This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ryan_Ryan
Advisor
‎2024-06-21 08:23 PM

NTLM hardening

Hi we use Identity awareness but only with terminal server and single user agents installed on the PC. Our server admins can see the IA service account logging into the domain with ntlmv1, we have selected "Kerberos" under the ldap account unit, is my understanding correct that they can disable ntlmv1 server side and Check Point will just start negotiating it use ntlmv2? Is there anything I need to do on the CP side?

R81.10

 

thanks

Labels
0 Kudos
4 Replies
Ruan_Kotze
Advisor
‎2024-06-22 01:03 AM

You'd need to run 'adlogconfig' on as well.  Check out the "Use AD Query with NTLMv2" in the IA Admin Guide.

Ryan_Ryan
Advisor
‎2024-06-23 02:24 PM
In response to Ruan_Kotze

thanks but I am wondering is that really required if we are not running adquery?

0 Kudos
the_rock
Legend
Legend
‎2024-06-23 04:43 PM
In response to Ryan_Ryan

I think it might be required.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-24 12:06 PM

Make sure the Domain Controller is set to "Send NTLMv2 response only and refuse LM and NTLM."
This is required where you want to force NTLMv2 in places.
I thought the Identity Agents were using Kerberos by now?
Make sure you're on the most recent version here: https://support.checkpoint.com/results/sk/sk134312 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top