Disable NTLM

    Question

  • I need to disable NTLM on server 2008 & 2012 (Web-Servers, no Active Directory), but still want to access RDP via NTLM v2 from Windows 8.1 & Windows 10, is that possible?

    • Edited by VikasRana Thursday, September 15, 2016 12:26 PM
    Thursday, September 15, 2016 11:30 AM

All replies

  • Yes, it is possible, as NTLM is disabled by default in new installations of AD DS 2008 and 2012.  Kerberos is the default protocol used for authentication on AD domain-joined machines; if NTLM is not disabled then fallback to NTLM is allowed if for some reason Kerberos authentication fails.   Please see How to enable Single Sign-On for my Terminal Server connections


    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, September 15, 2016 11:55 AM
  • Hi Todd,

    Thanks for the quick response, but it looks like Single Sign-On is for domain servers. The servers I have are web servers open to the internet. Active Directory is not installed, and they are also not connected to any domain.

    Thursday, September 15, 2016 12:25 PM
  • In the case of a standalone machine, logons are controlled by the machine's local Security Accounts Manager database, and NTLM is then the mandatory authentication protocol.   There is no way around that.   You can, however, secure the connection with SSL certificates and TLS.

    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, September 15, 2016 12:55 PM
  • The connections are already secure, but I'm still getting lots of 4625 event logs without an IP address on a daily basis. One of my servers got hacked in 2014; after that I created my own intrusion detection software, but the 4625s were still there. I've also tried different intrusion detection software, but none of them have the courage to block the 4625 attacks.

    Thursday, September 15, 2016 1:16 PM
  • Any server wide open to the Internet is going to have hack attempts.  You should better secure it by placing a firewall in front of it, or some other hardened edge device like an F5, and force an authentication first through that, before reaching your server.  This will clean up your logs because there will not be any more directed attacks against the server from that point.

    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, September 15, 2016 1:22 PM
  • This is not an answer to my question, and I'm familiar with these things. I know it can be done, I just need to know how.

    Found this on internet:

    • Edited by VikasRana Thursday, September 15, 2016 2:21 PM
    Thursday, September 15, 2016 2:17 PM
  • I'll actually take issue with the statement "This is not the answer".  I did, in fact, answer the question.  You've misinterpreted the Internet source you cited, which stated "...NTLM: is changed to "LogonType":"10","LogonProcessName":"User32 ","AuthenticationPackageName":Negotiate".  

    The "Negotiate" method of authentication is either Kerberos or NTLM in the Microsoft world.  And you can't do Kerberos, Microsoft-wise, except inside an AD environment. This leaves only NTLM available in a non-AD environment, which is the only "Negotiate" mechanism available.

    But let's not argue further over that point.  I can assure you that if you block inbound NTLM traffic to a standalone (non-domain joined) Windows server, you will not be able to authenticate to it.  As a test for you, I just blocked inbound NTLM traffic via the same local GPO you cited and the standalone server rejected my logon attempt with the message "An authentication error has occurred."   If you see articles concerning SSL and TLS with respect to securing RDP services, that is talking about encrypting the RDP traffic stream inside SSL or TLS by use of certificates, which adds on further security hardening but does not change the method of actual user authentication into the server.


    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by Todd Heron Saturday, October 22, 2016 3:50 AM
    Thursday, September 15, 2016 8:16 PM
  • I'm sorry but I wasn't rude on your reply.

    Anyhow I found a solution to connect RDP and keep the NTLM disabled.

    Thanks for your time

    • Edited by VikasRana Friday, September 16, 2016 9:19 PM
    Friday, September 16, 2016 8:26 PM
  • Hi,

    Glad to hear that you finally got a solution by yourself. Meanwhile, would you please share the resolution in the forum as it would be helpful to anyone who encounters similar issues?

    Thanks and Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 19, 2016 2:34 AM
    Moderator
  • Hi,

    Sorry for this late reply. The solution I found is to disable NTLM and connect RDP using the non-NTLM option. This way User32 will appear as the login process, with the source network address, in security event log 4625.

    I've created a video for the same on youtube:

    https://www.youtube.com/watch?v=V0v-xGBQRRk

    Thanks


    Friday, October 28, 2016 5:37 PM
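As an added example (not code from the thread or from Microsoft), here is a Python check for the two symptoms discussed above: the 4625 failures that arrive through NtLmSsp with no source address, and the User32/Negotiate logons that do carry one once NTLM is disabled. The XML records are constructed for the example and trimmed to a few fields; the field names are the standard 4625 EventData names, and the IP address is a documentation-range placeholder.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4625 records in the XML shape Get-WinEvent's ToXml() produces, cut down to
# the EventData fields this check reads. Field names are the real 4625 ones; values are made up.
SAMPLE_EVENTS = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><EventID>4625</EventID></System><EventData>
    <Data Name="TargetUserName">administrator</Data><Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data><Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">-</Data></EventData></Event>
  <Event><System><EventID>4625</EventID></System><EventData>
    <Data Name="TargetUserName">admin</Data><Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data><Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">-</Data></EventData></Event>
  <Event><System><EventID>4625</EventID></System><EventData>
    <Data Name="TargetUserName">deploy</Data><Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32 </Data><Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="IpAddress">203.0.113.7</Data></EventData></Event>
</Events>"""


def parse_4625(xml_text):
    """Return one dict per 4625 event, keyed by EventData field name (values whitespace-stripped)."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue  # only failed-logon events are of interest here
        fields = {d.get("Name"): (d.text or "").strip() for d in ev.findall("e:EventData/e:Data", NS)}
        events.append(fields)
    return events


def summarize(events):
    """Count failures per (auth package, logon process) and how many carry no source address.

    NTLM failures handed in by NtLmSsp often log IpAddress "-", which is the 'no IP address'
    symptom from the thread; User32/Negotiate logons record the client address.
    """
    by_package = Counter()
    without_source = 0
    for e in events:
        by_package[(e.get("AuthenticationPackageName"), e.get("LogonProcessName"))] += 1
        if e.get("IpAddress", "") in ("", "-"):
            without_source += 1
    return by_package, without_source
```

Feed it the output of `Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625}` converted with `.ToXml()` to run it against a real Security log.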