Forum Discussion
Detail on Network Name Resolution
user409
None of our NNR methods relies on any auth whatsoever, so what you are seeing cannot be NNR.
My best guess is that you see SAMR calls over SMB, which are used to remotely detect local group membership on endpoints for lateral movement detection.
For this the sensor will call the Windows API to perform the query against the name of the machine.
This feature is locked to nego by Windows and sadly cannot be "locked" to Kerberos only.
So yes, in cases where for some reason the Kerberos method fails, it will fall back to NTLM.
Options:
1. Check why nego falls back to NTLM (bad machine config?).
2. Lock down NTLM, so NTLM will fail, in which case the query will fail: no detection, but no risk of NTLM usage.
3. Disable this detection completely, which means those calls won't happen any more, but you lose this type of detection (you need to call support for that).
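Option 1 comes down to finding which endpoints see the sensor's SAMR query arrive over NTLM instead of Kerberos. The following is an added example, not code from this thread or from Defender for Identity: it triages endpoint Security event 4624 records (network logons by the sensor host's machine account) and reports per host which authentication package was negotiated. The host names, the account `DC01$` and the records themselves are constructed.

```python
from collections import defaultdict

# Constructed sample of Security event 4624 records as an endpoint would log them
# when a network logon (LogonType 3) from the sensor host's machine account arrives.
# "Computer" is the endpoint that logged the event. All names are hypothetical.
SAMPLE_4624 = [
    {"Computer": "WS01.corp.example", "LogonType": 3, "TargetUserName": "DC01$",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"},
    {"Computer": "WS01.corp.example", "LogonType": 3, "TargetUserName": "DC01$",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"},
    {"Computer": "WS02.corp.example", "LogonType": 3, "TargetUserName": "DC01$",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"Computer": "WS02.corp.example", "LogonType": 3, "TargetUserName": "DC01$",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    {"Computer": "WS03.corp.example", "LogonType": 3, "TargetUserName": "DC01$",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"},
    {"Computer": "WS03.corp.example", "LogonType": 3, "TargetUserName": "DC01$",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5"},
    # An interactive user logon: not a sensor query, so it must be ignored.
    {"Computer": "WS02.corp.example", "LogonType": 2, "TargetUserName": "alice",
     "AuthenticationPackageName": "NTLM", "IpAddress": "-"},
]


def ntlm_fallback_by_host(events, sensor_accounts):
    """Return {endpoint: {"Kerberos": n, "NTLM": n}} counting network logons
    (LogonType 3) from the given sensor machine accounts. Any NTLM count means
    negotiate fell back from Kerberos on that endpoint."""
    counts = defaultdict(lambda: {"Kerberos": 0, "NTLM": 0})
    for ev in events:
        if ev["LogonType"] != 3 or ev["TargetUserName"] not in sensor_accounts:
            continue
        pkg = ev["AuthenticationPackageName"]
        if pkg in ("Kerberos", "NTLM"):
            counts[ev["Computer"]][pkg] += 1
    return dict(counts)


def classify(counts):
    """Split hosts into those that never negotiated Kerberos (the "bad machine
    config" case to investigate first) and those that sometimes fall back."""
    ntlm_only = sorted(h for h, c in counts.items() if c["NTLM"] and not c["Kerberos"])
    mixed = sorted(h for h, c in counts.items() if c["NTLM"] and c["Kerberos"])
    return ntlm_only, mixed


if __name__ == "__main__":
    per_host = ntlm_fallback_by_host(SAMPLE_4624, {"DC01$"})
    never_kerberos, intermittent = classify(per_host)
    print("NTLM only:", never_kerberos)       # ['WS02.corp.example']
    print("intermittent fallback:", intermittent)  # ['WS03.corp.example']
```

On a real estate the records would come from the endpoints' Security logs (or a SIEM), filtered to logon type 3 and the sensor hosts' machine accounts; endpoints that only ever log NTLM are the ones to check for SPN, DNS or name-resolution problems.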
user409, Nov 15, 2023, Copper Contributor
Hey,
Apologies I didn't respond earlier; thanks for the detailed description.
Can you comment on the documentation stating that "No Authentication is performed on any of the ports"? (https://learn.microsoft.com/en-us/defender-for-identity/nnr-policy)
This would contradict the process as you outlined it. Maybe this should be cleared up in the docs?
Edit: re-read your answer, I think the issue here is that we were talking about different things. NNR = no auth. SAMR lookup = with auth.
Thanks again!