Block outbound NTLM auth

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Block outbound NTLM auth

L3 Networker

With CVE-2018-0950 from Microsoft, if an outlook user clicks on an OLE object in an RTF email, the client will send credentials try to logon. Our security group is quite concerned about this.

 

While allowing ports 445, 137 and 139 out to the internet is a really bad idea, they want to make sure that it is explicitly blocked. Is the application "ms-netlogon" the app to block? It includes many more ports than just the three mentioned above. Is anyone else doing this? Are 'we' just overreacting?

2 REPLIES 2

L6 Presenter

I would think that your firewall policy would already be preventing that application; either by default or exception.

 

If not, I don't think it would be over-reacting to ensure it's blocked.

Cyber Elite
Cyber Elite

@DPoppleton,

I would probably just ensure that 445, 137, 139 are blocked to the untrust interface. I wouldn't even do this by app-id unless you need those ports open for something else to function correctly. As @Brandon_Wertz already pointed out, this shouldn't be allowed by your configuration anyways. 

  • 3263 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!