
Disabling NTLM Authentication on Domain Controllers

Reject authentications to domain controllers sent over NTLM.

What was Affected (in my environment)

  • Synology shared drives
  • RDP via Linux clients (not joined to the domain)
  • Papercut (IP referenced in config)
  • Radius (IP-based)

GPO to Disable NTLM

  • Domain Controllers / Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Network security: Restrict NTLM: Incoming NTLM traffic = Deny All Accounts

Fix for Shared Drives

GPO to allow NTLM connections, but only for the specified clients:

  • Domain Controllers / Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Network security: Restrict NTLM: Add server exceptions in this domain =

    shareddrives
    shareddrives.example.com
    
    • Does this reopen the PetitPotam or other relay attack vulnerabilities?
    • No. SMB signing is enabled (this should prevent NTLM relay attacks, based on my understanding of the exploits)
      • In the Synology GUI: Control Panel > Domain/LDAP > Domain Options > Enable server signing: force
    • Worth noting, there's a performance degradation tradeoff, though
      • SMB1 should be disabled; SMB2 & SMB3 should be enabled on Synology servers

Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and “man in the middle” attacks. source

Fix for RDP from Linux clients

Authenticate with a Kerberos ticket obtained before connecting, instead of NTLM.

Generate a Kerberos Ticket on Debian

The realm part is case-sensitive and must be upper case:

kinit mydomainuser@EXAMPLE.COM

Using RDP

After getting the Kerberos ticket, I still had to make some changes in Remmina (my choice of RDP client on Linux):

What changed between NTLM auth and Kerberos auth?

  • Under Basic:
    • Domain must be specified
    • Username must be the full user@example.com instead of just user
    • The server field must be the FQDN; using an IP address fails
  • Under Advanced:
    • Security protocol negotiation must be set to TLS protocol security

Auto-renewing Kerberos tickets

Optional: kstart
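The Remmina checklist above and the ticket-renewal note can be folded into one small wrapper. The script below is an added example, not part of the original notes: it builds the principal with an upper-case realm, refuses an IP address as the RDP target (service tickets are issued for host names), gets a renewable ticket only when the cache has no valid one, and keeps it renewed with krenew from the kstart package. It assumes MIT Kerberos (kinit/klist), kstart and Remmina are installed; EXAMPLE.COM and the host names are placeholders. The TLS negotiation setting still has to be made in the Remmina profile itself.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes MIT Kerberos
# (kinit/klist), the kstart package (krenew) and Remmina; EXAMPLE.COM
# and the host names below are placeholders.

REALM="${KRB_REALM:-EXAMPLE.COM}"

# Build the full principal: Remmina wants user@example.com, and kinit
# needs the realm in upper case because Kerberos realms are case-sensitive.
principal_for() {
    user="$1"
    case "$user" in
        *@*) name="${user%@*}"; realm="${user#*@}" ;;
        *)   name="$user";      realm="$REALM" ;;
    esac
    printf '%s@%s\n' "$name" "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
}

# Kerberos service tickets are tied to the host's name, so an IP address
# as the RDP target will not work. Require a dotted name that is not an
# IPv4 literal.
is_fqdn() {
    case "$1" in
        *.*) ;;                         # at least one dot required
        *)   return 1 ;;
    esac
    if printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        return 1                        # all-numeric labels: an IPv4 address
    fi
    return 0
}

# Obtain a renewable TGT if the cache has no valid one, then keep it
# renewed in the background so a long RDP session does not outlive it.
ensure_ticket() {
    princ="$1"
    if klist -s 2>/dev/null; then       # -s: silent, exit 1 if no valid ticket
        return 0
    fi
    kinit -r 7d "$princ" || return 1    # -r: ask for a renewable ticket (up to 7 days)
    krenew -K 60 -b                     # renew every 60 minutes, in the background
}

# Wrapper: validate the target, make sure a ticket exists, then launch Remmina
# with the full user@example.com name and the server FQDN.
rdp_connect() {
    user="$1"; host="$2"
    princ="$(principal_for "$user")"
    if ! is_fqdn "$host"; then
        echo "refusing '$host': use the server's FQDN, not an IP address" >&2
        return 2
    fi
    ensure_ticket "$princ" || return 1
    lower_princ="$(printf '%s' "$princ" | tr '[:upper:]' '[:lower:]')"
    remmina -c "rdp://$lower_princ@$host"   # -c: connect to a URI or profile
}

# usage: rdp_connect mydomainuser rdp-host.example.com
```

The three checks mirror the three things that changed between NTLM and Kerberos in Remmina: full user name, explicit realm/domain, and FQDN rather than IP. klist -s is what makes the wrapper safe to run repeatedly; it only prompts for a password when the cache is empty or expired.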


Fix for Papercut

Pending testing


Fix for Radius

Pending testing; some AP controllers only accept an IP address for the RADIUS server and error out on an FQDN. Looking for workarounds.

  • Most APs are set to use the FQDN in their RADIUS server settings