NTLMSSP picked up by our Firewall system

Namless Shelter 201 Reputation points
2023-03-06T05:28:22.9233333+00:00

Dear Friends,

Please help,

I noticed our Firewall picked up lots of threat traffic with vulnerability "Microsoft Windows NTLMSSP Detection". I thought we had already changed everything to Kerberos. Clearly something is still using NTLM. I noticed that on the server side, it only allows NTLMv2. Not sure if that is OK?

Do you know what device local policies I should restrict on Win10 devices so as to get rid of the vulnerability?

Thanks a lot,

ML


3 answers

  1. JimmySalian-2011 31,901 Reputation points
    2023-03-06T11:38:54.6566667+00:00

    @Namless Shelter you can follow this link, and I guess you have already implemented the server and domain side settings to disable NTLM? https://howtofix.guide/ntlm-authentication-deactivate/

    Hope this helps.

    JS

    ==

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.


  3. Limitless Technology 25,831 Reputation points
    2023-03-07T08:33:33.4366667+00:00

    Hello there,

    The Windows NT LAN Manager (NTLM) protocol is used for client-server authentication, and the NTLM Security Support Provider (NTLMSSP) allows negotiation of challenge-response authentication. NTLM is mostly used for backward compatibility and was replaced by Kerberos. It is considered not secure as it uses outdated cryptography that is vulnerable to several modes of attack, such as brute-force and pass-the-hash attacks.

    This is just an informational-level signature used to detect when NTLMSSP is used to authenticate, and it is not an indication of an attack. The default action is Alert, which should not impact any production traffic. A significant amount of Alert logs for this particular Threat ID 92322 may be generated if you are using NTLMSSP in your environment; please set an exception with action allow for Threat ID 92322 in the specific Vulnerability Profile attached to the Security Policy.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
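
To find which client is still sending the NTLMSSP traffic discussed in this thread, and whether it is NTLMv1 or NTLMv2, the token itself can be parsed from a captured payload. This is an added example, not part of the original thread: the field offsets follow the MS-NLMP AUTHENTICATE_MESSAGE layout, while the function names and the sample message (domain `CORP`, user `alice`, host `WS01`, zero-filled responses) are constructed for illustration.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"          # every NTLM token starts with these 8 bytes
MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001      # strings are UTF-16LE when set, OEM otherwise

def _field(buf, base, pos):
    """Return the bytes referenced by the (Len, MaxLen, Offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, base + pos)
    return buf[base + offset:base + offset + length]

def describe_ntlmssp(buf):
    """Summarise the first NTLMSSP token found in buf, or return None."""
    base = buf.find(SIGNATURE)
    if base < 0 or len(buf) < base + 12:
        return None
    (mtype,) = struct.unpack_from("<I", buf, base + 8)
    info = {"type": MSG_TYPES.get(mtype, "UNKNOWN")}
    if mtype != 3 or len(buf) < base + 64:
        return info                  # only Type 3 carries the client identity
    (flags,) = struct.unpack_from("<I", buf, base + 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
        info[name] = _field(buf, base, pos).decode(enc, "replace")
    nt_len = len(_field(buf, base, 20))
    # A 24-byte NT response is NTLMv1; NTLMv2 appends a variable-length blob.
    info["version"] = "NTLMv1" if nt_len == 24 else "NTLMv2" if nt_len > 24 else "none"
    return info

def build_sample_authenticate(domain, user, host, nt_len):
    """Constructed Type 3 message with zero-filled responses (no real credentials)."""
    parts = [b"\x00" * 24, b"\x00" * nt_len] + [
        s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    header, payload = SIGNATURE + struct.pack("<I", 3), b""
    for part in parts:               # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    return header + struct.pack("<I", NEGOTIATE_UNICODE) + payload

if __name__ == "__main__":
    sample = b"\xfeSMB" + b"\x00" * 20 + build_sample_authenticate("CORP", "alice", "WS01", 60)
    print(describe_ntlmssp(sample))
```

The workstation and user fields from Type 3 messages identify the hosts and accounts to look at before tightening NTLM policy or adding the firewall exception.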