Windows OS Hub

September 24, 2019 | Active Directory, Group Policies, Security, Windows Server 2012 R2

How to Disable NTLM Authentication in Windows Domain?

NTLM (NT LAN Manager) has been the basic Microsoft authentication protocol for a long time: since Windows NT. Although Microsoft introduced the more secure Kerberos authentication protocol in Windows 2000, NTLM (usually NTLMv2) is still widely used for authentication on Windows domain networks. In this article, we’ll consider how to disable the NTLMv1 and NTLMv2 protocols and switch to Kerberos in your Active Directory domain.

The main NTLMv1 problems:

  • weak encryption;
  • the password hash is stored in the memory of the LSA service, from where it can be extracted with various tools (such as mimikatz) and then used for further attacks;
  • there is no mutual authentication between the server and the client, which enables interception attacks and unauthorized access to network resources (tools such as Responder can capture NTLM data sent over the network and use it to access network resources);
  • other vulnerabilities.

Some of these issues were fixed in the next version, NTLMv2, which uses stronger cryptographic algorithms and helps prevent the popular NTLM attacks. The NTLMv1 and LM authentication protocols are disabled by default starting with Windows 7 / Windows Server 2008 R2.

Contents:
  • Configuring GPO to Force NTLMv2
  • How to Enable NTLM Authentication Audit Logging?
  • How to Completely Restrict NTLM in Active Directory Domain?

Configuring GPO to Force NTLMv2

If you are considering stopping the use of NTLM in your domain, first make sure that you are not using its more vulnerable version, NTLMv1. Your network may contain a number of legacy devices or services that still use NTLMv1 authentication instead of NTLMv2 (or Kerberos). So, before disabling it completely, read the NTLM authentication event audit section of this article.

Small open source products, older network scanners (the kind that save scans to shared network folders), some NAS devices and other old hardware, software and operating systems are likely to have authentication problems once NTLMv1 is disabled.

First of all, the domain administrator needs to make sure that the LM and NTLMv1 protocols are no longer allowed for authentication in the domain, since in some cases an attacker can craft requests that make a client answer with an LM/NTLMv1 response.

You can set the preferred authentication type using a domain (or local) policy. Open the Group Policy Management Editor (gpmc.msc) and edit the Default Domain Policy. Go to the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level.

[Screenshot: Network Security: LAN Manager authentication level policy (disable NTLMv1 and LM)]

There are 6 options in the policy settings:

  1. Send LM & NTLM responses;
  2. Send LM & NTLM responses – use NTLMv2 session security if negotiated;
  3. Send NTLM response only;
  4. Send NTLMv2 response only;
  5. Send NTLMv2 response only. Refuse LM;
  6. Send NTLMv2 response only. Refuse LM & NTLM.

The options are listed in order of increasing security. By default, Windows 7 and newer OSs use the option Send NTLMv2 response only. With this option, client computers use NTLMv2 authentication, but AD domain controllers still accept LM, NTLM and NTLMv2 requests.

NTLMv2 is used when Kerberos is not available, for some operations (for example, when managing local groups and accounts on domain-joined computers), or in workgroups.

You can change the policy value to the most secure option 6: “Send NTLMv2 response only. Refuse LM & NTLM”. If you configure this setting on domain controllers, they will reject all LM and NTLMv1 requests.

You can also disable NTLMv1 through the registry. To do this, create a DWORD value named LmCompatibilityLevel with a value of 0-5 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM & NTLM”.

Make sure that the Network security: Do not store LAN Manager hash value on next password change policy is enabled in the same GPO section. It is enabled by default starting with Windows Vista / Windows Server 2008 and prevents the creation of LM hashes.

[Screenshot: Network security: Do not store LAN Manager hash value on next password change]

Don’t forget to apply this policy to your domain controllers.

Once you have made sure that you are not using NTLMv1, you can go further and try to disable NTLMv2. NTLMv2 is a more secure authentication protocol, but it still lags well behind Kerberos: although it has fewer weaknesses than NTLMv1, captured authentication data can still be relayed or reused, and it does not support mutual authentication.

The main risk of disabling NTLM is the potential usage of legacy or incorrectly configured applications that can still use NTLM authentication. In this case, you will have to update or configure them in a special way to switch to Kerberos.

How to Enable NTLM Authentication Audit Logging?

Before you completely disable NTLM in your domain and switch to Kerberos, make sure that there are no apps left in the domain that require and use NTLM authentication.

To track the accounts or apps that use NTLM authentication, you can enable the audit policies on all computers using a GPO. In the Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options section, find and enable the Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy and set its value to Enable all.

[Screenshot: Network Security: Restrict NTLM: Audit NTLM authentication in this domain]

In the same way, enable the policy Network Security: Restrict NTLM: Audit Incoming NTLM Traffic and set its value to Enable auditing for domain accounts.

[Screenshot: Network Security: Restrict NTLM: Audit Incoming NTLM Traffic]

After enabling these policies, NTLM authentication events appear in the Application and Services Logs -> Microsoft -> Windows -> NTLM section of the Event Viewer.

You can analyze the events on each server or collect them to the central Windows Event Log Collector.

You need to search for events from the source Microsoft-Windows-Security-Auditing with Event ID 4624 (“An account was successfully logged on”). Look at the “Detailed Authentication Information” section: if the Authentication Package value is NTLM, then the NTLM protocol was used to authenticate this user.

The Package Name (NTLM only) value shows which protocol (LM, NTLMv1 or NTLMv2) was actually used for the authentication. This is how you detect all servers and applications that still use the legacy protocol.

[Screenshot: Event ID 4624 from Microsoft-Windows-Security-Auditing showing NTLM usage]

For example, to search for all NTLMv1 authentication events on all domain controllers, you can use the following PowerShell script:

# Domain controllers to query (requires the Active Directory PowerShell module)
$ADDCs = Get-ADDomainController -Filter *
$Now = Get-Date
$Yesterday = $Now.AddDays(-1)
$NewOutputFile = "c:\Events\$($Yesterday.ToString('yyyyddMM'))_AD_NTLMv1_events.log"
# Create the output folder if it does not exist yet
New-Item -ItemType Directory -Path (Split-Path $NewOutputFile) -Force | Out-Null
function GetEvents($DC){
    Write-Host "Searching log on " $DC.HostName
    # Event 4624 whose message text contains "V1" (the Package Name field reads "NTLM V1")
    $Events = Get-EventLog "Security" -After $Yesterday.Date -Before $Now.Date -ComputerName $DC.HostName -Message "*V1*" -InstanceId 4624
    foreach($Event in $Events){
        Write-Host $DC.HostName $Event.EventID $Event.TimeGenerated
        Out-File -FilePath $NewOutputFile -InputObject "$($Event.EventID), $($Event.MachineName), $($Event.TimeGenerated), $($Event.ReplacementStrings), ($($Event.Message))" -Append
    }
}
foreach($DC in $ADDCs){ GetEvents($DC) }
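The script above matches the whole message text with a “*V1*” wildcard. The following script is an added example (written for this article, not the author’s code) that instead reads the structured fields of each 4624 event, so NTLM logons can be grouped by account, workstation and NTLM version without depending on message wording. It assumes the Active Directory module is installed, that Get-WinEvent can reach each DC over RPC, and that the output path C:\Events\ntlm_logons.csv exists (both the path and the -Hours default are assumptions). The field names (AuthenticationPackageName, LmPackageName, TargetUserName, WorkstationName, IpAddress, LogonType) are the standard EventData names of event 4624.

```powershell
# Added example (not from the original article): collect NTLM logons recorded
# in the Security log of every domain controller and read the structured
# EventData fields instead of wildcard-matching the message text.
# Assumptions: ActiveDirectory module present, RPC access to each DC,
# output folder C:\Events exists.
param(
    [int]$Hours = 24,                                   # look-back window (assumed default)
    [string]$OutputCsv = "C:\Events\ntlm_logons.csv"    # assumed output path
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    Write-Host "Querying $($dc.HostName)"
    # Server-side filter: only successful logons (4624) newer than $since.
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Convert the event to XML so every EventData field can be read by name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Kerberos logons carry AuthenticationPackageName = Kerberos; skip them.
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }

        [pscustomobject]@{
            DomainController = $dc.HostName
            TimeCreated      = $e.TimeCreated
            Account          = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation      = $data['WorkstationName']
            SourceIp         = $data['IpAddress']
            LogonType        = $data['LogonType']
            # "NTLM V1", "NTLM V2" or "LM": the "Package Name (NTLM only)" field of the event
            NtlmVersion      = $data['LmPackageName']
        }
    }
}

$results | Export-Csv -Path $OutputCsv -NoTypeInformation

# Summary: which accounts and workstations still use NTLM, and which version.
$results |
    Group-Object NtlmVersion, Workstation, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Two caveats when reading the output. Event 4624 on a domain controller only records logons to that DC itself (LDAP, SMB to SYSVOL, RDP and so on); NTLM authentication to member servers shows up on the DC as event 4776 (credential validation), which does not record the NTLM version, so the NTLM version for those has to be read from the 4624 event on the member server or from the NTLM audit events mentioned in the article. Remote Get-WinEvent also needs the “Remote Event Log Management” firewall rule enabled on the DCs.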

After you have found the users and applications that use NTLM in your domain, try to switch them to Kerberos (this may require registering an SPN). Some applications need to be slightly reconfigured to use Kerberos authentication (see the articles Kerberos Authentication in IIS and How to configure different browsers for Kerberos authentication?). From my own experience, even large commercial products still use NTLM instead of Kerberos, and some of them require updates or configuration changes. The key task is to detect which apps use NTLM authentication, and you now have a method to identify this software and these devices.

Kerberos authentication requires that you connect to a server by its DNS name rather than its IP address. If you specify an IP address when connecting to a resource, NTLM authentication is used.

Apps that cannot use Kerberos can be added to an exception list, which allows them to use NTLM authentication even when it is disabled at the domain level. Use the Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy for this: add the names of the servers on which NTLM authentication is still allowed. Ideally, this exception list should be empty. The wildcard * is supported.

[Screenshot: GPO Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain]

How to Completely Restrict NTLM in Active Directory Domain?

To check how authentication without NTLM works for different apps in your domain, you can add user accounts to the “Protected Users” domain group (available since Windows Server 2012 R2). Members of this security group can authenticate only with Kerberos (NTLM, Digest Authentication and CredSSP are not allowed), so you can verify that Kerberos user authentication works correctly in different apps.

Then you can completely disable NTLM on the Active Directory domain using the Network Security: Restrict NTLM: NTLM authentication in this domain policy.

The policy has 5 options:

  • Disable: the policy is disabled (NTLM authentication is allowed in the domain);
  • Deny for domain accounts to domain servers: the domain controllers deny NTLM authentication attempts by domain accounts to all servers in the domain, and the “NTLM is blocked” error appears;
  • Deny for domain accounts: the domain controllers deny NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears;
  • Deny for domain servers: NTLM authentication requests are denied for all servers unless the server name is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy;
  • Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.

[Screenshot: GPO Network Security: Restrict NTLM: NTLM authentication in this domain]
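Before changing the Restrict NTLM policy it helps to see what every domain controller currently enforces. The script below is an added example (not the article’s code) that reads, read-only, the registry values behind the policies discussed in this article (LAN Manager authentication level and “Do not store LAN Manager hash” under Lsa, the two audit policies, the NTLM authentication in this domain policy and its server exception list under Netlogon\Parameters) from all DCs and maps them back to the option names used in the text. It assumes the Active Directory module and WinRM access to the DCs; the registry value names and the number-to-option mappings are taken from the Group Policy definitions as I know them, so verify them against the policy’s Explain tab before relying on them.

```powershell
# Added example (not from the original article): report the effective NTLM
# hardening settings of every domain controller. Read-only; nothing is changed.
# Assumptions: ActiveDirectory module present, WinRM (Invoke-Command) reachable
# on the DCs. Value names/mappings follow the GPO definitions as I know them.
Import-Module ActiveDirectory

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# "Network security: LAN Manager authentication level" (LmCompatibilityLevel)
$lmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
# "Network security: Restrict NTLM: NTLM authentication in this domain" (RestrictNTLMInDomain)
$restrictNames = @{
    0 = 'Disable'
    1 = 'Deny for domain accounts to domain servers'
    3 = 'Deny for domain accounts'
    5 = 'Deny for domain servers'
    7 = 'Deny all'
}
# "Network security: Restrict NTLM: Audit NTLM authentication in this domain" (AuditNTLMInDomain)
$auditNames = @{
    0 = 'Disable'
    1 = 'Enable for domain accounts to domain servers'
    3 = 'Enable for domain accounts'
    5 = 'Enable for domain servers'
    7 = 'Enable all'
}

# Runs on each DC and returns one object with the raw registry values.
$collect = {
    param($lsa, $msv, $netlogon)
    function Get-RegValue($path, $name) {
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    }
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        LmCompatibilityLevel = Get-RegValue $lsa 'LmCompatibilityLevel'      # absent = OS default
        NoLMHash             = Get-RegValue $lsa 'NoLMHash'
        AuditReceivingNTLM   = Get-RegValue $msv 'AuditReceivingNTLMTraffic'  # "Audit Incoming NTLM Traffic"
        AuditNTLMInDomain    = Get-RegValue $netlogon 'AuditNTLMInDomain'
        RestrictNTLMInDomain = Get-RegValue $netlogon 'RestrictNTLMInDomain'
        DCAllowedNTLMServers = @(Get-RegValue $netlogon 'DCAllowedNTLMServers' | Where-Object { $_ })
    }
}

$dcs    = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ScriptBlock $collect -ArgumentList $lsa, $msv, $netlogon

foreach ($dc in $report) {
    # Windows 7 / 2008 R2 and later default to level 3 when the value is absent.
    $level    = if ($null -eq $dc.LmCompatibilityLevel) { 3 } else { [int]$dc.LmCompatibilityLevel }
    $restrict = if ($null -eq $dc.RestrictNTLMInDomain) { 0 } else { [int]$dc.RestrictNTLMInDomain }
    $audit    = if ($null -eq $dc.AuditNTLMInDomain)    { 0 } else { [int]$dc.AuditNTLMInDomain }

    "{0}: LmCompatibilityLevel={1} ({2}); AuditNTLMInDomain={3} ({4}); RestrictNTLMInDomain={5} ({6})" -f `
        $dc.Computer, $level, $lmLevelNames[$level], $audit, $auditNames[$audit], $restrict, $restrictNames[$restrict]

    $findings = @()
    # Only level 5 makes a DC refuse both LM and NTLMv1 responses.
    if ($level -lt 5)                         { $findings += 'NTLMv1 responses are still accepted' }
    if ($dc.NoLMHash -ne 1)                   { $findings += 'NoLMHash is not explicitly set to 1' }
    if ($audit -eq 0)                         { $findings += 'NTLM auditing in this domain is off' }
    if (-not $dc.AuditReceivingNTLM)          { $findings += 'Audit Incoming NTLM Traffic is off' }
    if ($dc.DCAllowedNTLMServers.Count -gt 0) { $findings += "Server exceptions present: $($dc.DCAllowedNTLMServers -join ', ')" }

    if ($findings) { $findings | ForEach-Object { "  - $_" } } else { '  - no findings' }
}
```

Run it once before enabling auditing (to get a baseline), again after the audit period, and a final time after setting the Restrict NTLM policy to confirm that every DC picked up the same value and that the exception list is as short as the audit results allow.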

To further improve Active Directory security, I recommend reading these articles: Mitigations against Mimikatz Style Attacks, Securing of Privileged Administrator Accounts, How to Disable LLMNR and NetBIOS over TCP/IP.

11 comments

Hardening settings for Domain Controllers - Original Network | IT Blog February 29, 2020 - 4:33 pm

[…] Event 4624 with data fields like “Authentication Package” and “Package name (NTLM only)” needs to be filtered. If you see something like NTLMV1 at Package Name, it shows you that there is an application still using NTLMv1. Disabling NTLM immediately can break an application. Make sure this is tested properly. […]

Reply
agus August 23, 2020 - 3:02 pm

I’m still confused about whether to force workstations to use NTLMv2 or to use Kerberos; my office has been pentested and they found a backdoor from NTLMv1.

Reply
Marcin March 9, 2021 - 1:34 pm

I think the last picture shows a wrong setting based on where it is placed, isn’t it?

Reply
Edward Burlakov November 7, 2022 - 3:35 pm

You are completely right! There mustn’t be the word “Audit” in the header of the last screenshot.

Reply
Eric May 6, 2021 - 1:49 am

Thanks for tips guys!

The correct registry key for “LMCompatibilityLevel” entry in Secpol.msc is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Reply
admin May 6, 2021 - 6:00 am

Thanks for your clarification! I corrected the registry key in the article

Reply
Piosk October 19, 2021 - 7:53 am

I am confused. Which policy should I modify: Default Domain or Default Domain Controllers?

Reply
admin October 26, 2021 - 11:17 am

Use the Default Domain Controllers Policy in order to restrict NTLM usage on DCs.

Reply
Jamie November 10, 2021 - 7:49 pm

I would like to suggest some different code to run against your domain to get the events around NTLM:
# Must be run from a DC of the domain whose domain controllers you want to collect from,
# with the same credentials (the poster's site-specific example hosts and accounts were removed at their request)
$ADDCs = Get-ADDomainController -Filter *
$desktop = [Environment]::GetFolderPath("Desktop")
$Now = Get-Date
$Yesterday = $Now.AddDays(-1)
# Last 6 hours (21600000 ms). Get-WinEvent -FilterXml expects a QueryList XML document,
# so the XPath is wrapped in one and "<=" is escaped as "&lt;=".
$Query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4776 or EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 21600000]]]</Select>
  </Query>
</QueryList>
'@

$NewOutputFile = "$desktop\$($Yesterday.ToString('yyyyddMM'))_AD_NTLMv1_events.log"
function GetEvents($DC){
    Write-Host "Searching log on " $DC.HostName
    # Note: the message of every 4776 event contains "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
    # so the "*V1*" filter keeps all 4776 events, not only NTLMv1 ones; only the 4624 events
    # carry the "NTLM V1" package name.
    $Events2 = Get-WinEvent -ComputerName $DC.HostName -FilterXml $Query | Where-Object { $_.Message -like "*V1*" } | Select-Object TimeCreated, Id, MachineName, UserId, Message
    foreach($Event in $Events2){
        Write-Host $DC.HostName $Event.Id $Event.TimeCreated
        Out-File -FilePath $NewOutputFile -InputObject "$($Event.Id), $($Event.MachineName), $($Event.TimeCreated), ($($Event.Message))" -Append
    }
}
foreach($DC in $ADDCs){ GetEvents($DC) }

In the Query I just added but have not tested yet this portion: EventID=4776 or

Reply
Jamie November 10, 2021 - 7:51 pm

Of course I left in some comments which should have probably not been included. Please remove these if you have the ability.

Reply
CRB February 15, 2022 - 4:47 pm

Event IDs 8002 and 8004 are probably a better choice to search for the NTLM audit events. They have their own log in Event Viewer: Microsoft > Windows > NTLM.

Reply
