Disable NTLM KB ID 0001880
Problem
NTLM (NT LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users on a network. It is an older protocol that has been largely replaced by Kerberos (since Windows Server 2008 and Windows Vista) in modern Windows environments, because of Kerberos's stronger security features. NTLM is a challenge-response authentication protocol used to authenticate a client to a resource on a network. It operates in three versions: NTLMv1, NTLMv2, and NTLMv2 Session Security.
Key Components
Authentication Process:
- Challenge-Response Mechanism: NTLM uses a challenge-response mechanism where the server challenges the client, and the client responds with a value that proves its knowledge of the user’s password.
- Session Security: Provides confidentiality (encryption) and integrity (signing) for data sent over the network.
NTLM Versions:
- NTLMv1:
- Uses DES (Data Encryption Standard) for encryption.
- The client sends a hashed password, and the server compares it to the stored hash.
- Known for its vulnerabilities, including susceptibility to replay attacks and weak password hashes (LM hashes).
- NTLMv2:
- Introduced to address the security shortcomings of NTLMv1.
- Uses HMAC-MD5 for cryptographic operations.
- Provides stronger encryption and better resistance to replay attacks.
- Supports mutual authentication where both client and server authenticate each other.
- NTLMv2 Session Security:
- Provides additional security by creating a session key based on both client and server challenge-response pairs.
- Ensures integrity and confidentiality for the session.
Components of NTLM:
- User Authentication: Verifies the identity of a user or system requesting access.
- Message Integrity: Ensures that messages are not tampered with during transmission.
- Message Confidentiality: Encrypts messages to protect sensitive information.
Security Weaknesses
- NTLMv1:
- Weak Hashing (LM Hash): The LM hash is derived from passwords in a way that is susceptible to brute-force attacks.
- Replay Attacks: Can be exploited to reuse valid authentication tokens.
- Lack of Mutual Authentication: Only the client is authenticated, not the server.
- NTLMv2:
- Improved but Still Vulnerable: While it significantly improves upon NTLMv1, it is still not as secure as Kerberos and can be vulnerable to certain types of attacks, especially in environments where NTLMv1 is still supported for backward compatibility.
Deprecation and Modern Alternatives
- Kerberos: Introduced in Windows 2000, Kerberos provides stronger security features, including mutual authentication, and is now the default authentication protocol in Active Directory environments.
- Recommendations: Organizations are encouraged to disable NTLM where possible, particularly NTLMv1, and to use Kerberos or other modern authentication protocols.
In Summary
NTLM played a crucial role in early Windows network security, providing a means of authenticating users and securing communications. However, due to its security vulnerabilities, especially in NTLMv1, it has been largely replaced by more secure protocols like Kerberos. NTLMv2 offers improvements but is still not as robust as modern alternatives, making it advisable for organizations to phase out NTLM in favour of stronger authentication methods.
As of June 2024, Microsoft has declared that NTLM (all versions) is deprecated.
Solution : Disable NTLM
Developers are being encouraged to STOP using NTLM, and the advice is to set your systems to ONLY use NTLM if Kerberos is not available. Your first challenge is to find out what (if anything) is still using NTLM.
On your server(s), look in the Security event log for Event ID 4624 events that mention NTLM.
But there are thousands of Event ID 4624 events, so let's narrow the search with some PowerShell.
[box]
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[System[(EventID='4624')]]
      and *[EventData[Data[@Name='AuthenticationPackageName'] and (Data='NTLM')]]
    </Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $query
[/box]
Now I can review each of those events (by their time stamp!) and I’ve only got two offenders to investigate.
You can also have a reconnoitre with WireShark, and scan for ntlmssp.
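To make the offenders stand out rather than reading every 4624 event by timestamp, the following is an added example (not part of the original article) that summarises NTLM logons by account, source workstation and NTLM version; it assumes it is run elevated on a domain controller, and uses the 4624 EventData field names (TargetUserName, WorkstationName, IpAddress, LmPackageName) that Windows writes for that event.

```powershell
# Added example: summarise NTLM logons (Event ID 4624) so that the accounts and
# hosts still using NTLM, and whether they use NTLM V1 or V2, are listed once each.
# Assumes an elevated session on a domain controller.
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Turn the event's EventData <Data Name="..."> elements into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Workstation = $d.WorkstationName
        SourceIP    = $d.IpAddress
        NtlmVersion = $d.LmPackageName     # 'NTLM V1' or 'NTLM V2'
        LogonType   = $d.LogonType
    }
}

# One line per account/workstation/version with a count and the last time seen;
# NTLM V1 users are the first ones to chase before LM/NTLMv1 is refused.
$rows | Group-Object Account, Workstation, NtlmVersion | ForEach-Object {
    [pscustomobject]@{
        Account     = $_.Group[0].Account
        Workstation = $_.Group[0].Workstation
        SourceIP    = $_.Group[0].SourceIP
        NtlmVersion = $_.Group[0].NtlmVersion
        Count       = $_.Count
        LastSeen    = ($_.Group | Sort-Object Time -Descending)[0].Time
    }
} | Sort-Object NtlmVersion, Count -Descending | Format-Table -AutoSize
```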
Disable NTLM v1
It's considered best practice to disable NTLM version 1 first, then wait for a while (a period of a few weeks), and only then attempt to disable NTLM version 2 as well.
Edit the Default Domain Controllers Policy and navigate to:
[box]
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network Security: LAN Manager Authentication Level
[/box]
Settings:
- Send LM and NTLM responses
- Send LM and NTLM (use NTLMv2 session security if negotiated)
- Send NTLM response only
- Send NTLMv2 response only
- Send NTLMv2 response only, Refuse LM: Domain controllers offer only NTLMv2 but still accept NTLMv1 authentication.
- Send NTLMv2 response only, Refuse LM and NTLM: Domain controllers refuse LM and NTLMv1, accepting only NTLMv2.
To keep NTLM v2 and disable NTLM v1, choose the last option.
WARNING: This will effectively tattoo this setting into the registry of the domain controller(s): even if you have a problem and revert the setting back to Not Defined, the value will remain. If that happens to you, you can manually change the setting in the registry at:
[box]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
[/box]
There are six settings (0 to 5) that correspond to the options in the group policy. For further information see this article.
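As an added example (not from the original article), the following reads the tattooed value back, reports which of the six policy options it corresponds to, and can correct it. It assumes the registry value name LmCompatibilityLevel under the Lsa key (the value the "LAN Manager authentication level" policy writes) and an elevated session on the domain controller.

```powershell
# Added example: inspect and, if needed, correct the LAN Manager authentication
# level directly in the registry after the group policy setting has been tattooed.
# Assumes the value name LmCompatibilityLevel and an elevated session.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 0-5 map to the six policy options listed above
$Levels = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM (use NTLMv2 session security if negotiated)'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, Refuse LM'
    5 = 'Send NTLMv2 response only, Refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    $value = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        # Value absent: nothing is tattooed and the operating system default applies
        return [pscustomobject]@{ Level = $null; Meaning = 'Not set (OS default applies)' }
    }
    [pscustomobject]@{ Level = [int]$value; Meaning = $Levels[[int]$value] }
}

function Set-LmCompatibilityLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    Write-Host "LmCompatibilityLevel set to $Level ($($Levels[$Level]))."
    Write-Host 'Run gpupdate /force afterwards and re-check that policy has not overwritten it.'
}

Get-LmCompatibilityLevel
# To refuse LM and NTLMv1 while keeping NTLMv2 (the last policy option):
# Set-LmCompatibilityLevel -Level 5
```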
Disable NTLM Completely
Before proceeding, it's a good idea to enable the "Restrict NTLM: Audit NTLM authentication in this domain" policy, then wait a while longer and review the logs. If something does appear, you can simply add it to the "Restrict NTLM: Add server exceptions in this domain" policy.
This time, in the Default Domain Controllers Policy, navigate to:
[box]
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network Security: Restrict NTLM: NTLM authentication in this domain
[/box]
- Disable: the policy is disabled (NTLM authentication is allowed in the domain).
- Deny for domain accounts to domain servers: the domain controllers reject NTLM authentication attempts by domain accounts to domain servers, and the "NTLM is blocked" error message is displayed.
- Deny for domain accounts: the domain controllers reject NTLM authentication attempts for all domain accounts, and the "NTLM is blocked" error appears.
- Deny for domain servers: NTLM authentication requests are denied for all servers unless the servername is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy.
- Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.
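The audit policy mentioned above writes its events to the Microsoft-Windows-NTLM/Operational log on the domain controllers rather than to the Security log, so the review step needs a different query. The following is an added example (not part of the original article) that lists the servers and accounts the audit has caught, which is the list to feed into the server exceptions policy; it assumes Event ID 8004 is the domain-controller audit event and that its EventData uses the field names SChannelName (the server being authenticated to), UserName, DomainName and WorkstationName.

```powershell
# Added example: review the "Audit NTLM authentication in this domain" events on a
# domain controller and list what would break once NTLM is denied.
# Assumptions: Event ID 8004 in Microsoft-Windows-NTLM/Operational, with the
# EventData field names SChannelName, UserName, DomainName and WorkstationName.
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Microsoft-Windows-NTLM/Operational">
      *[System[(EventID=8004)]]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse every <Data Name="..."> element so unexpected field names are still kept
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Server      = $d.SChannelName       # target server to add to the exception list if needed
        Account     = "$($d.DomainName)\$($d.UserName)"
        Workstation = $d.WorkstationName
        AllFields   = ($d.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
}

# Servers that still receive NTLM authentication, most frequent first
$rows | Group-Object Server | Sort-Object Count -Descending |
    Select-Object @{n='Server';e={$_.Name}}, Count,
                  @{n='Accounts';e={($_.Group.Account | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize

# Keep the raw field list for any event whose fields do not match the assumed names
$rows | Where-Object { -not $_.Server } | Select-Object Time, AllFields | Format-List
```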
To stop client computers attempting to connect with NTLM you can edit the Default Domain Policy.
- Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all
Related Articles, References, Credits, or External Links
NA