David McAllister
Copper Contributor
Oct 11, 2018

ATA service account seen using NTLMv1

Hi All,


We're in the process of trying to disable NTLMv1 in our domain. To that end I have enabled NTLM logging on the domain controllers. Specifically, we've set:


Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Set "Audit NTLM authentication in this domain" to enabled for all domain controllers to have visibility of where NTLM might be being used. 


As a result of that I'm seeing NTLMv1 audit events that appear to be generated by ATA, as they use the ATA service account. For example (names removed for privacy):


Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: *Win 10 Client Computer Name*
User name: *ATA Service Account*
Domain name: *Our Domain*
Workstation name: *Domain Controller*
Secure Channel type: 2

Audit NTLM authentication requests within the domain kclad.ds.kcl.ac.uk that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

Can anyone shed some light on why ATA would be doing this and how we can force it to use NTLMv2?

Regards

David

  • When building the lateral movement graph, the Gateways will issue a SAMR request to the endpoint IPs to check local admin members. This will fall back to NTLM, as you can't authenticate using Kerberos to an IP endpoint.

    We are using Negotiate, so if it falls down all the way to NTLMv1, most likely it's a policy definition you have that causes that...

    •
      David McAllister
      Copper Contributor

      Thanks Eli,


      I've had a look and confirmed the Domain Controller policy "Network security: LAN Manager authentication level" is set to 4, i.e.

      • Send NTLMv2 responses only. Refuse LM

      The workstation endpoint is set to 5 

      • Send NTLMv2 responses only. Refuse LM & NTLM


      It's interesting that when I look at the security logs on the endpoint, the corresponding log does not look like it's using NTLMv1:


      Workstation
      An account was successfully logged on.

      Subject:
      Security ID: NULL SID
      Account Name: -
      Account Domain: -
      Logon ID: 0x0

      Logon Information:
      Logon Type: 3
      Restricted Admin Mode: -
      Virtual Account: No
      Elevated Token: No

      Impersonation Level: Impersonation

      New Logon:
      Security ID: DOMAIN\atasvc
      Account Name: atasvc
      Account Domain: DOMAIN
      Logon ID: 0x2DE00E59
      Linked Logon ID: 0x0
      Network Account Name: -
      Network Account Domain: -
      Logon GUID: {00000000-0000-0000-0000-000000000000}

      Process Information:
      Process ID: 0x0
      Process Name: -

      Network Information:
      Workstation Name: DOMAINCONTROLLER04
      Source Network Address: 137.1.1.6
      Source Port: 65141

      Detailed Authentication Information:
      Logon Process: NtLmSsp
      Authentication Package: NTLM
      Transited Services: -
      Package Name (NTLM only): NTLM V2
      Key Length: 128

      This event is generated when a logon session is created. It is generated on the computer that was accessed.


      And here's the corresponding Domain Controller log:


      Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
      Secure Channel name: WORKSTATION
      User name: atasvc
      Domain name: fqdn.domain.com
      Workstation name: DOMAINCONTROLLER04
      Secure Channel type: 2

      Audit NTLM authentication requests within the domain fqdn.domain.com that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

      If you want to allow NTLM authentication requests in the domain fqdn.domain.com, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

      If you want to allow NTLM authentication requests to specific servers in the domain fqdn.domain.com, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain fqdn.domain.com to which clients are allowed to use NTLM authentication.


      Seeing as the Domain Controller is initiating the connection to the endpoint and is configured to send NTLMv2 only, and the endpoint is explicitly refusing NTLMv1, I can't think why I'm seeing these NTLMv1 logs.

      Regards

      David
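The two logs quoted in this reply differ in what they can show: the DC's "Domain Controller Blocked Audit" event only records that NTLM was used and over which secure channel, while the endpoint's 4624 event carries the "Package Name (NTLM only)" field that names the response version. As an added example (not code from this thread or from ATA), here is a Python parser over constructed 4624 message text that keeps only NTLM network logons and lists those whose package is anything other than NTLM V2; the second sample event, with its account name legacyapp and host OLDSCANNER, is invented.

```python
import re

# Constructed 4624 excerpts in Event Viewer's text layout: the first mirrors the
# workstation event quoted above, the second is invented to show an NTLMv1 logon.
SAMPLE_EVENTS = [
    "An account was successfully logged on.\nSubject:\n\tAccount Name:\t-\n"
    "Logon Information:\n\tLogon Type:\t3\nNew Logon:\n\tAccount Name:\tatasvc\n"
    "\tAccount Domain:\tDOMAIN\nNetwork Information:\n"
    "\tWorkstation Name:\tDOMAINCONTROLLER04\n\tSource Network Address:\t137.1.1.6\n"
    "Detailed Authentication Information:\n\tAuthentication Package:\tNTLM\n"
    "\tPackage Name (NTLM only):\tNTLM V2\n",
    "An account was successfully logged on.\nLogon Information:\n\tLogon Type:\t3\n"
    "New Logon:\n\tAccount Name:\tlegacyapp\n\tAccount Domain:\tDOMAIN\n"
    "Network Information:\n\tWorkstation Name:\tOLDSCANNER\n"
    "\tSource Network Address:\t10.0.0.25\n"
    "Detailed Authentication Information:\n\tAuthentication Package:\tNTLM\n"
    "\tPackage Name (NTLM only):\tNTLM V1\n",
]

# 'Field:<whitespace>value'; a line with an empty value is a section header.
FIELD = re.compile(r"^\s*(.+?):\s*(.*?)\s*$")

def parse_4624(text):
    """Map 4624 text to {section: {field: value}}; 'Account Name' occurs in two sections."""
    sections, current = {}, "Header"
    for line in text.splitlines():
        if not (m := FIELD.match(line)):
            continue                      # free text such as the first line
        key, value = m.groups()
        if value:
            sections.setdefault(current, {})[key] = value
        else:
            current = key                 # e.g. 'New Logon:' opens a new section
    return sections

def ntlm_logon_record(text):
    """(account, workstation, source, package) for an NTLM network logon, else None."""
    ev = parse_4624(text)
    auth = ev.get("Detailed Authentication Information", {})
    if (auth.get("Authentication Package") != "NTLM"
            or ev.get("Logon Information", {}).get("Logon Type") != "3"):
        return None
    logon, net = ev.get("New Logon", {}), ev.get("Network Information", {})
    return (f"{logon.get('Account Domain')}\\{logon.get('Account Name')}",
            net.get("Workstation Name"), net.get("Source Network Address"),
            auth.get("Package Name (NTLM only)"))

def weak_ntlm_logons(events):
    """Records whose response is not NTLM V2 (NTLMv1 or LM), which the DC audit alone cannot show."""
    return [r for r in map(ntlm_logon_record, events) if r and r[3] != "NTLM V2"]
```

Run against exported 4624 message text from the accessed endpoints, the output pairs each non-V2 logon with the source host and account, which is the information the DC-side audit lacks.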
