Parauser
Participant

NTLM V1 Required by Identity

I don't understand Checkpoint's position on this. There are numerous security flaws with NTLM v1, and in addition to various security scanning tools, Microsoft is strongly advising the retirement of NTLM v1. But Checkpoint's identity solution requires it, and specifically requires it be enabled on domain controllers. It is pretty audacious for Checkpoint to say this is not a Checkpoint issue.


Solution
This is not a Check Point issue.

To fix this issue:

Open the Local Group Policy Editor from the DC: Windows key + R.

Type gpedit.msc and click on OK.

Go to Security Settings > Local Policies > Security Options.

Find the key LAN Manager authentication level. If it is set to "NTLMv2 only", change it to "LM and NTLM and V2 if negotiated" or Not Defined.

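The SK procedure above edits the "LAN Manager authentication level" policy, which Windows stores as the LmCompatibilityLevel registry value. The following added example (not from the thread, the SK, or Check Point) reads that value on one or more domain controllers and reports whether each one still accepts NTLMv1 from clients; the function name and the -ComputerName parameter are my own.

```powershell
# Added example: audit the "LAN Manager authentication level" setting the SK
# tells administrators to change, so you can see which DCs would still
# accept NTLMv1 and which one refuses it (the state that triggers the SK symptom).
function Get-LmCompatibilityAudit {
    [CmdletBinding()]
    param(
        # Audits the local host by default; pass DC names to check several.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Documented meanings of LmCompatibilityLevel 0..5 (policy option names).
    $levelNames = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    # Group Policy writes the setting here; the value is absent when Not Defined.
    $readLevel = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        (Get-ItemProperty -Path $key -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }

    foreach ($dc in $ComputerName) {
        if ($dc -eq $env:COMPUTERNAME) {
            $level = & $readLevel
        } else {
            $level = Invoke-Command -ComputerName $dc -ScriptBlock $readLevel
        }

        # Only level 5 refuses inbound NTLM (v1) as a server. Levels 0-4 and
        # Not Defined (OS default) still accept NTLMv1, which is what the SK
        # workaround of lowering the level relies on.
        $defined = $null -ne $level
        [pscustomobject]@{
            ComputerName         = $dc
            LmCompatibilityLevel = if ($defined) { [int]$level } else { 'Not Defined' }
            PolicyName           = if ($defined) { $levelNames[[int]$level] } else { 'Not Defined (OS default applies)' }
            AcceptsNtlmV1Inbound = (-not $defined) -or ([int]$level -lt 5)
        }
    }
}

Get-LmCompatibilityAudit | Format-Table -AutoSize
```

Run it against all DCs (for example `Get-LmCompatibilityAudit -ComputerName (Get-ADDomainController -Filter *).HostName`) before and after changing the policy, so a DC that was quietly lowered to accept NTLMv1 for the sake of an identity source shows up in the report.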
9 Replies
Lari_Luoma
Employee

NTLM v2 is supported and can be enabled. By default it’s disabled. See the admin guide for the relevant version for instructions how to enable it.

Parauser
Participant

While I am hoping your response is correct, it makes no sense. Why didn't the original Checkpoint guidance (posted in the OP) provide the instructions on how to enable NTLMv2 in Checkpoint instead of instructing the poster how to downgrade Windows to accept NTLM v1?

Lari_Luoma
Employee

What exactly doesn’t make sense? The fact that Check Point (not checkpoint) supports NTLMv2? What is this post that you refer to? The official resource of information is the admin guide.

PhoneBoy
Admin

Assuming you're talking about AD Query, you can enable NTLMv2 as described here: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve... 
That said, you should probably be using Identity Collector instead. 
If this isn't what you're referring to, please provide some additional context. 

Parauser
Participant

Please see SK 161972, of which I copied the main part into the OP. When we deployed the registry so that the domain controllers would not authenticate NTLM V1, we started seeing the exact behavior from the SK. The SK says this is not a Checkpoint issue and gives the instructions on how to allow the DCs to use NTLM V1 instead of referencing how to enable Checkpoint to use NTLM v2. Perhaps it is just a recent ability to use V2 since the article.

PhoneBoy
Admin

What specifically are you implementing this on?
Because this SK is specific to older SMB appliances, not CloudGuard (where you posted this), and I believe it is specific to using AD Query.

Parauser
Participant

We are having the exact issue described in the SK. We are running identity with Identity Collector. We are also using LDAP account units on the management server. When we disallowed NTLM V1 on the domain controllers and only allowed v2, we started getting the exact behaviour defined in the SK (authentication bad password because the domain controller can no longer authenticate with NTLM v1). The SK said the solution is to go back and allow NTLM v1 on the domain controller, which really is not a solution at all.

PhoneBoy
Admin

Hm... @Royi_Priov can you comment on this?

Royi_Priov
Employee

Hi @Parauser ,

The feature in question is AD Query, which does support NTLMv2 by default (and can be controlled with the adlogconfig command).

The solution you have mentioned is relevant to SMB products, and seems to be out of date; I will handle it.


On a general note, NTLMv1 is not mandatory, and we understand the security concerns. Therefore it is not required by ADQ or any other identity source IDA offers.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D