This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_Herselman
Advisor
‎2022-12-20 12:50 AM
Jump to solution

CheckPoint Identity Collector requires NTLM? Does not use Kerberos?

We have made good progress on depreciating all versions of NTLM in our environment. With us getting assistance from Microsoft premier support, from a non-public knowledge base article, we were able to migrate AD CS (Active Directory Certificate Services) over to Kerberos as well for automated certificate enrolment interactions.

CheckPoint identity awareness is now the last remaining item in our environment which appears to break when we disable NTLM completely. Surely CheckPoint, as a security focused vendor, have a method for gateways to retrieve the security event logs without relying on NTLM?

Group Policy (GPOs) are applied to members servers and workstations to disable NTLM:

gpo_ntlm_disabled_everywhere.png

 

This then breaks CheckPoint Identity Collector, unless we apply the following policy just to the DCs (whilst continuing to apply the above policy to the dedicated Windows Server 2022 host running Check Point Identity Collector v81.035.0000). The following GPO is exclusively applied to our Domain Controllers:

gpo_ntlm_enabled_only_on_DCs.png

 

With this applied everything works perfectly:

fwcp_idcollect_status_ok.png

 

Wanted to reach out to the community before opening a case with TAC, we have Kerberos AES integration working between the gateways and the DCs, it's purely the Identity Awareness application which does not appear to provide support for Kerberos.

 

Edit:

My unenlightened understanding is that the DCOM call from the Identity Collector to the DC isn't using NTLM, otherwise it should have been blocked by the GPO blocking any and all NTLM. I thus presume the NTLM auth is within the LDAP TLS tunnels to the individual DCs then.

Problem currently is that the NTLM auth doesn't originate from anywhere, we can't even lock down NTLM by adding an exception via the 'Network security: Restrict NTLM: Add server exceptions in this domain' GPO.

Herewith a sample:

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: 4
Calling process name:
Calling process LUID: 0x3E7
Calling process user identity: REDACTEDDC01$
Calling process domain identity: REDACTED
Mechanism OID: 1.3.6.1.4.1.311.2.2.10

Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.

Labels
0 Kudos
9 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events