Ryan_Ryan
Advisor

NTLM hardening

Hi, we use Identity Awareness, but only with Terminal Server and single-user agents installed on the PC. Our server admins can see the IA service account logging into the domain with NTLMv1. We have selected "Kerberos" under the LDAP Account Unit; is my understanding correct that they can disable NTLMv1 server-side and Check Point will just start negotiating NTLMv2? Is there anything I need to do on the CP side?

R81.10


thanks

0 Kudos
4 Replies
Ruan_Kotze
Advisor

You'd need to run 'adlogconfig' as well. Check out "Use AD Query with NTLMv2" in the IA Admin Guide.

Ryan_Ryan
Advisor

Thanks, but I am wondering: is that really required if we are not running AD Query?

0 Kudos
the_rock
Legend

I think it might be required.

0 Kudos
PhoneBoy
Admin

Make sure the Domain Controller is set to "Send NTLMv2 response only and refuse LM and NTLM."
This is required where you want to force NTLMv2 in places.
I thought the Identity Agents were using Kerberos by now?
Make sure you're on the most recent version here: https://support.checkpoint.com/results/sk/sk134312 

0 Kudos
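Added example (not posted by anyone in this thread, and not Check Point code): a PowerShell script for the Domain Controller side of the advice above. It reads the registry form of the "Send NTLMv2 response only. Refuse LM & NTLM" policy (LmCompatibilityLevel 5), optionally sets it, and then lists recent Security-log 4624 logons that still used NTLMv1, so you can confirm which accounts (for example the IA service account) would break before the DC refuses NTLMv1. It assumes it runs elevated on a DC with logon auditing enabled; the account filter pattern is a placeholder.

```powershell
# Added example, not from this thread's participants or from Check Point.
# Assumes: run as administrator on a Domain Controller, "Audit Logon" enabled.
# LmCompatibilityLevel 5 is the registry form of the policy
# "Send NTLMv2 response only. Refuse LM & NTLM".

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NtlmLevel {
    # Returns the current LmCompatibilityLevel, or $null when the value is
    # absent (the OS default then applies).
    $v = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [int]$v.LmCompatibilityLevel
}

function Set-NtlmLevelRefuseLmAndNtlm {
    # On a domain member or DC this setting is normally pushed by Group Policy
    # ("Network security: LAN Manager authentication level"), which overwrites
    # the registry value at the next refresh; the direct write below is for a
    # one-off check or a standalone host.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
}

function Find-NtlmV1Logons {
    param([int]$Hours = 24)
    # Security event 4624 carries AuthenticationPackageName and, for NTLM
    # logons, LmPackageName ("NTLM V1" or "NTLM V2"). Anything reporting
    # "NTLM V1" here will fail once the DC refuses LM and NTLM.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
            }
        }
    }
}

# Usage: report the current level, then list NTLMv1 logons from the last day.
# 'svc-ia-*' is a placeholder pattern for the Identity Awareness service account.
"LmCompatibilityLevel = $(Get-NtlmLevel)  (5 = refuse LM and NTLM)"
Find-NtlmV1Logons -Hours 24 |
    Where-Object { $_.Account -like '*\svc-ia-*' } |
    Sort-Object Time | Format-Table -AutoSize
```

Run the audit part first on each DC for at least a full business day; only when no NTLMv1 logons remain for the accounts you care about should the level be raised to 5 (preferably through the Default Domain Controllers Policy rather than the registry write, so it survives policy refresh).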