NTLM FOR OUTLOOK ANYWHERE + EXCHANGE 2013 -- MITIGATING NTLM RELAY ATTACKS ON DC


Hi there,

We are using Outlook Anywhere and the following are the settings:

ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

There was a Security Alert raised recently, a couple of days back, stating that NTLM should be disabled on the DCs as it has been attacked.

Below is the alert:

KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)

In order to check for this I enabled NTLM auditing on my DCs and can see the events related to my client computers connecting to CAS servers and also other servers. I am checking the logs under the below:

Microsoft-Windows-NTLM/Operational

1.

Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: XXXXXX
User name: XXXXX
Domain name: XXXXXx
Workstation name: XXXXX
Secure Channel type: 2

2.

Secure Channel name: CAS01
User name: userid
Domain name: xxxxxxx
Workstation name: PC
Secure Channel type: 2

I am not sure what I should do, so if I disable NTLM on the DCs, is it going to cause any problem for Outlook connectivity and the email flow?

Waiting for your suggestions.
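Whether blocking NTLM on the DCs breaks Outlook Anywhere depends on which servers are still forwarding NTLM authentications through them, and the audit events quoted above are exactly the inventory needed to find out. The script below is an added example, not part of the original post and not Microsoft's code: it reads the "Domain Controller Blocked Audit" events (event ID 8004) from Microsoft-Windows-NTLM/Operational, parses the same fields shown in the post, and summarizes them per forwarding server; the CAS server names in $CasServers are placeholders to replace with your own.

```powershell
# Added example: summarize NTLM audit events (ID 8004, "Domain Controller Blocked Audit")
# from Microsoft-Windows-NTLM/Operational on a DC, so that NTLM consumers such as the
# Exchange CAS servers are identified before NTLM is restricted.
# Assumptions: NTLM auditing is already enabled on the DC (as in the post) and the
# script runs on the DC with rights to read the log. $CasServers holds placeholder names.
param(
    [string[]]$CasServers = @('CAS01', 'CAS02'),   # placeholder Exchange CAS names
    [int]$Days = 7
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8004
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Warning "No 8004 events found since $since"; return }

# Each message carries 'Field: value' lines like those quoted in the post; parse them.
$records = foreach ($e in $events) {
    $f = @{}
    foreach ($line in ($e.Message -split "`r?`n")) {
        if ($line -match '^\s*(Secure Channel name|User name|Domain name|Workstation name|Secure Channel type)\s*:\s*(.*)$') {
            $f[$matches[1]] = $matches[2].Trim()
        }
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Server      = $f['Secure Channel name']   # server that forwarded the NTLM auth to the DC
        User        = $f['User name']
        Domain      = $f['Domain name']
        Workstation = $f['Workstation name']
        IsCas       = ($CasServers -contains $f['Secure Channel name'])
    }
}

# Per forwarding server: how many events, distinct users and workstations would be affected
# if NTLM were blocked, and whether that server is one of the Exchange CAS servers.
$records | Group-Object Server | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Server       = $_.Name
        Events       = $_.Count
        Users        = ($_.Group.User | Sort-Object -Unique).Count
        Workstations = ($_.Group.Workstation | Sort-Object -Unique).Count
        ExchangeCAS  = $_.Group[0].IsCas
    }
} | Format-Table -AutoSize
```

Run it on each DC over a window long enough to cover normal usage, since a server that appears here with many users is one whose clients would lose NTLM authentication if the DC policy moved from Audit to Deny.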
