topic Re: NTLM V1 Required by Identity in Cloud Firewall

NTLM V1 Required by Identity

Parauser — Mon, 03 May 2021 18:22:49 GMT

I don't understand Checkpoint's position on this. There are numerous security flaws with NTLM v1 and in addition to various security scanning tools, Microsoft is strongly advising the retirement of NTLM v1. But Checkpoint identity solution requires it for their identity solution, and specifically requires it be enabled on domain controllers. It is pretty audacious for Checkpoint to say this is not a Checkpoint issue.

Solution
This is not a Check Point issue.

To fix this issue:

Open the Local Group Policy Editor from the DC: Windows key + R.

Type gpedit.msc and click on OK.

Go to Security Settings > Local Policies > Security Options.

Find the key LAN Manager authentication level. If it is set to "NTVLM2 only", change it to LM and NTVLM and V2 if negotiated or Not Defined.

Re: NTLM V1 Required by Identity

Lari_Luoma — Mon, 03 May 2021 20:53:08 GMT

NTLM v2 is supported and can be enabled. By default it’s disabled. See the admin guide for the relevant version for instructions how to enable it.

Re: NTLM V1 Required by Identity

Parauser — Mon, 03 May 2021 21:45:19 GMT

while i am hoping your response is correct, it make no sense. Why didn't the original checkpoint guidance (posted in the OP) provide the instructions on how to enable NTLMv2 in checkpoint instead of instruct the poster how to downgrade Windows to accept NTLM v1 ?

Re: NTLM V1 Required by Identity

Lari_Luoma — Tue, 04 May 2021 01:01:09 GMT

What exactly doesn’t make sense? The fact that Check Point (not checkpoint) supports NTLMv2? What is this post that you refer to? The official resource of information is the admin guide.

Re: NTLM V1 Required by Identity

PhoneBoy — Tue, 04 May 2021 01:11:48 GMT

Assuming you're talking about AD Query, you can enable NTLMv2 as described here: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk91462
That said, you should probably be using Identity Collector instead.
If this isn't what you're referring to, please provide some additional context.

Re: NTLM V1 Required by Identity

Parauser — Tue, 04 May 2021 13:56:11 GMT

Please see SK 161972 of which I copied the main part into the OP. When we deployed the registry so that the domain controllers would not authenticate NTLM V1, we started seeing the exact behavior from the SK. The SK says this is not a Checkpoint issue and gives the instructions on how to allow the DCs to use NTLM V1 instead of referencing how to enable Checkpoint to use NTLM v2. Perhaps it is just a recent ability to use V2 since the article.

Re: NTLM V1 Required by Identity

PhoneBoy — Tue, 04 May 2021 16:14:24 GMT

What specifically are you implementing this on?
Because this SK is specific to older SMB appliances, not CloudGuard (where you posted this) and believe it is specific to using AD Query.

Re: NTLM V1 Required by Identity

Parauser — Tue, 04 May 2021 16:55:37 GMT

We are having the exact the issue described in the SK. We are running identity with Identity Collector. We are also using LDAP account units on the the management server. When we disallowed NTLM V1 on the domain controllers and only allowed v2, we started getting the exact behaviour defined in the SK (authentication bad password because the domain controller can no longer authenticate with ntlm v1. The SK said the solution is to go back and allow NTLM v1 on the domain controller which really is not a solution at all.

Re: NTLM V1 Required by Identity

PhoneBoy — Tue, 04 May 2021 21:53:44 GMT

Hm... @Royi_Priov can you comment on this?

Re: NTLM V1 Required by Identity

Royi_Priov — Wed, 05 May 2021 06:19:51 GMT

Hi @Parauser ,

The feature in question is AD Query, which does support NTLMv2 by default (and can be controled with adlogconfig command).

The solution you have mentioned is relevant to SMB products, and seems to be out of date - I will handle it.

In a general note, NTLMv1 is not mandatory to be used, and we understand the security concerns. Therefore it is not required by ADQ or any other identity source IDA offers.