
Disabling NTLM v1 on Windows desktops

What is NTLM?

NTLM (NT LAN Manager) is a suite of security protocols used in Microsoft Windows environments to provide authentication, integrity, and confidentiality. It has been around since the early versions of Windows and is now considered a legacy protocol. NTLM is used for authenticating clients and servers in a Windows network but is gradually being replaced by more secure authentication protocols like Kerberos.

Key Components:

Authentication: NTLM uses a challenge-response mechanism to authenticate a user without sending the password over the network. Instead, a hashed version of the password is sent, which exposes it to hash-based attacks such as pass-the-hash.

Versions:
- NTLMv1: The original version, now considered weak due to its vulnerability to various attacks.
- NTLMv2: A stronger, more secure version with improvements in the hashing and challenge-response mechanisms, though still less secure than modern protocols like Kerberos.

NTLM is used when:
- Legacy systems or applications require it.
- The network does not support Kerberos (for example, workgroup computers or older systems).
- Local authentication is needed, or systems are not part of an Active Directory domain.

Vulnerabilities:

NTLM is vulnerable to various attacks such as:

Pass-the-Hash: Where attackers steal hashed passwords and use them to impersonate users.
Relay Attacks: Where attackers intercept and relay authentication requests to gain unauthorized access.

Exploitation

A well-known example of a successful NTLMv1 vulnerability exploitation occurred through the SMB relay attack technique. NTLMv1, due to its weaker encryption mechanisms and shorter hash lengths, has been exploited by attackers to gain unauthorized access to systems. One such vulnerability was CVE-2017-0144, associated with the EternalBlue exploit, which targeted the SMBv1 protocol but also highlighted the risks of weak authentication methods like NTLMv1. Note that EternalBlue is the exploit used by the WannaCry worm.

In this attack, NTLMv1 hashes could be captured and used in Pass-the-Hash or relay attacks, allowing attackers to authenticate on target systems without needing the plaintext password. The weakness of NTLMv1 encryption made it relatively easy for attackers to decrypt or relay the authentication attempt.

Another relevant example comes from CVE-2019-1040, where Microsoft patched vulnerabilities that allowed NTLM relay attacks through manipulation of NTLM authentication requests. These exploits involved downgrading NTLMv2 to NTLMv1 or bypassing relay mitigations.


Mitigation

Force NTLMv2 on Windows desktops

https://woshub.com/disable-ntlm-authentication-windows/

Go to the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level.

[Screenshot: Network Security: LAN Manager authentication level - disable NTLMv1 and LM]

There are 6 options to choose from in the policy settings:

Send LM & NTLM responses;
Send LM & NTLM responses – use NTLMv2 session security if negotiated;
Send NTLM response only;
Send NTLMv2 response only;
Send NTLMv2 response only. Refuse LM;
Send NTLMv2 response only. Refuse LM & NTLM.

The NTLM authentication options are listed in order of increasing security. By default, Windows 7 and later operating systems use the option Send NTLMv2 response only. If this option is enabled, client computers use NTLMv2 authentication, but AD domain controllers still accept LM, NTLM, and NTLMv2 requests.
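The six policy options above are stored on each machine as the DWORD value LmCompatibilityLevel (0 to 5, in the order listed) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The following audit script is an added example, not taken from the page or from woshub.com; it assumes that a missing value means the default of 3 (Send NTLMv2 response only) stated above, and it only reports, since the setting should be enforced through the GPO described above rather than by editing the registry directly.

```powershell
# Added example: report the effective LAN Manager authentication level
# on the local machine and flag anything below level 5.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Same six options as the policy dialog, keyed by registry value.
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM responses - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured value, or $null when it has never been set.
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Test-NtlmV1Refused {
    param([int]$Level)
    # Levels 3 and 4 make the client send NTLMv2 but still let a server or
    # DC accept NTLMv1 from other clients; only level 5 refuses LM and NTLMv1.
    return ($Level -ge 5)
}

$configured = Get-LmCompatibilityLevel
# Assumption (from the text above): an absent value behaves as level 3.
$effective = if ($null -eq $configured) { 3 } else { $configured }

Write-Host ("LmCompatibilityLevel: {0} ({1})" -f $effective, $Levels[$effective])
if ($null -eq $configured) {
    Write-Host 'Value not set explicitly; OS default assumed.'
}
if (Test-NtlmV1Refused -Level $effective) {
    Write-Host 'OK: LM and NTLMv1 responses are refused.'
} else {
    Write-Host 'WARNING: LM or NTLMv1 still accepted. Set the GPO to "Send NTLMv2 response only. Refuse LM & NTLM" (level 5).'
}
```

Run it with Invoke-Command against a list of desktops to find machines the GPO has not reached yet; a level below 5 on any of them is the gap to close.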