I want to disable NTLM completely. I don't want password hashes to be stored in memory because of pass-the-hash attacks (people don't have SeDebugPrivilege, but NTLM is not good anyway).
But people connect to the workspace via RDP from their homes. I can use VPN + RD Gateway, but people will still use passwords and NTLM for RDP.
Is there any way to fix this?
If not, can I configure the RD Gateway somehow to get Kerberos tickets on behalf of users, so they only use NTLM for the RD Gateway, but not for other resources?
In other words, how can I eliminate NTLM, or decrease the number of times it is used, when I have remote users?