public inbox for cygwin@cygwin.com
* thousands of NTLM requests per day
@ 2017-02-28 15:17 Andrew Schulman
From: Andrew Schulman @ 2017-02-28 15:17 UTC
  To: cygwin

I got a call from our domain admins, asking me if I knew why my Windows 7
host would be sending many thousands of NTLMv1 authentication requests per
day. I don't know, and we're still trying to find out which application is
doing that, but here's what I wonder:

Could Cygwin be responsible for the authentication requests? I wonder about
this because Cygwin now queries Windows for user and group information that
used to be kept statically in /etc/passwd and /etc/group.

I don't know much about this. Sorry if it's an obtuse question. Any general
information would be appreciated.

Andrew


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: thousands of NTLM requests per day
From: Andrey Repin @ 2017-02-28 16:35 UTC
  To: Andrew Schulman, cygwin

Greetings, Andrew Schulman!

> I got a call from our domain admins, asking me if I knew why my Windows 7
> host would be sending many thousands of NTLMv1 authentication requests per
> day. I don't know, and we're still trying to find out which application is
> doing that, but here's what I wonder:

> Could Cygwin be responsible for the authentication requests? I wonder about
> this because Cygwin now queries Windows for user and group information that
> used to be kept statically in /etc/passwd and /etc/group.

Do you use cygserver? If not, try to set it up; it should help with domain
information caching. If the problem you observe is caused by Cygwin activity,
you should see a decrease in such requests.

> I don't know much about this. Sorry if it's an obtuse question. Any general
> information would be appreciated.


-- 
With best regards,
Andrey Repin
Tuesday, February 28, 2017 19:28:37

Sorry for my terrible English...



* Re: thousands of NTLM requests per day
From: Andrew Schulman @ 2017-03-03 14:50 UTC
  To: cygwin

> Greetings, Andrew Schulman!
> 
> > I got a call from our domain admins, asking me if I knew why my Windows 7
> > host would be sending many thousands of NTLMv1 authentication requests per
> > day. I don't know, and we're still trying to find out which application is
> > doing that, but here's what I wonder:
> 
> > Could Cygwin be responsible for the authentication requests? I wonder about
> > this because Cygwin now queries Windows for user and group information that
> > used to be kept statically in /etc/passwd and /etc/group.
> 
> Do you use cygserver? If not, try to set it up; it should help with domain
> information caching. If the problem you observe is caused by Cygwin activity,
> you should see a decrease in such requests.

Thanks for the suggestion, Andrey. I'll keep it in mind for next time.

For the archive, this problem was unrelated to Cygwin. Jeffrey Altman answered
offline that "NTLM requests will be sent from the svchost.exe service when a
remote desktop connection is initiated." So I looked into the NoMachine NX
service that was running on my host, and found that it was responsible. I
disabled the service and the requests stopped.

So, not a Cygwin problem. Sorry for the noise, and thanks for the help.

Andrew

