Can NTLM be disabled?
I have a site setup that runs under the NTLM authentication model.
The site uses IIS 6 with Windows Server 2024 SP2. This server has been setup to only serve out the default, ie, internet facing IP address (192.168.110). So we only allow access from the internet on this IP. My company is not a big one and does not need much functionality yet, but there will be some future expansion. What would best in order to prevent any malicious activity or user to break in to our system, such as a SQL injection attack, brute force login, cross site scripting attacks? Allowing the IP of 192.110 (the default) is the same as letting a user go to our site through 192.109. This means that if the internet is up, he could hit our website at 192. Is this a good idea? Or is there a better way to protect against such attacks? I know about firewalls, but is there anything else I can do?
Re: ? No it does not. If you have only a single ip, then you must assign that IP as the Default Zone for all of your hosts. In this scenario NTLM is the authentication mechanism. As soon as you assign your default zone to that IP you are allowing NTLM.
You can use the "Microsoft Active Directory" utility which comes with Windows Server 2024 to assign a single ip for all your workstations and servers. The following link shows how to do it: Also, make sure you review the Security settings under IIS6 in the "Advanced Settings". Those are typically left on default settings and are not sufficient to stop attacks. A good idea would be to enable the logging under "Error logging" to see exactly what happens when an attack takes place.
Hi MichaelFowler! Thank you for your response. Does the second link you gave explain how to assign the single ip? I would like to add more than one. We have a web server running on the internal network.
How do I disable NTLM authentication in IIS?
I'm trying to configure my test site on my Windows 2024 server so that I can access it via the standard browser, but I want to use NTLM authentication.
I have disabled WinNT authentication (to turn off the automatic creation of a certificate), but I cannot find where in IIS I can disable NTLM authentication. Any ideas? There's no configuration to disable NTLM on a per-site basis. Instead, you need to set the Authentication Type on the site to Negotiate and the Site Identity to use your computer account, not the current user account. Once you do that, you'll get a popup asking for your username and password, which is basically the same thing as how browsers handle NTLM/Negotiate authentication.
Related Answers
Which is more secure NTLM or Kerberos?
We're using NTLM over SSL (HTTPS) for our web server and authenticating against Active...
How do you check if NTLM is enabled on a server?
I have a Windows Server 2024 R2 domain controller that...
The Difference Between NTLM and Kerberos?
I've just been learning about ASP.Net authentication and when I...