NTLM over RDP

Question

I am implementing large ATP solutions and one question that came up is NTL over RDP? Why is this specifically needed for ATP?&nbsp;Thanks&nbsp;

eliofek · Answer

jbchris&nbsp;, It's not actually doing a full NTLM RDP session.
it only sends the first payload as a matter of name resolution.
This is one of the methods we use to resolve an IP to a machine name...When we send the first payload, the target machine sends back interesting info on its&nbsp; identity, then we break the connection.
&nbsp;
Few other customers also mistakenly thought AATP actually opens an RDP session or authenticating via NTLM over&nbsp; RDP, but it is not...

jbchris · Answer

EliOfekThanks, Eli,&nbsp;What are the implications are the customer does not want to open that port on the firewall? Are there other ways to connect to the ATP endpoint besides using the internet? Maybe VPN?&nbsp; &nbsp;

eliofek · Answer

jbchris&nbsp;, Not sure I follow.
This connection is initiated from the sensor (usually installed on the DC) to the endpoint in the network that contacted the DC. in most cases Internet is not involved...&nbsp;In rare cases where the DC is opened to the internet (usually a bad idea) , then if a machine from the internet tried to contact the DC, we will try to "ping" it back via several methods to collect info about it.
&nbsp;
Now, In case the customer blocked RDP ports on all the endpoints in the network, the sensor will still work, but might get hit to some degree in resolution success which my impact detection and false positives. How much? it depends on how well the other methods we use work well in your network...we use several as we are aware that networks can be different, and also endpoints, so when we have several ways, we increase the chances of&nbsp; getting a successful&nbsp; resolution.
&nbsp;

jbchris · Answer

EliOfek&nbsp;Let me see if I can ask the question a better way: (Forgive me if I am missing something)The customer domain is behind a firewall. ATP is in the cloud. The ATP Agents, either DC's or Standalone, need to communicate with ATP in the cloud.&nbsp;&nbsp;How do the event and logs get to the ATP cloud service to analysis?&nbsp; Azure AD Connect? Is there documentation that explains this for me?&nbsp;&nbsp;Thanks&nbsp;

eliofek · Answer

jbchris&nbsp;, not sure how this is related to NTLM or RDP,
But to your last question:
the sensors initiate a connection to the cloud via HTTPS.
You can have the FW opened just for the specific endpoints in azure that you need for your workspace.
Another option is to configure the agents to connect via an internet&nbsp; proxy, if you prefer the DCs more separated, but eventually you need this data transferred to the AATP backend.

Forum Discussion

NTLM over RDP

5 Replies

Resources