traffic. Significant amount of Alert logs for this particular Threat ID 92322 may be generated if you are using NTLMSSP in your environment, please set an exception with action allow for Threat ID 92322 in the specific Vulnerability Profile attached to the Security Policy .
Hope this resolves your Query !!
--If the reply is helpful, please Upvote and Accept it as an answer–
So looks like this is only the information, not really a risk, so we can add it as exception on Palo Alto system, is that right?
Thanks
ML
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Great reply!
@Namless Shelter you can follow this link and I guess you have already implemented the server and domain side settings to disabled NTLM? https://howtofix.guide/ntlm-authentication-deactivate/
Hope this helps.
JS
==
Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.
that is correct. Seems like they are all from laptops...
@Namless Shelter you can follow this link and I guess you have already implemented the server and domain side settings to disabled NTLM? https://howtofix.guide/ntlm-authentication-deactivate/
Hope this helps.
JS
==
Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.
Hi Marshaljs,
I tried lots Network security polices: disabled, still no good. Except the one got pushed from Group policy "Network Security: LAN manager Auth level: NTLM v2 only". Would it be related to this still? What would be the reason why we still use NTLM v2?
Thanks
ML
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 98%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi everybody,
I am also facing lots of this alerts from our Firewall.
Is there a way to troubeshoot if there was a problem when authenticating using Kerberos (server or client side)?
Since our domain only have 2012 to 2022 win servers and desktops are win 7 to 11, I think if all went good, should not have NTLMSSP authentication for backward compatibility, am I correct?
Thanks in advance
Alexandre