NTLM FOR OUTLOOK ANYWHERE + EXCHANGE 2013 -- MITIGATING NTLM RELAY ATTACKS ON DC


Hi there,

We are using Outlook Anywhere, and the following are the settings:

ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

A security alert was raised a couple of days ago stating that NTLM should be disabled on the DCs as it has been attacked.

Below is the alert:

KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)

In order to check for this, I enabled NTLM auditing on my DCs and can see the events related to my client computers connecting to CAS servers and also other servers. I am checking the logs under the following:

Microsoft-Windows-NTLM/Operational

1.

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: XXXXXX
User name: XXXXX
Domain name: XXXXXx
Workstation name: XXXXX
Secure Channel type: 2

2.

Secure Channel name: CAS01
User name: userid
Domain name: xxxxxxx
Workstation name: PC
Secure Channel type: 2

I am not sure what I should do. If I disable NTLM on the DCs, is it going to cause any problems for Outlook connectivity and email flow?

Waiting for your suggestions.

0 Replies
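
Added example, not part of the original post: one way to turn audit entries like the two quoted above into a per-server summary, showing which servers (the "Secure Channel name") pass NTLM authentication to the DC and for which users and workstations. The function names are hypothetical, and the sample messages are constructed in the format shown in the post.

```powershell
function ConvertFrom-NtlmAuditMessage {
    # Parse the "Name: value" lines of one audit message into an object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        $f = @{}
        foreach ($line in $Message -split "`r?`n") {
            if ($line -match '^\s*(Secure Channel name|User name|Domain name|Workstation name|Secure Channel type):\s*(.*?)\s*$') {
                $f[$Matches[1]] = $Matches[2]
            }
        }
        # Ignore messages that do not carry these fields.
        if (-not $f.ContainsKey('Secure Channel name')) { return }
        [pscustomobject]@{
            Server      = $f['Secure Channel name']
            User        = $f['User name']
            Domain      = $f['Domain name']
            Workstation = $f['Workstation name']
            ChannelType = $f['Secure Channel type']
        }
    }
}

function Get-NtlmUsageSummary {
    # Group parsed entries by server; list the distinct users and workstations.
    param([Parameter(Mandatory)][object[]]$Entry)
    $Entry | Group-Object Server | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Server       = $_.Name
            Events       = $_.Count
            Users        = ($_.Group.User | Sort-Object -Unique) -join ', '
            Workstations = ($_.Group.Workstation | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample messages (CAS01, userid and PC are the post's placeholders;
# FILE01, user2 and PC2 are hypothetical).
$header = 'Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.'
$sample = @(
    "$header`nSecure Channel name: CAS01`nUser name: userid`nDomain name: EXAMPLE`nWorkstation name: PC`nSecure Channel type: 2",
    "$header`nSecure Channel name: CAS01`nUser name: user2`nDomain name: EXAMPLE`nWorkstation name: PC2`nSecure Channel type: 2",
    "$header`nSecure Channel name: FILE01`nUser name: userid`nDomain name: EXAMPLE`nWorkstation name: PC`nSecure Channel type: 2"
)

# On a DC, replace $sample with the live log, for example:
#   Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' |
#       Where-Object Message | ForEach-Object { $_.Message }
$entries = $sample | ConvertFrom-NtlmAuditMessage
Get-NtlmUsageSummary -Entry $entries | Format-Table -AutoSize
```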