September 24, 2019 | Active Directory, Group Policies, Security, Windows Server 2012 R2

How to Disable NTLM Authentication in Windows Domain?

NTLM (NT LAN Manager) has been the basic Microsoft authentication protocol for a long time: since Windows NT. Although Microsoft introduced the more secure Kerberos authentication protocol in Windows 2000, NTLM (usually NTLMv2) is still widely used for authentication in Windows domain networks. In this article, we’ll consider how to disable the NTLMv1 and NTLMv2 protocols and switch to Kerberos in your Active Directory domain.

The main NTLMv1 problems:

  • weak encryption;
  • the password hash is kept in the memory of the LSA service, where it can be extracted with tools such as mimikatz and then reused in further attacks;
  • no mutual authentication between server and client, which enables interception attacks and unauthorized access to network resources (tools such as Responder can capture NTLM data sent over the network and use it to access network resources);
  • other vulnerabilities.

Some of these were fixed in the next version, NTLMv2, which uses stronger cryptography and prevents the most common NTLM attacks. The NTLMv1 and LM authentication protocols are disabled by default starting with Windows 7 / Windows Server 2008 R2.

Contents:
  • Configuring GPO to Force NTLMv2
  • How to Enable NTLM Authentication Audit Logging?
  • How to Completely Restrict NTLM in Active Directory Domain?

Configuring GPO to Force NTLMv2

If you are considering stopping the use of NTLM in your domain, first make sure that you are not still using its weaker version, NTLMv1. Your network may contain legacy devices or services that still authenticate with NTLMv1 instead of NTLMv2 (or Kerberos). So, before disabling it completely, read the NTLM authentication audit section of this article.

Small open source products, older network scanners (the kind that save scans to shared network folders), some NAS devices and other old hardware, software and operating systems are likely to run into authentication problems when NTLMv1 is disabled.

First of all, the domain administrator must make sure that the LM and NTLMv1 protocols cannot be used for authentication in the domain, since in some cases an attacker can use specially crafted requests to obtain an NTLM/LM response.

You can set the preferred authentication type using a domain (or local) policy. Open the Group Policy Management Editor (gpmc.msc) and edit the Default Domain Policy. Go to the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level.

[Screenshot: Network Security: LAN Manager authentication level policy]

There are 6 options in the policy settings:

  1. Send LM & NTLM responses;
  2. Send LM & NTLM responses – use NTLMv2 session security if negotiated;
  3. Send NTLM response only;
  4. Send NTLMv2 response only;
  5. Send NTLMv2 response only. Refuse LM;
  6. Send NTLMv2 response only. Refuse LM & NTLM.

The options are listed in order of increasing security. By default, Windows 7 and newer operating systems use the option Send NTLMv2 response only: with this option, client computers send NTLMv2 responses, but AD domain controllers still accept LM, NTLM and NTLMv2 requests.

NTLMv2 is still used when Kerberos cannot be used: for some operations (for example, when managing local groups and accounts on domain-joined computers) or in workgroups.

You can change the policy value to the most secure option 6: “Send NTLMv2 response only. Refuse LM & NTLM”. If you configure this setting on domain controllers, they will reject all LM and NTLMv1 requests.

You can also disable NTLMv1 through the registry. To do it, create a DWORD value named LmCompatibilityLevel with a value from 0 to 5 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM & NTLM”.

Make sure that the Network security: Do not store LAN Manager hash value on next password change policy is enabled in the same GPO section. It is enabled by default starting with Windows Vista / Windows Server 2008 and prevents the LM hash from being created.

[Screenshot: Network security: Do not store LAN Manager hash value on next password change policy]

Don’t forget to apply this policy to your domain controllers.
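Before relying on the GPO, it helps to read the two settings back from the machines themselves, because a policy that has not applied yet (or a server outside the GPO scope) is exactly the gap an attacker would use. The following PowerShell is an added example, not code from the original article: it reads LmCompatibilityLevel and NoLMHash from HKLM\SYSTEM\CurrentControlSet\Control\Lsa on a list of computers and flags anything that still accepts LM/NTLMv1 responses. It assumes PowerShell remoting (WinRM) is enabled and that you are a local administrator on the targets; the computer names in the usage line are placeholders.

```powershell
# Added example: read-only check of LmCompatibilityLevel and NoLMHash on remote computers.
# Assumes WinRM remoting and local admin rights on the targets (not part of the original article).

# Option names in the order shown in the GPO editor; the index is the LmCompatibilityLevel value.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM responses - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthSettings {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        [pscustomobject]@{
            ComputerName         = $env:COMPUTERNAME
            LmCompatibilityLevel = $lsa.LmCompatibilityLevel   # $null when the value is absent
            NoLMHash             = $lsa.NoLMHash               # $null when the value is absent
        }
    } | Select-Object ComputerName, LmCompatibilityLevel, NoLMHash
}

function Test-LmAuthSettings {
    param([Parameter(Mandatory, ValueFromPipeline)]$Setting)
    process {
        $level = $Setting.LmCompatibilityLevel
        # An absent LmCompatibilityLevel means the OS default applies (level 3, "Send NTLMv2
        # response only", on Windows 7 / Server 2008 R2 and later). That level still accepts
        # LM and NTLMv1 responses from clients, so it is reported as a finding.
        $levelText = if ($null -eq $level) { 'not set (OS default)' } else { "$level - $($LmLevelNames[[int]$level])" }
        $refusesLegacy = ($null -ne $level) -and ([int]$level -ge 5)
        # An absent NoLMHash means the Windows Vista / Server 2008+ default (LM hash not stored);
        # only an explicit 0 re-enables LM hash storage.
        $noLmHashOk = ($Setting.NoLMHash -ne 0)
        $finding = if ($refusesLegacy -and $noLmHashOk) { 'OK' } else { 'Still accepts LM/NTLMv1 responses or may store LM hashes' }
        [pscustomobject]@{
            ComputerName       = $Setting.ComputerName
            LmLevel            = $levelText
            RefusesLmAndNtlmv1 = $refusesLegacy
            NoLMHash           = $noLmHashOk
            Finding            = $finding
        }
    }
}

# Usage (computer names are placeholders for your own DCs and servers):
# Get-LmAuthSettings -ComputerName 'dc01', 'dc02', 'fs01' | Test-LmAuthSettings | Format-Table -AutoSize
```

Run it against the domain controllers first: a DC that still reports a level below 5 will keep answering LM and NTLMv1 requests no matter what the clients are configured to send.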

Once you have made sure that you are not using NTLMv1, you can go further and try to disable NTLMv2. NTLMv2 is a more secure authentication protocol, but it still lags well behind Kerberos in terms of security (NTLMv2 has fewer vulnerabilities than NTLMv1, but captured authentication data can still be reused, and it does not support mutual authentication).

The main risk of disabling NTLM is legacy or misconfigured applications that still use NTLM authentication. In this case, you will have to update or reconfigure them to switch to Kerberos.

How to Enable NTLM Authentication Audit Logging?

Before you completely disable NTLM in your domain and switch to Kerberos, make sure that there are no apps left in the domain that require and use NTLM authentication.

To track accounts or apps that are using NTLM authentication, you can enable audit logging policies on all computers using GPO. In the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options section, find and enable the Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy and set its value to Enable all.

[Screenshot: Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy]

In the same way enable the policy Network Security: Restrict NTLM: Audit Incoming NTLM Traffic and set its value to Enable auditing for domain accounts.

[Screenshot: Network Security: Restrict NTLM: Audit Incoming NTLM Traffic policy]

After enabling these policies, NTLM authentication events appear in the Application and Services Logs -> Microsoft -> Windows -> NTLM section of the Event Viewer.

You can analyze the events on each server or forward them to a central Windows Event Collector.

You need to search for events from the source Microsoft-Windows-Security-Auditing with Event ID 4624 – “An account was successfully logged on”. Look at the “Detailed Authentication Information” section: if the Authentication Package value is NTLM, then the NTLM protocol was used to authenticate this user.

Then look at the value of Package Name (NTLM only). This field shows which protocol (LM, NTLMv1 or NTLMv2) was used for the authentication. In this way you can identify every server and application that is still using the legacy protocol.

[Screenshot: Event ID 4624 from Microsoft-Windows-Security-Auditing showing NTLM usage]

For example, to search for all NTLMv1 authentication events on all domain controllers, you can use the following PowerShell script:

# Requires the ActiveDirectory module (RSAT) and remote Event Log access to the domain controllers
Import-Module ActiveDirectory
$ADDCs = Get-ADDomainController -Filter *
$Now = Get-Date
$Yesterday = $Now.AddDays(-1)
$NewOutputFile = "c:\Events\$($Yesterday.ToString('yyyyddMM'))_AD_NTLMv1_events.log"
# Create the output folder if it does not exist yet
New-Item -ItemType Directory -Path (Split-Path $NewOutputFile) -Force | Out-Null
function GetEvents($DC){
    Write-Host "Searching log on " $DC.HostName
    # 4624 events whose message contains "V1" in the Package Name (NTLM only) field
    $Events = Get-EventLog "Security" -After $Yesterday.Date -Before $Now.Date -ComputerName $DC.HostName -Message "*V1*" -InstanceId 4624
    foreach($Event in $Events){
        Write-Host $DC.HostName $Event.EventID $Event.TimeGenerated
        Out-File -FilePath $NewOutputFile -InputObject "$($Event.EventID), $($Event.MachineName), $($Event.TimeGenerated), $($Event.ReplacementStrings), $($Event.Message)" -Append
    }
}
foreach($DC in $ADDCs){ GetEvents $DC }
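Matching "*V1*" against the whole message text is quick but loose (it also matches any other string containing "V1"), and it tells you nothing about NTLMv2 use, which you need for the next step. The following is an added example, not the article's script: it pulls the same 4624 events with Get-WinEvent, reads the Authentication Package and Package Name (NTLM only) fields from the event XML, and summarizes NTLM logons per version, workstation and source address. It assumes the ActiveDirectory module and remote event-log (RPC) access to the domain controllers; the function names are my own.

```powershell
# Added example (not from the original article): structured NTLM usage report from 4624 events.
# Assumes the ActiveDirectory module and remote Event Log access to the DCs.

Import-Module ActiveDirectory

function Get-NtlmLogonEvents {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [datetime]$Start = (Get-Date).AddDays(-1),
        [datetime]$End   = (Get-Date)
    )
    foreach ($dc in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End }
        try {
            # Get-WinEvent throws when nothing matches; treat that as an empty result for this DC.
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Warning "$dc : $($_.Exception.Message)"
            continue
        }
        foreach ($ev in $events) {
            # The EventData fields are only reliably separable from the XML, not from the message text.
            $xml  = [xml]$ev.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # "Package Name (NTLM only)" is LmPackageName: "NTLM V1", "NTLM V2" or "LM";
            # Kerberos logons carry "-" here, so they are skipped.
            $pkg = $data['LmPackageName']
            if ([string]::IsNullOrEmpty($pkg) -or $pkg -eq '-') { continue }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $ev.TimeCreated
                AuthPackage      = $data['AuthenticationPackageName']
                NtlmVersion      = $pkg
                User             = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation      = $data['WorkstationName']
                SourceIp         = $data['IpAddress']
                LogonType        = $data['LogonType']
            }
        }
    }
}

function Get-NtlmUsageSummary {
    # Collapse the per-logon list into one row per (version, workstation, source IP)
    # so that the noisiest legacy clients surface first.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    begin   { $all = @() }
    process { $all += $Event }
    end {
        $all | Group-Object NtlmVersion, Workstation, SourceIp | ForEach-Object {
            [pscustomobject]@{
                NtlmVersion = $_.Group[0].NtlmVersion
                Workstation = $_.Group[0].Workstation
                SourceIp    = $_.Group[0].SourceIp
                Logons      = $_.Count
            }
        } | Sort-Object NtlmVersion, Logons -Descending
    }
}

# Usage: NTLMv1 logons from the last 24 hours, then the per-source summary for all NTLM versions.
# Get-NtlmLogonEvents | Where-Object NtlmVersion -eq 'NTLM V1' | Format-Table -AutoSize
# Get-NtlmLogonEvents | Get-NtlmUsageSummary | Format-Table -AutoSize
```

The WorkstationName and IpAddress columns are what you will actually use: they point at the device or application host that has to be reconfigured or added to the exception list, whereas the account name alone often just identifies a service account shared by several systems.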

After you have found the users and applications that are using NTLM in your domain, try switching them to Kerberos (possibly by registering SPNs). Some applications need minor reconfiguration to use Kerberos authentication (see the articles Kerberos Authentication in IIS and How to configure different browsers for Kerberos authentication?). From my own experience, I see that even large commercial products are still using NTLM instead of Kerberos; some products require updates or configuration changes. It is all about detecting which apps are using NTLM authentication, and now you have a reliable method to identify this software and these devices.

Kerberos authentication requires the DNS name of the server rather than its IP address. If you connect to a resource by IP address, NTLM authentication is used.

Apps that cannot use Kerberos can be added to the exceptions, which allows them to use NTLM authentication even if it is disabled at the domain level. This is done with the Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy: add the names of the servers on which NTLM authentication is still allowed to the exception list. Ideally, this list should be empty. You can use the wildcard *.

[Screenshot: Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy]

How to Completely Restrict NTLM in Active Directory Domain?

To check how authentication without NTLM will work for different apps in your domain, you can add user accounts to the “Protected Users” domain group (available since Windows Server 2012 R2). Members of this security group can authenticate only with Kerberos (NTLM, Digest Authentication and CredSSP are not allowed). In this way you can verify whether Kerberos user authentication works correctly in different apps.

Then you can completely disable NTLM on the Active Directory domain using the Network Security: Restrict NTLM: NTLM authentication in this domain policy.

The policy has 5 options:

  • Disable: the policy is disabled (NTLM authentication is allowed in the domain);
  • Deny for domain accounts to domain servers: the domain controllers deny NTLM authentication attempts to all servers made with domain accounts, and the “NTLM is blocked” error appears;
  • Deny for domain accounts: the domain controllers deny NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears;
  • Deny for domain servers: NTLM authentication requests are denied for all servers unless the server name is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy;
  • Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.
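The domain-level Restrict NTLM and Audit NTLM policies, and the server exception list described earlier, are written by Group Policy into the Netlogon parameters of each domain controller, so the effective state can be read back per DC rather than inferred from the GPO editor. The following PowerShell is an added example and not part of the original article: it reports those values for every DC, flags a wildcard exception, and provides a helper for the Protected Users pilot described above. It assumes the ActiveDirectory module and PowerShell remoting to the DCs. The value names RestrictNTLMInDomain, AuditNTLMInDomain and DCAllowedNTLMServers under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters are the ones these policies set; the numeric-to-option mapping (0/1/3/5/7) is my reading of the policy's option order and should be checked against your ADMX before you rely on it.

```powershell
# Added example (not from the original article): read the effective domain NTLM restriction
# and audit settings from each DC, and pilot Kerberos-only logons via Protected Users.
# Assumes the ActiveDirectory module and WinRM remoting to the domain controllers.

Import-Module ActiveDirectory

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Assumed mapping from registry value to the option shown in the GPO editor; verify against your ADMX.
$RestrictNames = @{
    0 = 'Disable'
    1 = 'Deny for domain accounts to domain servers'
    3 = 'Deny for domain accounts'
    5 = 'Deny for domain servers'
    7 = 'Deny all'
}
$AuditNames = @{
    0 = 'Disable'
    1 = 'Enable for domain accounts to domain servers'
    3 = 'Enable for domain accounts'
    5 = 'Enable for domain servers'
    7 = 'Enable all'
}

function Get-DomainNtlmRestriction {
    param([string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))

    Invoke-Command -ComputerName $DomainController -ArgumentList $NetlogonKey -ScriptBlock {
        param($Key)
        $p = Get-ItemProperty -Path $Key
        [pscustomobject]@{
            DomainController     = $env:COMPUTERNAME
            RestrictNTLMInDomain = $p.RestrictNTLMInDomain   # $null = policy not configured
            AuditNTLMInDomain    = $p.AuditNTLMInDomain      # $null = policy not configured
            AllowedServers       = $p.DCAllowedNTLMServers   # REG_MULTI_SZ exception list
        }
    } | ForEach-Object {
        $r = $_.RestrictNTLMInDomain
        $a = $_.AuditNTLMInDomain
        $servers = @($_.AllowedServers | Where-Object { -not [string]::IsNullOrEmpty($_) })
        $restrict = if ($null -eq $r) { 'not configured' } else { "$r - $($RestrictNames[[int]$r])" }
        $audit    = if ($null -eq $a) { 'not configured' } else { "$a - $($AuditNames[[int]$a])" }
        [pscustomobject]@{
            DomainController  = $_.DomainController
            RestrictNTLM      = $restrict
            AuditNTLM         = $audit
            Exceptions        = ($servers -join ', ')
            # A '*' exception re-allows NTLM to every server and defeats the restriction.
            WildcardException = ($servers -contains '*')
        }
    }
}

function Add-KerberosOnlyPilotUser {
    # Protected Users members cannot authenticate with NTLM, Digest or CredSSP, so a small
    # pilot group shows which applications break before NTLM is restricted domain-wide.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($user in $SamAccountName) {
        if ($PSCmdlet.ShouldProcess($user, 'Add to Protected Users')) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $user
        }
    }
}

# Usage (account names are placeholders):
# Get-DomainNtlmRestriction | Format-Table -AutoSize
# Add-KerberosOnlyPilotUser -SamAccountName 'pilot.user1', 'pilot.user2' -WhatIf
```

Keep the pilot accounts ordinary user accounts rather than service or emergency-access accounts: a Protected Users member that loses its Kerberos ticket cannot fall back to NTLM, which is the point of the test but also the reason to exclude break-glass administrators.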

[Screenshot: Network Security: Restrict NTLM: NTLM authentication in this domain policy]

To further improve Active Directory security, I recommend reading these articles: Mitigations against Mimikatz Style Attacks, Securing Privileged Administrator Accounts, How to Disable LLMNR and NetBIOS over TCP/IP.

2 comments

Hardening settings for Domain Controllers - Original Network | IT Blog February 29, 2020 - 4:33 pm

[…] Event 4624 with data fields like “Authentication Package” and “Package name (NTLM only)” needs to be filtered. If you see something like NTLMV1 at Package Name, it shows you that there is an application still using NTLMv1. Disabling NTLM immediately can break an application. Make sure this is tested properly. […]

agus August 23, 2020 - 3:02 pm

I am still confused about whether to force workstations to use NTLMv2 or to use Kerberos; my office has been pentested and a backdoor from NTLMv1 was found.
