NTLM (NT LAN Manager) has been the main Microsoft authentication protocol for a very long time: since Windows NT. Although Microsoft introduced the more secure Kerberos authentication protocol in Windows 2000, NTLM (usually NTLMv2) is still widely used for authentication in Windows domain networks. In this article, we'll look at how to disable the NTLMv1 and NTLMv2 protocols and switch to Kerberos in your Active Directory domain.
The main NTLMv1 problems:
- weak cryptography: the DES-based challenge/response can be cracked quickly or attacked with precomputed tables;
- the password hash is kept in the memory of the LSA process, from where it can be extracted with various tools and then reused in further attacks (pass-the-hash);
- no mutual authentication between server and client, which enables interception and relay attacks and unauthorized access to network resources (tools such as Responder can capture NTLM authentication data sent over the network and use it to access network resources);
- other vulnerabilities.
Some of these were fixed in the next version, NTLMv2, which uses stronger cryptography and prevents many of the common NTLM attacks. Starting with Windows 7 / Windows Server 2008 R2, clients no longer send LM or NTLMv1 responses by default, although domain controllers still accept them unless configured otherwise.
Configuring GPO to Force NTLMv2
If you are planning to stop using NTLM in your domain, first make sure that its weaker version, NTLMv1, is not in use. Your network may contain a number of legacy devices or services that still authenticate with NTLMv1 instead of NTLMv2 (or Kerberos). So, before disabling it completely, read the NTLM authentication event audit section of this article.
Small open source products, older network scanners and multifunction printers (that save scans to shared network folders), some NAS devices and other legacy devices, software and operating systems are the most likely to have authentication problems once NTLMv1 is disabled.
First of all, the domain administrator must make sure that the LM and NTLMv1 protocols cannot be used for authentication in the domain, because in some cases an attacker can use specially crafted requests to force a client to answer an LM/NTLMv1 challenge (a downgrade attack).
You can set the preferred authentication type with a domain (or local) policy. Open the Group Policy Management Editor (gpmc.msc) and edit the Default Domain Policy (or, better, a dedicated GPO linked to the domain). Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level.
There are 6 options in the policy settings:
- Send LM & NTLM responses;
- Send LM & NTLM responses - use NTLMv2 session security if negotiated;
- Send NTLM response only;
- Send NTLMv2 response only;
- Send NTLMv2 response only. Refuse LM;
- Send NTLMv2 response only. Refuse LM & NTLM.
The options are listed in order of increasing security. By default, Windows 7 and newer use the option Send NTLMv2 response only. With this option, client computers use NTLMv2 authentication, but AD domain controllers still accept LM, NTLM and NTLMv2 requests.
Change the policy value to the most secure option, number 6: Send NTLMv2 response only. Refuse LM & NTLM. If you configure this setting on the domain controllers, they will reject all LM and NTLMv1 requests.
You can also disable NTLMv1 through the registry. To do so, create a DWORD value named LmCompatibilityLevel with a value from 0 to 5 in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Value 5 corresponds to the policy option Send NTLMv2 response only. Refuse LM & NTLM.
Don't forget to apply this policy to your domain controllers (via the Default Domain Controllers Policy or a GPO linked to the Domain Controllers OU).
Once you have made sure that NTLMv1 is no longer used, you can go further and try to disable NTLMv2. NTLMv2 is a more secure authentication protocol, but it is still far behind Kerberos: although it has fewer weaknesses than NTLMv1, captured authentication data can still be relayed or reused, and it does not provide mutual authentication.
The main risk of disabling NTLM is legacy or incorrectly configured applications that still use NTLM authentication. In that case you will have to update them or reconfigure them to switch to Kerberos.
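The following PowerShell script is an added example (it is not from the original article) that checks the LmCompatibilityLevel described above on the local machine, reports which policy option it corresponds to, and optionally raises it to 5. The registry value name, key and the 0-5 meanings are the documented backing of the LAN Manager authentication level policy; the function names and the $Enforce switch are my own.

```powershell
# Added example: inspect and optionally enforce the LAN Manager authentication level.
# Run in an elevated PowerShell. LmCompatibilityLevel under Control\Lsa is the registry
# backing of "Network security: LAN Manager authentication level"; function names are mine.
$Enforce = $false          # set to $true to actually write the registry
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # An absent value means the OS default, which is 3 on Windows 7 / Server 2008 R2 and later
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 3 }
    return [int]$item.LmCompatibilityLevel
}

function Set-LmCompatibilityLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)
    # DWORD value, created if missing or overwritten if present
    New-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -PropertyType DWord -Value $Level -Force | Out-Null
}

$current = Get-LmCompatibilityLevel
"Current LmCompatibilityLevel: $current ($($LmLevelNames[$current]))"

if ($current -lt 5) {
    # Levels 0-2 still let this host send LM or NTLMv1 responses itself
    if ($current -lt 3) { "WARNING: this host may still send LM or NTLMv1 responses" }
    if ($Enforce) {
        Set-LmCompatibilityLevel -Level 5
        $new = Get-LmCompatibilityLevel
        "Set LmCompatibilityLevel to $new ($($LmLevelNames[$new]))"
    } else {
        "Level is below 5; set `$Enforce = `$true (or configure the GPO) to refuse LM and NTLMv1"
    }
}
```

A domain GPO that sets this policy overwrites the local registry value at the next policy refresh, so on domain members treat the script as a check and make the change in the GPO. To check a remote domain controller, wrap the script body in Invoke-Command.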
How to Enable NTLM Authentication Audit Logging?
Before completely disabling NTLM in your domain and switching to Kerberos, make sure that no applications remain in the domain that require and use NTLM authentication.
To track the accounts and applications that use NTLM authentication, enable the audit policies on all computers via GPO. In Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options, find and enable the policy Network Security: Restrict NTLM: Audit NTLM authentication in this domain and set it to Enable all.
In the same way, enable the policy Network Security: Restrict NTLM: Audit Incoming NTLM Traffic and set it to Enable auditing for domain accounts (or Enable auditing for all accounts if you also want to see local accounts).
After these policies take effect, NTLM authentication events (Event IDs 8001 to 8004) appear in Applications and Services Logs -> Microsoft -> Windows -> NTLM -> Operational in Event Viewer.
You can analyze the events on each server or forward them to a central Windows Event Collector.
In the Security log, look for events from the source Microsoft-Windows-Security-Auditing with Event ID 4624 (An account was successfully logged on). Check the Detailed Authentication Information section: if the Authentication Package value is NTLM, the NTLM protocol was used to authenticate this user.
Look at the value of Package Name (NTLM only). This field shows which protocol (LM, NTLM V1 or NTLM V2) was used for authentication. This way you can identify all servers and applications that still use the legacy protocol. Note that a 4624 event on a domain controller only covers logons to the DC itself: NTLM logons to member servers are validated on the DC as event 4776, which does not include the NTLM version, so check the 4624 events on the member servers as well.
For example, to find all NTLMv1 authentication events on all domain controllers for the previous day, you can use the following PowerShell script (the ActiveDirectory module is required and the C:\Events folder must exist):
$ADDCs = Get-ADDomainController -Filter *
$Now = Get-Date
$Yesterday = $Now.AddDays(-1)
$NewOutputFile = "C:\Events\$($Yesterday.ToString('yyyyddMM'))_AD_NTLMv1_events.log"
foreach ($DC in $ADDCs) {
    # 4624 logons on this DC since yesterday whose "Package Name (NTLM only)" field is NTLM V1
    Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Yesterday} |
        Where-Object { $_.Message -match 'Package Name \(NTLM only\):\s+NTLM V1' } |
        ForEach-Object { "$($DC.HostName)`t$($_.TimeCreated)`t$($_.Message)" } | Out-File -FilePath $NewOutputFile -Append
}
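The 4624 search above only tells you that NTLM was used; the Microsoft-Windows-NTLM/Operational log written by the two audit policies also tells you which client talked to which server. The script below is an added example (not from the original article) that collects events 8001 to 8004 from every domain controller and the local server and groups them by event, peer and account. The EventData field names used for the Peer and Account columns (TargetName, WorkstationName, ClientUserName, UserName) are my reading of those events; all other fields are kept on the objects, so you can inspect them if the names differ in your environment. The function names are my own.

```powershell
# Added example: summarise the NTLM audit events (8001-8004) from the NTLM Operational log.
# Field names used for grouping are assumptions; every EventData field is kept on the object.
function Get-NtlmAuditEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> pairs into properties
            $xml = [xml]$_.ToXml()
            $obj = [ordered]@{ Computer = $ComputerName; Id = $_.Id; Time = $_.TimeCreated }
            foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $obj[$d.Name] = $d.'#text' } }
            # 8001 (outgoing, on the client) names the target server; 8002/8004 (incoming, on server/DC)
            # name the workstation. Take whichever is present (assumed field names).
            $obj['Peer']    = @($obj['TargetName'], $obj['WorkstationName']) | Where-Object { $_ } | Select-Object -First 1
            $obj['Account'] = @($obj['ClientUserName'], $obj['UserName'])    | Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]$obj
        }
}

function Get-NtlmUsageSummary {
    param([object[]]$Events)
    # One row per (event type, peer, account) with a count and the last time it was seen
    $Events | Group-Object -Property Id, Peer, Account | ForEach-Object {
        [pscustomobject]@{
            Id      = $_.Group[0].Id
            Peer    = $_.Group[0].Peer
            Account = $_.Group[0].Account
            Count   = $_.Count
            Last    = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

# Collect from every DC plus the local server, then print the busiest NTLM talkers first
$dcs = @((Get-ADDomainController -Filter *).HostName)
$events = foreach ($host in $dcs + $env:COMPUTERNAME) { Get-NtlmAuditEvents -ComputerName $host }
Get-NtlmUsageSummary -Events $events | Format-Table -AutoSize
```

Event 8001 is logged on the client that initiated the NTLM authentication, so to see which processes are responsible you need to run Get-NtlmAuditEvents against the workstations and member servers too, not just the domain controllers; the log is empty until the audit policies above are applied.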
Once you have found the users and applications that use NTLM in your domain, try to switch them to Kerberos (which usually means registering an SPN for the service). Some applications need a small reconfiguration to use Kerberos authentication. From my own experience, even large commercial products still use NTLM instead of Kerberos, and some of them require updates or configuration changes. It all comes down to detecting which apps use NTLM authentication, and you now have a method to identify this software and these devices.
Use the DNS name of your server instead of its IP address when connecting: Kerberos needs a name to look up the SPN, and if you specify an IP address, NTLM authentication is used instead.
Apps that cannot use Kerberos can be added to an exception list, which allows them to use NTLM authentication even when it is blocked at the domain level. To do so, use the policy Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain and add the names of the servers on which NTLM authentication may still be used. Ideally this list is empty. The wildcard * is supported.
How to Completely Restrict NTLM in Active Directory Domain?
To check how authentication without NTLM will work for the different apps in your domain, add test user accounts to the Protected Users domain group (available since Windows Server 2012 R2). Members of this security group can authenticate only with Kerberos (NTLM, Digest Authentication and CredSSP are not allowed), so you can verify whether Kerberos authentication works correctly in each application. The group also imposes other restrictions (no Kerberos delegation, AES-only Kerberos, a short TGT lifetime), so use ordinary test accounts and do not add service or computer accounts to it.
Then you can completely disable NTLM in the Active Directory domain with the policy Network Security: Restrict NTLM: NTLM authentication in this domain.
The policy has 5 options:
- Disable: the policy is disabled (NTLM authentication is allowed in the domain);
- Deny for domain accounts to domain servers: the domain controllers deny NTLM authentication attempts by domain accounts to all servers in the domain, and the NTLM is blocked error is returned;
- Deny for domain accounts: the domain controllers deny NTLM authentication attempts for all domain accounts, and the NTLM is blocked error is returned;
- Deny for domain servers: NTLM authentication requests to all servers are denied unless the server name is on the exception list in the Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy;
- Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.
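Before and after you roll the policy out, it is worth confirming what each domain controller actually enforces rather than trusting the GPO link. The script below is an added example (not from the original article) that reads the registry values behind the Restrict NTLM domain policies from every domain controller and translates them back into the option names listed above, including the server exception list described earlier. The value names under Lsa\MSV1_0 (RestrictNTLMInDomain, AuditNTLMInDomain, DCAllowedNTLMServers) and the value-to-option mapping follow Microsoft's documentation of these Security Options policies; verify them against gpresult on one DC if in doubt. It assumes the ActiveDirectory module and WinRM access to the DCs; the function names are my own.

```powershell
# Added example: report the effective "Restrict NTLM" domain settings on every DC.
# Registry value names and the value-to-option mapping follow the policy documentation.
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

$RestrictOptions = @{
    0 = 'Disable'
    1 = 'Deny for domain accounts to domain servers'
    3 = 'Deny for domain accounts'
    5 = 'Deny for domain servers'
    7 = 'Deny all'
}
$AuditOptions = @{
    0 = 'Disable'
    1 = 'Enable for domain accounts to domain servers'
    3 = 'Enable for domain accounts'
    5 = 'Enable for domain servers'
    7 = 'Enable all'
}

function Get-DcNtlmPosture {
    # Reads the raw values on each DC; a missing value means the policy is not configured
    param([Parameter(Mandatory)][string[]]$DomainControllers)
    Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
        $p = Get-ItemProperty -Path $using:Msv1Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC            = $env:COMPUTERNAME
            RestrictValue = $p.RestrictNTLMInDomain
            AuditValue    = $p.AuditNTLMInDomain
            Exceptions    = @($p.DCAllowedNTLMServers)
        }
    }
}

function ConvertTo-NtlmPostureReport {
    # Translates the raw values into the option names shown in the Group Policy editor
    param([object[]]$Rows)
    foreach ($r in $Rows) {
        $restrict = if ($null -eq $r.RestrictValue) { 'Not configured' } else { $RestrictOptions[[int]$r.RestrictValue] }
        $audit    = if ($null -eq $r.AuditValue)    { 'Not configured' } else { $AuditOptions[[int]$r.AuditValue] }
        $exc      = if ($r.Exceptions.Count -gt 0)  { $r.Exceptions -join ', ' } else { '(none)' }
        [pscustomobject]@{ DC = $r.DC; Restrict = $restrict; Audit = $audit; Exceptions = $exc }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
ConvertTo-NtlmPostureReport -Rows (Get-DcNtlmPosture -DomainControllers $dcs) | Format-Table -AutoSize
```

Any DC whose Restrict column differs from the others has not received the policy yet (or has a conflicting local setting), and a non-empty Exceptions column is the list you should be working to shrink before moving to Deny all.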
To further improve Active Directory security, I recommend reading the related articles on this site.