Block outbound NTLM auth

Reply
L3 Networker

Block outbound NTLM auth

With CVE-2018-0950 from Microsoft, if an outlook user clicks on an OLE object in an RTF email, the client will send credentials try to logon. Our security group is quite concerned about this.

 

While allowing ports 445, 137 and 139 out to the internet is a really bad idea, they want to make sure that it is explicitly blocked. Is the application "ms-netlogon" the app to block? It includes many more ports than just the three mentioned above. Is anyone else doing this? Are 'we' just overreacting?

L6 Presenter

Re: Block outbound NTLM auth

I would think that your firewall policy would already be preventing that application; either by default or exception.

 

If not, I don't think it would be over-reacting to ensure it's blocked.

L7 Applicator

Re: Block outbound NTLM auth

@DPoppleton,

I would probably just ensure that 445, 137, 139 are blocked to the untrust interface. I wouldn't even do this by app-id unless you need those ports open for something else to function correctly. As @Brandon_Wertz already pointed out, this shouldn't be allowed by your configuration anyways. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!