DEV Community

ASPBR Tech

Originally published at aspbrtech.com

Disabling NTLM by Default

Introduction to NTLM

NTLM (NT LAN Manager) is a suite of security protocols used for authentication and session security in Microsoft environments. While it provides a certain level of security, NTLM has been largely superseded by more modern and secure authentication protocols like Kerberos. Disabling NTLM can significantly improve the security posture of your network by reducing the attack surface.

Problem Context

NTLM is an older protocol with known vulnerabilities, making it a target for attackers. By default, many systems still have NTLM enabled, which can lead to security risks if not properly managed. Disabling NTLM by default is a recommended best practice to enhance security and comply with modern security standards.

Step-by-Step Guide to Disabling NTLM

Disabling NTLM involves configuring both client and server settings. Here's how you can do it:

For Windows Clients

On Windows clients, you can disable NTLM through the Local Group Policy Editor or via registry edits. To do this through the Group Policy Editor:

  1. Open the Local Group Policy Editor (gpedit.msc).
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  3. Find the policy named Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.
  4. Enable this policy and set the option to Deny All.

Alternatively, you can achieve this through a registry edit:

rem The policy value lives under Lsa\MSV1_0. 2 = Deny all; 1 = Audit all logs what would be blocked without blocking it
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f

For Linux Clients

On Linux systems, especially those joined to Active Directory, you may need to configure authentication to prefer Kerberos over NTLM. This is usually done in the sssd or PAM configuration.

For example, to configure sssd to use Kerberos, you might add the following lines to your sssd.conf file:

[sssd]
config_file_version = 2
services = nss, pam
domains = yourdomain.com

[domain/yourdomain.com]
# Active Directory provider: identity, authentication, access control and
# password changes all go through the AD backend, which authenticates with Kerberos
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
# Use the POSIX uid/gid attributes stored in AD rather than generated ID mappings
ldap_id_mapping = False
use_fully_qualified_names = True
fallback_homedir = /home/%u
default_shell = /bin/bash
# LDAP lookups bind with the host keytab via GSSAPI (Kerberos), not NTLM
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/yourhost@YOURDOMAIN.COM
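A quick way to confirm that an sssd.conf like the one above actually routes authentication through Kerberos is to lint it before deploying. The checker below is an added example and is not part of the original post or of the sssd project; it parses the file with Python's configparser and flags any declared domain whose auth_provider is not Kerberos-backed, whose LDAP binds are not GSSAPI, or that has no matching section. The two sample configurations are constructed for the example (the first is the post's own configuration, the second a weakened variant), and the sssd defaults assumed in the comments (auth_provider falls back to id_provider; the ad and ipa providers default ldap_sasl_mech to GSSAPI) should be checked against the sssd.conf man page for your version.

```python
"""Lint an sssd.conf so that every domain authenticates via Kerberos, not NTLM or simple LDAP binds."""
import configparser

# Providers whose authentication path is Kerberos (ad and ipa use krb5 under the hood).
KERBEROS_PROVIDERS = {"ad", "ipa", "krb5"}
# Providers that, as far as this checker assumes, default ldap_sasl_mech to GSSAPI.
GSSAPI_BY_DEFAULT = {"ad", "ipa"}

# Constructed sample: the configuration shown in the post.
PAGE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = yourdomain.com

[domain/yourdomain.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = False
use_fully_qualified_names = True
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/yourhost@YOURDOMAIN.COM
"""

# Constructed weak variant: plain LDAP provider, no SASL, plus a domain with no section.
WEAK_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = yourdomain.com, legacy.local

[domain/yourdomain.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc01.yourdomain.com
ldap_search_base = dc=yourdomain,dc=com
"""


def load_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off because values such as /home/%u contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def check_sssd_conf(text):
    """Return a list of findings; an empty list means every declared domain is Kerberos-backed."""
    cp = load_sssd_conf(text)
    findings = []
    declared = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for name in declared:
        section = f"domain/{name}"
        if not cp.has_section(section):
            findings.append(f"{name}: listed in [sssd] domains but has no [{section}] section")
            continue
        id_prov = cp.get(section, "id_provider", fallback="")
        # Assumed sssd default: auth_provider falls back to id_provider when unset.
        auth_prov = cp.get(section, "auth_provider", fallback=id_prov)
        if auth_prov not in KERBEROS_PROVIDERS:
            findings.append(f"{name}: auth_provider={auth_prov or '(unset)'} is not Kerberos-backed")
        default_sasl = "GSSAPI" if id_prov in GSSAPI_BY_DEFAULT else ""
        sasl = cp.get(section, "ldap_sasl_mech", fallback=default_sasl)
        if sasl.upper() != "GSSAPI":
            findings.append(f"{name}: ldap_sasl_mech={sasl or '(unset)'}; LDAP lookups will not use Kerberos")
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", PAGE_CONF), ("weak config", WEAK_CONF)):
        print(f"{label}: {check_sssd_conf(conf) or 'OK'}")
```

Run it against your own file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`; the post's configuration produces no findings, while the weakened variant is flagged on both the simple-bind provider and the undeclared domain.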

Practical Tips

  • Monitor Your Environment: Before making changes, monitor your environment to understand which applications or services rely on NTLM. This will help you assess the impact of disabling NTLM.
  • Test Thoroughly: After configuring the changes, thoroughly test all affected systems and applications to ensure no disruptions occur.
  • Maintain Documentation: Keep detailed documentation of the changes made and the reasoning behind them. This is crucial for future audits and troubleshooting.
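The "Monitor Your Environment" tip maps directly onto the policy from the Windows section: setting RestrictSendingNTLMTraffic to 1 (Audit all) instead of 2 makes the client write event 8001 to the Microsoft-Windows-NTLM/Operational log for every outgoing NTLM authentication that Deny all would later block, and the server-side audit writes event 8002 for incoming ones. The script below is an added example, not code from the post; it summarises such an export (as produced by `wevtutil qe Microsoft-Windows-NTLM/Operational /f:xml`, which emits bare `<Event>` elements) by remote server and client process so you can see which applications still depend on NTLM. The records are constructed for the example, and the EventData field names used (TargetName, ProcessName, Workstation) are assumed from the 8001/8002 schema; compare them with your own export before relying on them.

```python
"""Summarise NTLM audit events (8001 outgoing, 8002 incoming) before switching Restrict NTLM to Deny all.

Input is the XML from `wevtutil qe Microsoft-Windows-NTLM/Operational /f:xml`:
a sequence of <Event> elements with no enclosing root element.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

OUTGOING_AUDIT = 8001  # client side: outgoing NTLM that "Deny all" would block
INCOMING_AUDIT = 8002  # server side: incoming NTLM that would be blocked

# Constructed sample export, not real telemetry. Field names are assumed from the
# 8001/8002 event schema; verify against your own export.
SAMPLE_EXPORT = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-NTLM"/><EventID>8001</EventID>
  <Computer>WS01.yourdomain.com</Computer></System>
  <EventData>
    <Data Name="TargetName">fileserver01</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="ClientUserName">alice</Data>
    <Data Name="ClientDomainName">YOURDOMAIN</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-NTLM"/><EventID>8001</EventID>
  <Computer>WS01.yourdomain.com</Computer></System>
  <EventData>
    <Data Name="TargetName">fileserver01</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="ClientUserName">alice</Data>
    <Data Name="ClientDomainName">YOURDOMAIN</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-NTLM"/><EventID>8001</EventID>
  <Computer>WS01.yourdomain.com</Computer></System>
  <EventData>
    <Data Name="TargetName">legacysrv</Data>
    <Data Name="ProcessName">C:\Program Files\LegacyApp\app.exe</Data>
    <Data Name="ClientUserName">alice</Data>
    <Data Name="ClientDomainName">YOURDOMAIN</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-NTLM"/><EventID>8002</EventID>
  <Computer>SRV01.yourdomain.com</Computer></System>
  <EventData>
    <Data Name="Workstation">WS07</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="UserName">bob</Data>
    <Data Name="DomainName">YOURDOMAIN</Data>
  </EventData>
</Event>
"""


def _event_data(event):
    """Flatten <EventData><Data Name=...> children into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def summarize_ntlm_events(xml_text):
    """Return a Counter keyed by (event_id, peer, process).

    peer is the remote server for outgoing (8001) records and the calling
    workstation for incoming (8002) records; other event IDs are skipped.
    """
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # wrap the root-less export
    counts = Counter()
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", default="0", namespaces=NS))
        if event_id not in (OUTGOING_AUDIT, INCOMING_AUDIT):
            continue
        data = _event_data(ev)
        peer = data.get("TargetName") if event_id == OUTGOING_AUDIT else data.get("Workstation")
        counts[(event_id, peer or "?", data.get("ProcessName", "?"))] += 1
    return counts


def report(counts, limit=10):
    """Human-readable lines, most frequent NTLM dependency first."""
    lines = []
    for (event_id, peer, process), n in counts.most_common(limit):
        direction = "outgoing to" if event_id == OUTGOING_AUDIT else "incoming from"
        lines.append(f"{n:4d}  {direction} {peer}  via {process}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize_ntlm_events(SAMPLE_EXPORT))))
```

Feed it the export from each client after a representative period in audit mode; an entry like the LegacyApp one above is exactly the dependency that needs fixing or an exception before the policy moves to Deny all.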

Conclusion

Disabling NTLM by default is a critical step in enhancing the security of your network. By following the steps outlined above and considering the practical tips provided, you can effectively reduce the risk associated with using an outdated authentication protocol. Remember, security is an ongoing process, and staying up to date with the latest best practices is key to protecting your environment.
