RMM Scripting with NTLM / NetBT Disabled

RMM script sets Service Principal Name for Admin Share Kerberos Authentication.

Relevance

Last Review: January 26, 2022

Product(s): Delta Methodology

Author(s): Matthew Born

Delta

A cyberist created this article using the patented Delta Method by modernizing a typical approach.

Reference

Summary

NTLM and NetBT are insecure authentication methods and are vulnerable to attack. Best practice is to disable both and use only Kerberos in a Windows environment. However, by design Kerberos will not authenticate by IP address, and this includes the Admin shares necessary for pushing remote scripts in some environments. This functionality is restored by manually assigning each host's IP address to a Service Principal Name (SPN) on its Active Directory computer object, and by adding a registry key to the client.

Requirements

  • Domain Admin Account
  • RMM / Onsite Manager
  • AddSPNHostRemote.ps1 and RemoveSPNHostRemote.ps1
  • List of domain computers in notepad file at C:\Support\Scripts\computers.txt
  • Devices must be online
  • 15 to 30 minutes effort

Steps

  1. Log onto the server with the Onsite Manager and open a command prompt. Instruct Kerberos to attempt IP authentication by issuing the following command: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v TryIPSPN /t REG_DWORD /d 1 /f
  2. Place computers.txt, AddSPNHostRemote.ps1 and RemoveSPNHostRemote.ps1 in C:\Support\Scripts\
  3. Right click AddSPNHostRemote.ps1 and click Edit. Replace xxxPASSWORDINPLAINTEXTxxx on Line 6 with your Domain Admin password.
  4. On Line 7, replace Domain\Domain Admin with your Domain Admin username.
  5. Click File and then Save. Close your PowerShell ISE window.
  6. Run AddSPNHostRemote.ps1 by entering the following command: "C:\Support\Scripts\AddSPNHostRemote"
  7. Open AddSPNHostRemote and remove your username and password.

Follow-up

Verify the addition of the SPN for one computer in your computers.txt file by opening a command prompt and entering the following: setspn -l COMPUTERNAME. If successful, you will see an entry for HOST/x.x.x.x, with x.x.x.x being the computer's IP address. Verify again that you have removed all passwords and usernames from your script.

Your environment is now prepped for running scripts through Admin shares by IP. However, SPNs do not change automatically when DHCP changes the machine's IP address. Leaving manual SPNs in a DHCP environment is not recommended. After you have run your script, repeat Steps 3 – 5, this time running RemoveSPNHostRemote.ps1, to ensure all changes have been reversed. Again, ensure you remove your username and password from your script once completed.
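
The follow-up check above can be run across the whole computers.txt list to find IP-based SPNs that were never removed or that no longer match the machine's current address after a DHCP change. The script below is an added example, not the article's AddSPNHostRemote.ps1 or RemoveSPNHostRemote.ps1. The function name Get-IpSpnStatus and the sample values are constructed for illustration, and the domain section assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: audit HOST/<IPv4> SPNs for the machines listed in computers.txt.
# Get-IpSpnStatus is a hypothetical helper name; read-only, no credentials stored.

# Classify a computer's IP-based HOST SPNs against its current address.
function Get-IpSpnStatus {
    param([string]$ComputerName, [string[]]$ServicePrincipalName, [string]$CurrentIPv4)
    $ipSpns = @($ServicePrincipalName | Where-Object { $_ -match '^HOST/(\d{1,3}\.){3}\d{1,3}$' })
    if ($ipSpns.Count -eq 0) {
        return [pscustomobject]@{ Computer = $ComputerName; Spn = $null; CurrentIP = $CurrentIPv4; Status = 'NoIpSpn' }
    }
    foreach ($spn in $ipSpns) {
        $spnIp = $spn.Substring(5)    # text after "HOST/"
        if (-not $CurrentIPv4)           { $status = 'Unresolved' }
        elseif ($spnIp -eq $CurrentIPv4) { $status = 'Current' }
        else                             { $status = 'Stale' }   # DHCP moved the host, SPN did not follow
        [pscustomobject]@{ Computer = $ComputerName; Spn = $spn; CurrentIP = $CurrentIPv4; Status = $status }
    }
}

# Constructed sample (documentation addresses), runs without a domain.
Get-IpSpnStatus -ComputerName 'PC01' -CurrentIPv4 '192.0.2.25' `
    -ServicePrincipalName 'HOST/PC01', 'HOST/PC01.example.test', 'HOST/192.0.2.10'

# Is IP-based SPN lookup still enabled on this machine (Step 1 of the article)?
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$tryIpSpn = (Get-ItemProperty -Path $key -Name TryIPSPN -ErrorAction SilentlyContinue).TryIPSPN
"TryIPSPN on $env:COMPUTERNAME = $(if ($null -eq $tryIpSpn) { 'not set' } else { $tryIpSpn })"

# Domain audit: runs only where the ActiveDirectory module and the list exist.
$listPath = 'C:\Support\Scripts\computers.txt'    # path from the article
if ((Get-Module -ListAvailable ActiveDirectory) -and (Test-Path $listPath)) {
    Import-Module ActiveDirectory
    $report = foreach ($name in (Get-Content $listPath | Where-Object { $_.Trim() })) {
        try {
            $c = Get-ADComputer -Identity $name.Trim() -Properties ServicePrincipalName, IPv4Address -ErrorAction Stop
            Get-IpSpnStatus -ComputerName $c.Name -ServicePrincipalName @($c.ServicePrincipalName) -CurrentIPv4 $c.IPv4Address
        } catch {
            [pscustomobject]@{ Computer = $name; Spn = $null; CurrentIP = $null; Status = 'LookupFailed' }
        }
    }
    $report | Sort-Object Status, Computer | Format-Table -AutoSize
}
```

After RemoveSPNHostRemote.ps1 has been run, every machine should report NoIpSpn; any Current or Stale row is a manual SPN that is still registered.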