To disable NTLM authentication in a Windows domain, we must first make sure that the vulnerable version of the protocol, NTLMv1, is not in use anywhere.
A network will usually contain a number of legacy devices or services that still authenticate with NTLMv1 instead of NTLMv2 or Kerberos.
We must ensure that the LM and NTLMv1 protocols are prohibited for authentication in the domain, because leaving them enabled allows attackers to send specially crafted requests and obtain an LM/NTLM response that they can then abuse.
Set the preferred authentication type using the domain (or local) policy:
1. Open the Group Policy Management Editor (gpmc.msc).
2. Edit the Default Domain Policy.
3. Go to the GPO section Computer Configuration.
4. Select Policies.
5. Open Windows Settings -> Security Settings.
6. Choose Local Policies -> Security Options.
7. Find the policy Network Security: LAN Manager authentication level.
There are 6 options in the policy settings:
a. Send LM & NTLM responses
b. Send LM & NTLM responses – use NTLMv2 session security if negotiated
c. Send NTLM response only
d. Send NTLMv2 response only
e. Send NTLMv2 response only. Refuse LM
f. Send NTLMv2 response only. Refuse LM & NTLM
The options are listed in order of increasing security.
By default, Windows 7 and newer OSes use the option Send NTLMv2 response only.
NTLMv2 can still be used when the Kerberos protocol is not available, for example for some operations in workgroups.
We can change the policy value to the most secure option, option 6: “Send NTLMv2 response only. Refuse LM & NTLM”.
If we configure this setting on the domain controllers, they will reject all LM and NTLMv1 requests.
Steps to disable NTLMv1 through the registry
We can disable NTLMv1 authentication in the Windows domain through the registry by doing the following:
1. Create a DWORD parameter with the name LmCompatibilityLevel.
2. Set its value to a number from 0 to 5 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
(Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM & NTLM”.)
Do not forget to apply this policy to your domain controllers.
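The registry steps above, as an added PowerShell example (not part of the original post). It reads the current LmCompatibilityLevel, maps it to the policy option names listed earlier, and sets level 5 either on the local machine or, with the hypothetical -GpoName parameter, through a GPO using the GroupPolicy module's Set-GPRegistryValue cmdlet. It assumes it is run from an elevated prompt.

```powershell
# Added example, not from the original article: read, set and verify LmCompatibilityLevel.
# Assumptions: elevated session; the GroupPolicy module is only required when -GpoName is used.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM responses - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmCompatibilityLevel {
    # When the value is absent the policy is "not configured"; Windows 7 and newer
    # then behave as level 3 (Send NTLMv2 response only).
    $v = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) { $v = 3 }
    [pscustomobject]@{ Level = [int]$v; Policy = $LmLevelNames[[int]$v] }
}

function Set-LmCompatibilityLevel {
    param(
        [ValidateRange(0, 5)][int]$Level = 5,
        [string]$GpoName   # hypothetical parameter: e.g. 'Default Domain Policy' to push the value domain-wide
    )
    if ($GpoName) {
        Import-Module GroupPolicy
        Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
            -ValueName LmCompatibilityLevel -Type DWord -Value $Level | Out-Null
    } else {
        New-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -PropertyType DWord `
            -Value $Level -Force | Out-Null
    }
    Write-Host "LmCompatibilityLevel set to $Level ($($LmLevelNames[$Level]))"
}

# Usage: show the current level, harden to level 5, and read it back.
Get-LmCompatibilityLevel
Set-LmCompatibilityLevel -Level 5
Get-LmCompatibilityLevel
```

When the value is applied through a GPO, clients pick it up on the next policy refresh (gpupdate /force), so the local read-back is only meaningful on the machine where the script runs.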
The main risk of disabling NTLM is legacy or incorrectly configured applications that still rely on NTLM authentication.
We will have to configure them specially to switch them to Kerberos.
Before we can completely disable NTLM in our domain and switch to Kerberos, we must ensure that there are no apps left in the domain that require and use NTLM authentication.
To track the accounts or apps that are using NTLM authentication, we can enable audit logging policies using a GPO.
Steps to enable audit logging policies using GPO
1. Go to Computer Configuration -> Policies -> Windows Settings.
2. Open Security Settings and select Local Policies.
3. In the Security Options section, find and enable the policy Network Security: Restrict NTLM: Audit NTLM authentication in this domain.
4. Set its value to Enable all.
5. In the same way, enable the policy Network Security: Restrict NTLM: Audit Incoming NTLM Traffic and set its value to Enable auditing for domain accounts.
Steps to check events of NTLM authentication
The events of NTLM authentication appear in the Applications and Services Logs.
1. Open Applications and Services Logs in the Event Viewer.
2. Expand Microsoft -> Windows.
3. Open the NTLM section.
We can analyze the events on each server or forward them to a central Windows Event Collector.
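The audit-policy steps and the event review above, as an added PowerShell example that is not part of the original post. Enable-NtlmAuditPolicy sets the two Restrict NTLM audit policies through a GPO (the GPO name is an example), and Get-NtlmUsageReport summarises the Microsoft-Windows-NTLM/Operational log and the Security log's 4624 logon events, using the LmPackageName field to single out accounts still authenticating with NTLMv1. It assumes the GroupPolicy module is installed and that the script runs with rights to read the event logs of the target server.

```powershell
# Added example, not from the original article: enable NTLM auditing via GPO, then report
# which users and workstations still authenticate with NTLM (and NTLM V1 in particular).
# Assumptions: GroupPolicy module present; the GPO name and -ComputerName are placeholders.

function Enable-NtlmAuditPolicy {
    param([string]$GpoName = 'Default Domain Controllers Policy')   # example GPO name
    Import-Module GroupPolicy
    # "Restrict NTLM: Audit NTLM authentication in this domain" = Enable all
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -ValueName AuditNTLMInDomain -Type DWord -Value 7 | Out-Null
    # "Restrict NTLM: Audit Incoming NTLM Traffic" = Enable auditing for domain accounts
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
        -ValueName AuditReceivingNTLMTraffic -Type DWord -Value 1 | Out-Null
}

function Get-NtlmUsageReport {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # 1) Events written by the Restrict NTLM audit policies into the NTLM/Operational log
    $ntlmLog = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since }
    $byEventId = $ntlmLog | Group-Object Id | Select-Object @{n = 'EventId'; e = { $_.Name } }, Count

    # 2) Security log 4624 logons whose authentication package is NTLM;
    #    LmPackageName tells the protocol version ('NTLM V1' vs 'NTLM V2')
    $logons = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                IpAddress   = $d.IpAddress
                Version     = $d.LmPackageName
            }
        }
    }

    [pscustomobject]@{
        NtlmOperationalByEventId = $byEventId
        NtlmLogonsByUser         = $logons | Group-Object User, Version |
            Sort-Object Count -Descending | Select-Object Name, Count
        NtlmV1Logons             = $logons | Where-Object Version -eq 'NTLM V1'
    }
}

# Usage: enable auditing once, let it collect for a while, then review the report.
# Enable-NtlmAuditPolicy
$report = Get-NtlmUsageReport -Days 7
$report.NtlmLogonsByUser | Format-Table -AutoSize
$report.NtlmV1Logons     | Format-Table -AutoSize
```

Run the report against every domain controller (or against the central event collector) before changing the LAN Manager authentication level, since any account that still appears under NtlmV1Logons will stop authenticating once LM and NTLMv1 are refused.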
After we find out which users and applications are using NTLM in the domain, we need to switch them to Kerberos, which may require registering an SPN for the service.
For Kerberos authentication we must use the DNS name of the server instead of its IP address.
Apps that cannot use Kerberos can be added to the exception list. This allows them to use NTLM authentication even when it is disabled at the domain level.
Completely Restrict NTLM in Active Directory Domain
Because authentication without NTLM behaves differently for each application in our domain, we can first test by adding user accounts to the “Protected Users” domain group.
Members of this security group can authenticate only using Kerberos. After verifying that everything works for them, we can completely disable NTLM authentication in the Windows domain.
For this we use the policy Network Security: Restrict NTLM: NTLM authentication in this domain.
The policy has 5 options:
a. Disable: the policy is disabled (NTLM authentication is allowed in the domain)
b. Deny for domain accounts to domain servers: the domain controllers deny NTLM authentication attempts by domain accounts to all servers in the domain, and the “NTLM is blocked” error appears
c. Deny for domain accounts: the domain controllers deny NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears
d. Deny for domain servers: NTLM authentication requests are denied for all servers unless the server name is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy
e. Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.
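The staged rollout described in this section, as an added PowerShell example that is not part of the original post: a pilot group of users is placed into Protected Users, the servers that still need NTLM are registered as exceptions, and finally the Restrict NTLM policy is set to one of the five options above. The registry values behind the two policies (RestrictNTLMInDomain and DCAllowedNTLMServers under the Netlogon Parameters key) are the documented policy backing values; the GPO name, user names and server names are placeholders. It assumes the ActiveDirectory and GroupPolicy modules are installed.

```powershell
# Added example, not from the original article: pilot Kerberos-only users, register NTLM
# server exceptions, then set "Restrict NTLM: NTLM authentication in this domain" via GPO.
# Assumptions: ActiveDirectory + GroupPolicy modules; GPO, user and server names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$NetlogonKey = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Policy option names (as listed above) mapped to the RestrictNTLMInDomain value
$RestrictNtlmOptions = @{
    'Disable'                                    = 0
    'Deny for domain accounts to domain servers' = 1
    'Deny for domain accounts'                   = 3
    'Deny for domain servers'                    = 5
    'Deny all'                                   = 7
}

function Add-KerberosOnlyPilotUsers {
    # Protected Users members can only authenticate with Kerberos, so they are a safe pilot.
    param([string[]]$SamAccountNames)
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountNames
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
}

function Set-DomainNtlmServerExceptions {
    # Servers listed here may still be reached with NTLM after the domain-wide restriction.
    param([string]$GpoName, [string[]]$ServerNames)
    Set-GPRegistryValue -Name $GpoName -Key $NetlogonKey -ValueName DCAllowedNTLMServers `
        -Type MultiString -Value $ServerNames | Out-Null
}

function Set-RestrictNtlmInDomain {
    param(
        [string]$GpoName,
        [ValidateSet('Disable', 'Deny for domain accounts to domain servers',
                     'Deny for domain accounts', 'Deny for domain servers', 'Deny all')]
        [string]$Option = 'Deny all'
    )
    $value = $RestrictNtlmOptions[$Option]
    Set-GPRegistryValue -Name $GpoName -Key $NetlogonKey -ValueName RestrictNTLMInDomain `
        -Type DWord -Value $value | Out-Null
    Write-Host "Restrict NTLM in domain set to '$Option' ($value) in GPO '$GpoName'"
}

# Usage (placeholder names): pilot first, then exceptions, then the restriction.
Add-KerberosOnlyPilotUsers -SamAccountNames @('pilot.user1', 'pilot.user2')
Set-DomainNtlmServerExceptions -GpoName 'Default Domain Controllers Policy' -ServerNames @('LEGACYAPP01')
Set-RestrictNtlmInDomain -GpoName 'Default Domain Controllers Policy' -Option 'Deny for domain servers'
```

Start with the “Deny for domain servers” option combined with the exception list, and only move to “Deny all” once the audit report no longer shows NTLM logons outside the excepted servers; the policy takes effect on the domain controllers after their next Group Policy refresh.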
Conclusion
To conclude, disabling NTLM authentication makes the Windows domain less vulnerable. In this article, we saw the steps our Support Techs take to disable NTLM.