To disable NTLM authentication in a Windows domain, we must first ensure that we are not using the vulnerable version, NTLMv1.
Our network will have a number of legacy devices or services that still use NTLMv1 authentication instead of NTLMv2 or Kerberos.
We must ensure that the NTLM and LM protocols are prohibited from being used for authentication in the domain, because otherwise attackers can send specially crafted requests and obtain an NTLM/LM response.
Set the preferred authentication type using the domain (or local) policy:
1. Open the Group Policy Management Editor (gpmc.msc).
2. Edit the Default Domain Policy.
3. Go to the GPO section Computer Configuration.
4. Select Policies.
5. Then open Security Settings under Windows Settings.
6. Then choose Local Policies -> Security Options.
7. Find the policy Network Security: LAN Manager authentication level.
There are 6 options in the policy settings:
a. Send LM & NTLM responses
b. Send LM & NTLM responses – use NTLMv2 session security if negotiated
c. Send NTLM response only
d. Send NTLMv2 response only
e. Send NTLMv2 response only. Refuse LM
f. Send NTLMv2 response only. Refuse LM & NTLM.
The options are listed in order of increasing security.
By default, Windows 7 and newer OSes use the option Send NTLMv2 response only.
NTLMv2 is still used when the Kerberos protocol is not available, for example for some operations in workgroups.
We can change the policy value to the most secure (sixth) option: “Send NTLMv2 response only. Refuse LM & NTLM”.
If we configure this setting on domain controllers, it will reject all LM and NTLMv1 requests.
Steps to disable NTLMv1 through the registry
We can disable NTLM Authentication in Windows Domain through the registry by doing the following steps:
1. Create a DWORD parameter with the name LmCompatibilityLevel
2. And set the value 0-5 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsa.
(Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM & NTLM”.)
Do not forget to apply this policy to your domain controllers.
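As an added example (not code from the original article), the following PowerShell reads LmCompatibilityLevel from a list of computers, maps it to the six options above, flags hosts that still send or accept LM/NTLMv1 responses, and can raise it to value 5 with -WhatIf support. It assumes WinRM access as an administrator on the targets, and the hostnames in the last line are constructed. The LSA reads this value from HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

```powershell
# Added example, not code from the original article: audit the LAN Manager
# authentication level on a list of computers and raise it to the sixth option (value 5).
# Assumptions: WinRM is enabled on the targets and the caller is a local administrator there.
# LmCompatibilityLevel is read by the LSA from HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# The six policy options in the order the article lists them; value 5 is the strongest.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM responses - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        try {
            $level = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty -Path $using:LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
            }
        } catch { Write-Warning "$c : $($_.Exception.Message)"; continue }
        # When the value is absent, Windows 7 / Server 2008 R2 and later behave as level 3.
        $effective = if ($null -eq $level) { 3 } else { [int]$level }
        [pscustomobject]@{
            ComputerName    = $c
            Configured      = $level
            Effective       = $effective
            Setting         = $LevelNames[$effective]
            SendsLMorNTLMv1 = $effective -lt 3   # as a client it still emits LM/NTLMv1 responses
            AcceptsNTLMv1   = $effective -lt 5   # as a server or DC it still accepts NTLMv1
        }
    }
}

function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [ValidateRange(0, 5)][int]$Level = 5)
    foreach ($c in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($c, "Set LmCompatibilityLevel to $Level")) {
            # A domain GPO that configures this policy overwrites the local value on the next refresh.
            Invoke-Command -ComputerName $c -ScriptBlock {
                Set-ItemProperty -Path $using:LsaKey -Name LmCompatibilityLevel -Value $using:Level -Type DWord
            }
        }
    }
}

Get-LmCompatibilityLevel -ComputerName 'DC01', 'FILESRV01' | Format-Table -AutoSize   # constructed hostnames
```

Run Set-LmCompatibilityLevel with -WhatIf first to see which hosts would be changed; on domain-joined hosts the GPO setting above is the authoritative place to enforce the value.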
The main risk of disabling NTLM is the potential usage of legacy or incorrectly configured applications that can still use NTLM authentication.
We will have to reconfigure them specifically to switch them to Kerberos.
Before we can completely disable NTLM in our domain and switch to Kerberos, we must ensure that there are no apps left in the domain that require and use NTLM authentication.
To track accounts or apps that are using NTLM authentication, you can enable audit logging policies using GPO.
Steps to enable audit logging policies using GPO
1. Go to Computer Configuration -> Windows Settings.
2. Then open Security Settings and select Local Policies.
3. Take the Security Options section, find and enable the Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy.
4. And set its value to Enable all.
5. In the same way, enable the policy Network Security: Restrict NTLM: Audit Incoming NTLM Traffic and set its value to Enable auditing for domain accounts.
Steps to check events of using NTLM authentication
NTLM authentication events appear under Applications and Services Logs in the Event Viewer:
1. Open Applications and Services Logs.
2. Expand Microsoft -> Windows.
3. Open the NTLM section.
We can analyze the events on each server or collect them to the central Windows Event Log Collector.
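As an added example (not code from the original article), this PowerShell queries the NTLM operational log on each listed host over the network (instead of forwarding to a collector) and summarises which accounts, workstations and target servers are still authenticating with NTLM. It assumes the audit policies above are enabled and remote Event Log access is allowed; the event IDs 8001-8004 and the payload field names UserName, DomainName, WorkstationName and SChannelName are assumptions about the event format, and the hostnames in the last line are constructed.

```powershell
# Added example, not code from the original article: pull NTLM audit events from
# the Microsoft-Windows-NTLM/Operational log on one or more hosts and summarise
# which accounts, workstations and targets still authenticate with NTLM.
# Assumptions: the audit policies are enabled, remote Event Log access is allowed,
# and the payload field names used here (UserName, DomainName, WorkstationName, SChannelName)
# match the events; any field an event lacks is left blank rather than failing.
function Get-NtlmAuditSummary {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int[]]$EventId = @(8001, 8002, 8003, 8004)   # assumed NTLM audit event IDs
    )
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $Since; Id = $EventId }
    $events = foreach ($c in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
                # Flatten <EventData><Data Name="...">value</Data>... into a name/value table.
                $d = @{}
                foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                [pscustomobject]@{
                    Source      = $c
                    Time        = $_.TimeCreated
                    Id          = $_.Id
                    Domain      = $d['DomainName']
                    User        = $d['UserName']
                    Workstation = $d['WorkstationName']
                    Target      = $d['SChannelName']
                }
            }
        } catch { Write-Warning "$c : $($_.Exception.Message)" }   # also reports 'No events were found'
    }
    # One row per (domain, user, workstation, target) with the hit count and last sighting:
    # this is the list of accounts and apps to move to Kerberos or to add to the exceptions.
    $events | Group-Object Domain, User, Workstation, Target | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Domain      = $first.Domain
            User        = $first.User
            Workstation = $first.Workstation
            Target      = $first.Target
            Count       = $_.Count
            LastSeen    = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Sort-Object Count -Descending
}

Get-NtlmAuditSummary -ComputerName 'DC01', 'DC02' -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize   # constructed hostnames
```

Re-run the summary after each application is moved to Kerberos; when it comes back empty for a full audit period, the domain is ready for the restriction policy below.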
After we find out which users and applications are using NTLM in the domain, we need to switch them to Kerberos (possibly by registering an SPN).
Kerberos authentication requires the DNS name of the server instead of its IP address.
The apps that cannot use Kerberos can be added to the exceptions. This will allow them to use NTLM authentication, even if it is disabled at the domain level.
Completely Restrict NTLM in Active Directory Domain
Since authentication without NTLM will behave differently for each application in our domain, we can test it by adding user accounts to the “Protected Users” domain group.
Members of this security group can authenticate only using Kerberos. After verifying that everything works, we can completely disable NTLM authentication in the Windows domain.
We can use the Network Security: Restrict NTLM: NTLM authentication in this domain policy.
The policy has 5 options:
a. Disable: the policy is disabled (NTLM authentication is allowed in the domain)
b. Deny for domain accounts to domain servers: the domain controllers deny NTLM authentication attempts by domain accounts to all servers in the domain, and the “NTLM is blocked” error appears
c. Deny for domain accounts: the domain controllers prevent NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears
d. Deny for domain servers: NTLM authentication requests are forbidden for all servers unless the server name is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy
e. Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.