https://live.paloaltonetworks.com/t5/general-topics/block-outbound-ntlm-auth/m-p/210097#M61381 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/48237">@DPoppleton</a>,</P><P>I would probably just ensure that 445, 137, 139 are blocked to the untrust interface. I wouldn't even do this by app-id unless you need those ports open for something else to function correctly. As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;already pointed out, this shouldn't be allowed by your configuration anyways.&nbsp;</P> Fri, 13 Apr 2018 20:03:14 GMT BPry 2018-04-13T20:03:14Z https://live.paloaltonetworks.com/t5/general-topics/block-outbound-ntlm-auth/m-p/209984#M61355 <P>With CVE-2018-0950 from Microsoft, if an outlook user clicks on an OLE object in an RTF email, the client will send credentials try to logon. Our security group is quite concerned about this.</P><P>&nbsp;</P><P>While allowing ports 445, 137 and 139 out to the internet is a really bad idea, they want to make sure that it is explicitly blocked. Is the application "ms-netlogon" the app to block? It includes many more ports than just the three mentioned above. Is anyone else doing this? Are 'we' just overreacting?</P> Fri, 13 Apr 2018 12:36:38 GMT https://live.paloaltonetworks.com/t5/general-topics/block-outbound-ntlm-auth/m-p/209984#M61355 DPoppleton 2018-04-13T12:36:38Z https://live.paloaltonetworks.com/t5/general-topics/block-outbound-ntlm-auth/m-p/210076#M61369 <P>I would think that your firewall policy would already be preventing that application; either by default or exception.</P><P>&nbsp;</P><P>If not, I don't think it would be over-reacting to ensure it's blocked.</P> Fri, 13 Apr 2018 18:41:59 GMT https://live.paloaltonetworks.com/t5/general-topics/block-outbound-ntlm-auth/m-p/210076#M61369 Brandon_Wertz 2018-04-13T18:41:59Z https://live.paloaltonetworks.com/t5/general-topics/block-outbound-ntlm-auth/m-p/210097#M61381 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/48237">@DPoppleton</a>,</P><P>I would probably just ensure that 445, 137, 139 are blocked to the untrust interface. I wouldn't even do this by app-id unless you need those ports open for something else to function correctly. As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;already pointed out, this shouldn't be allowed by your configuration anyways.&nbsp;</P> Fri, 13 Apr 2018 20:03:14 GMT https://live.paloaltonetworks.com/t5/general-topics/block-outbound-ntlm-auth/m-p/210097#M61381 BPry 2018-04-13T20:03:14Z