Disabling SMBv1 on NTLM AD Host

Hello,

We are trying to secure our environment against the SMBv1 exploits that are being flagged by Nessus. (https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-i... ) (Stop using SMB1 | Server Storage at Microsoft  )

https://support.microsoft.com/en-us/kb/2696547

http://www.nessus.org/u?8dcab5e4

http://www.nessus.org/u?36fd3072

http://www.nessus.org/u?4c7e0cf3

This article says that McAfee uses SMB for part of its NTLM auth procedure:

We attempted disabling SMBv1 on one of our ADFS hosts that MWG connects to; after reboot it was unable to communicate with it.

Is there a reliance on SMBv1 that can be circumvented with a configuration change, or is this an issue with the product?

3 Replies
Re: Disabling SMBv1 on NTLM AD Host

See KB89350 -- MWG requires SMBv1 to be active on your ADFS or Domain Controller.

https://kc.mcafee.com/agent/index?page=content&id=KB89350

This is a ridiculous requirement, especially in light of Microsoft encouraging everyone to turn off the legacy protocol.  Hopefully the MWG team is working to support SMBv2 or later.

McAfee Employee

Re: Disabling SMBv1 on NTLM AD Host

The McAfee Web Gateway NTLM integration does currently require SMBv1 to be enabled on the domain controllers used for authentication. McAfee is actively working on an integration using SMBv2 but that will take at least several months. In the interim there are many secure authentication options for our customers that would enable them to disable rather than patch SMBv1 on many or all DCs.

  1. Stand up or use patched domain controllers that still run SMBv1 for MWG to use (could be firewalled instead of patched so that they only allow SMB connections from other DCs and MWGs).
  2. Use the NTLM agent (does not need SMB)
  3. Use Kerberos with user group lookups via LDAP (does not need SMB)
  4. Use MCP for redirection to MWG when on premise (does not need SMB)

The cloud service never interacts directly with AD so it is unaffected by the disabling of SMBv1.

Official McAfee KB article here https://kb.mcafee.com/agent/index?page=content&id=KB89350

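The outage in the original post (SMBv1 disabled on a host MWG depended on) and option 1 in the reply above both come down to knowing which clients still speak SMBv1 before turning it off. The following is an added example, not from the thread or from McAfee, of how a DC administrator can audit that on Windows Server 2016 or later using the built-in SmbShare cmdlets; it assumes an elevated session, and the function names and the assumption that event 3000 carries the client address as its first data field are mine.

```powershell
# Added example: audit SMBv1 use on a domain controller before disabling it,
# so dependencies such as MWG's NTLM integration show up in the audit log
# instead of as an outage. Windows Server 2016+, run elevated.

# 1. Current SMBv1 state: server-side protocol flag and the optional feature.
function Get-Smb1Status {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled  = $cfg.EnableSMB1Protocol
        AuditEnabled = $cfg.AuditSmb1Access
        FeatureState = (Get-WindowsFeature -Name FS-SMB1).InstallState
    }
}

# 2. Turn on SMBv1 access auditing. Each SMB1 connection is then logged to
#    Microsoft-Windows-SMBServer/Audit as event ID 3000 with the client address.
function Enable-Smb1Audit {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# 3. Summarise which clients used SMBv1 during the audit window. Anything
#    listed (an MWG appliance, legacy scanners, old devices) has to move to
#    SMBv2+ or another auth path (NTLM agent, Kerberos/LDAP) first.
function Get-Smb1Clients {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumption: the client address is the event's first data field.
        [pscustomobject]@{ Client = $_.Properties[0].Value; Time = $_.TimeCreated }
    } |
    Group-Object Client |
    Select-Object @{n='Client';e={$_.Name}}, Count,
        @{n='LastSeen';e={($_.Group.Time | Measure-Object -Maximum).Maximum}} |
    Sort-Object Count -Descending
}

# 4. Sessions open right now whose negotiated dialect is below 2.0 (SMBv1).
function Get-Smb1Sessions {
    Get-SmbSession | Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

# 5. Only once steps 3 and 4 return nothing, remove SMBv1 (per Microsoft KB2696547).
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Uninstall-WindowsFeature -Name FS-SMB1   # reboot required afterwards
}

Get-Smb1Status; Enable-Smb1Audit; Get-Smb1Clients; Get-Smb1Sessions
```

Run steps 1 to 4 for at least a full business cycle before calling `Disable-Smb1`, since clients such as MWG only appear in the audit log when they actually authenticate.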
Re: Disabling SMBv1 on NTLM AD Host

Thanks for the response and updates. Could you add the info about Kerberos/LDAP into KB89350 as well?
