Disable Fallback to NTLM
Within SCCM's client push installation properties there is a setting named "Allow connection fallback to NTLM." When it is enabled, the site server falls back to NTLM if Kerberos authentication to the target client fails (Figure 1).
Figure 1 - Client Push Installation Properties
Adversaries commonly abuse NTLM authentication by coercing a computer to authenticate to an attacker-controlled machine and then either capturing or relaying that authentication to another resource.
Disabling this setting prevents the site server from using NTLM during client push, so a coerced client push connection cannot be captured or relayed.
NOTE: This technique must be used in conjunction with PREVENT-1.
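An added audit example (not code from the original page or from the SCCM product): it dumps the site-control properties of the client push component so an administrator can confirm the setting's stored value by comparing the output before and after toggling the checkbox. It assumes a placeholder site code, rights to the SMS provider, and that the checkbox is persisted as the ENABLEKERBEROSCHECK property of the SMS_DISCOVERY_DATA_MANAGER component; that property name is an assumption to verify against the diff.

```powershell
# Added example, not from the original page.
# Assumptions: run against the SMS provider, -SiteCode is your three-character
# site code, and the "Allow connection fallback to NTLM" checkbox is stored as
# the ENABLEKERBEROSCHECK property (confirm by diffing two runs of this script,
# one before and one after changing the checkbox in the console).
param(
    [Parameter(Mandatory)] [string] $SiteCode,
    [string] $ProviderServer = $env:COMPUTERNAME
)

$ns = "root\SMS\site_$SiteCode"

# Every site-control property of the client push installation component.
$props = Get-CimInstance -ComputerName $ProviderServer -Namespace $ns -ClassName SMS_SCI_SCProperty |
    Where-Object { $_.ItemName -eq 'SMS_DISCOVERY_DATA_MANAGER' -and $_.ItemType -eq 'Component' } |
    Select-Object PropertyName, Value, Value1, Value2

# Full dump for a before/after comparison.
$props | Sort-Object PropertyName | Format-Table -AutoSize

# Call out the assumed NTLM fallback property explicitly, if it is present.
$fallback = $props | Where-Object PropertyName -eq 'ENABLEKERBEROSCHECK'
if ($null -eq $fallback) {
    Write-Warning "ENABLEKERBEROSCHECK not found; compare the dump above across two runs instead."
} else {
    Write-Output ("ENABLEKERBEROSCHECK = {0}" -f $fallback.Value)
}
```

Record the value while the checkbox is still enabled, disable it, and re-run; the property whose value changed is the one to monitor for drift.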
Linked defensive techniques:
- PREVENT-1: Patch site server with KB15599094
- PREVENT-5: Disable automatic site-wide client push installation

Associated offensive techniques:
- ELEVATE-2: NTLM relay via automatic client push installation
- ELEVATE-3: NTLM relay via automatic client push installation and AD System Discovery

References:
- Chris Thompson, Coercing NTLM Authentication from SCCM