NTLM Authentication requires insecure SMB1 protocol?

As I hope everyone knows by now, Microsoft is strongly urging everyone to disable SMB1 on all Windows computers.  Imagine my surprise to see, after disabling it, that the XG log viewer filled up with "Cannot establish NTLM authentication channel with Domain" and on the Domain Controller I see repeated in the DC event log:

SMB1 access

Client Address: 10.1.10.200

Guidance:

This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

I would consider this to be a huge failing that needs to be addressed immediately. 



  • Bill,

    Why are you not using STAS? It seems on MR6 they released a fix for STAS when users disconnect.

    On UTM the fix for SMB has been released. For the XG line... I suppose a new update will come soon.

    Regards

  • Hi Luk,

    I am in fact using STAS. I just noticed when I disabled SMB1 on my DCs that the logs were filling up with the XG failing to establish an NTLM channel. I guess I was just surprised to see it still using SMB1, something Microsoft has been very clear has been considered deprecated for nearly 11 years now. I noticed that the Knowledgebase Article didn't mention XG getting an update to replace SMB1 with SMB2; hopefully Sophos can comment on whether or not that is planned for MR7.

    Can I turn NTLM off so that the logs don't fill up with failed attempts?
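
Added example, not part of the thread and not Sophos or Microsoft code: a PowerShell function for the domain controller that summarises the "SMB1 access" audit events quoted above by client address, so remaining SMB1 clients (such as the firewall at 10.1.10.200) can be inventoried. It assumes these records are event ID 3000 in the `Microsoft-Windows-SMBServer/Audit` log; the function name `Get-Smb1ClientSummary` is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the domain controller.
# Assumption: SMB1 audit records are event ID 3000 in Microsoft-Windows-SMBServer/Audit.
function Get-Smb1ClientSummary {
    param([int]$Days = 7)

    # The audit log is only populated while SMB1 auditing is enabled.
    if (-not (Get-SmbServerConfiguration).AuditSmb1Access) {
        Write-Warning 'SMB1 auditing is off; enable with: Set-SmbServerConfiguration -AuditSmb1Access $true'
    }

    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # SilentlyContinue: Get-WinEvent raises an error when no events match the filter.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The message body carries a "Client Address: <ip>" line, as in the quoted event.
            if ($_.Message -match 'Client Address:\s*(\S+)') {
                [pscustomobject]@{ Client = $Matches[1]; Time = $_.TimeCreated }
            }
        } |
        Group-Object Client |
        ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                Client    = $_.Name
                Attempts  = $_.Count
                FirstSeen = $times | Select-Object -First 1
                LastSeen  = $times | Select-Object -Last 1
            }
        } |
        Sort-Object Attempts -Descending
}

Get-Smb1ClientSummary -Days 7 | Format-Table -AutoSize
```

An empty result over a representative period indicates that no client has attempted SMB1 against that server while auditing was on.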