Use only Kerberos, disable NTLMv2


Hi everyone,

In order to fix the security breach "Microsoft ADV210003: Mitigating NTLM Relay Attacks", I would like to disable NTLM completely. To be sure to avoid any impact, I decided to audit the logons in my infrastructure, in order to list whether some application uses it and to monitor the user logon process. So I've enabled NTLM auditing through GPO on some servers. I would like to understand the behavior I experience and get confirmation whether this is normal behavior ...

When I log on through RDP on a server (the time is provided to help understand the request order):

- At 1:46:00 PM, this server shows in the security log an event ID 4624 logon process with NTLMv2 =>

"Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2"

- At 1:46:00 PM, this server shows in the "Application and Services Logs -> Microsoft -> Windows -> NTLM" section of the Event Viewer an event ID 8003

"NTLM server blocked in the domain audit: Audit NTLM authentication in this domain"

- At 1:46:03, on my domain controller, I see in the security event log an event ID 4624

"An account was successfully logged on" with "Logon Process: Kerberos" & "Authentication Package: Kerberos"

My question is the following: why, during the logon process, is NTLMv2 used first instead of Kerberos? Kerberos should be the default authentication protocol, shouldn't it?

Thanks in advance for your support on this difficult topic (for me ;)

Regards,

Bernard
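
As an added example (not part of the original post), the following PowerShell script inventories the two kinds of events described above on a server with "Audit NTLM authentication in this domain" enabled: Security event 4624 entries whose authentication package is NTLM, and 8003 entries from the NTLM operational log. It assumes it runs elevated on the server (or with -ComputerName against it) and that the Microsoft-Windows-NTLM/Operational log is enabled; the computer name and time window are parameters.

```powershell
# Added example: list which accounts, workstations and logon types still
# authenticate with NTLM on a server, so dependencies can be found before
# NTLM is disabled. Assumes an elevated session and enabled event logs.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Security 4624 logons whose "Authentication Package" is NTLM.
$ntlmLogons = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType        # 10 = RemoteInteractive (RDP), 3 = Network
                Package     = $d.LmPackageName    # e.g. "NTLM V2"
                Workstation = $d.WorkstationName
                SourceIP    = $d.IpAddress
            }
        }
    }

# 2. Matching 8003 audit events from the NTLM operational log.
$ntlmAudit = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8003
        StartTime = $since
    } -ErrorAction SilentlyContinue

# Summarise the remaining NTLM users by account, workstation and logon type.
$ntlmLogons | Group-Object User, Workstation, LogonType |
    Select-Object Count, @{ n = 'User, Workstation, LogonType'; e = { $_.Name } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

"{0} NTLM logon(s) and {1} NTLM audit (8003) event(s) on {2} in the last {3}h" -f `
    @($ntlmLogons).Count, @($ntlmAudit).Count, $ComputerName, $Hours
```

Run it against each server in the audit scope and compare the 4624 time stamps with the 8003 entries, as done by hand in the post, to confirm which logons the domain audit policy is reporting.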
