Bobcares

How to disable NTLM Authentication in Windows Domain?

by | Dec 5, 2020

At Bobcares we often get requests to disable NTLM Authentication in Windows Domain and enable Kerberos instead for our customers.

NTLM (NT LAN Manager) is a basic Microsoft authentication protocol and is in use since Windows NT.

However, some tools such as Responder can capture NTLM data sent over the network and use them to access the network resources.

As a part of Server Management Services, our support engineers handle these requests with ease with some simple steps.

 

Why disable NTLMv1 Authentication in Windows Domain?

Windows 2000 Microsoft introduced a more secure Kerberos authentication protocol.

The NTLM (generally, it is NTLMv2) is still widely in use for authentication on Windows domain networks.

We recommend disabling NTLMv1 and NTLMv2 protocols and use Kerberos due to the following reasons:

  1. NTLM has very weak encryption

2. NTLM stores password hash in the memory of the LSA service, which can be extracted using different tools and then used by attackers.

3. The absence of mutual authentication between a server and a client will result in data interception attacks

4. It will allow unauthorized access to network resources.

Version NTLMv2 uses more secure encryption algorithms and allows for preventing popular NTLM attacks.

NTLMv1 and LM authentication protocols are disabled by default starting with Windows 7/Windows Server 2008 R2.

Thus, it’s recommended to disable  NTLM Authentication in Windows Domain.

[Need further assistance? We are here for you!]

Configuring GPO to Force NTLMv2

To disable NTLM Authentication in Windows Domain we must ensure that we are not using a vulnerable version – NTLMv1.

Our network will have a number of legacy devices or services that will be using NTLMv1 authentication instead of NTLMv2 or Kerberos.

We must ensure that  NTLM and LM protocols are prohibited to be in use only for authentication in the domain.

Because this will allow attackers to use special requests to receive a response to an NTLM/LM request.

Set the preferred authentication type using the domain (or local) policy:

1. Open the Group Policy Management Editor (gpmc.msc)

disable NTLM authentication in windows domain

2. Edit the Default Domain Policy.

3. And  go to the GPO section Computer Configurations

4. Select Policies

5. And then take Security Setting from Windows Settings

6. Then choose Local Policies -> Security Options

7. And find the policy Network Security: LAN Manager authentication level.

There are 6 options in the policy settings:

a. Send LM & NTLM response

b. Send LM & NTLM responses – use NTLMv2 session security if negotiated

c. Send NTLM response only

d. Send NTLMv2 response only

e. Send NTLMv2 response only. Refuse LM

f. Send NTLMv2 response only. Refuse LM& NTLM.

 

The policies of using NTLM authentication are given in the order of their security improvement.

By default, Windows 7 and newer OSes use the option Send NTLMv2 response only.

We can use NTLMv2  if the Kerberos protocol did not work, for some operations in workgroups.

We can change the policy value to the most secure 6 option: “Send NTLMv2 response only. Refuse LM & NTLM”.

If we configure this setting on domain controllers, it will reject all LM and NTLMv1 requests.

Steps to disable NTLMv1 through the registry

We can disable NTLM Authentication in Windows Domain through the registry  by doing the following steps:

1. Create a DWORD parameter with the name LmCompatibilityLevel

2. And set the value 0-5 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsa.

(Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM NTLM”.)

Do not forget to apply this policy to your domain controllers.

The main risk of disabling NTLM is the potential usage of legacy or incorrectly configured applications that can still use NTLM authentication.

We will have to configure them in a special way to switch to Kerberos.

[Need further assistance? We are here for you!]

How to Enable NTLM Authentication Audit Logging

Before we can completely disable NTLM in our domain and switching to Kerberos, we must ensure that there are no apps left in the domain that require and use NTLM authentication.

To track accounts or apps that are using NTLM authentication, you can enable audit logging policies using GPO.

 

Steps to enable audit logging policies using GPO

1. Go to Configuration -> Windows Settings.

2. Then take Security Settings and select  Local Policie.

3. Take the Security Options section, find and enable the Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy.

4. And set its value to Enable all.

disable NTLM authentication in windows domain

5. In the same way, enable the policy Network Security: Restrict NTLM: Audit Incoming NTLM Traffic and set its value to Enable auditing for domain accounts.

Steps to check events of using NTLM authentication

The events of using NTLM authentication appear in the Application and Services Logs.

1. Go to Services Logs

2. Microsoft -> Windows

3. Take  NTLM section of the Event Viewer.

We can analyze the events on each server or collect them to the central Windows Event Log Collector.

After we find out the users and applications that are using NTLM in the domain we need to switch them to use Kerberos (possibly using SPN).

We need to use the DNS name of the server instead of its IP address for Kerberos authentication.

The apps that cannot use Kerberos can be added to the exceptions. This will allow them to use NTLM authentication, even if it is disabled at the domain level.

Completely Restrict NTLM in Active Directory Domain

The authentication without NTLM will work differently for each application in our domain, we can add user accounts to the “Protected Users” domain group.

Members of this security group can authenticate only using Kerberos.  After verifying this we can completely disable NTLM Authentication in the Windows domain.

We can use the Network Security: Restrict NTLM: NTLM authentication in this domain policy.

The policy has 5 options:

a. Disable: the policy is disabled (NTLM authentication is allowed in the domain)

b. Deny for domain accounts to domain servers: the domain controllers deny NTLM authentication attempts for all servers under the domain accounts, and the “NTLM is blocked” error appears

c. Deny for domain accounts: the domain controllers prevent NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears

d. Deny for domain servers: NTLM authentication requests are forbidden for all servers unless the server name is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy

e. Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.

 

[Looking for assistance to disable NTLM on Windows server? We are here for you!]

 

Conclusion

To conclude, disabling NTLM authentication makes the Windows domain less vulnerable. In this article, we saw the steps taken by our Experienced Support Techs to disable NTLM

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF