Silverfort’s cybersecurity research team has uncovered a way to bypass the Active Directory Group Policy setting that is supposed to block NTLMv1 (“Network security: LAN Manager authentication level”), so that domain controllers continue to accept NTLMv1 authentication even though the policy ostensibly disables it.
The finding shows that on-premises applications which are configured, or misconfigured, to request NTLMv1 can get those requests validated by the domain controller regardless of the Group Policy setting intended to block the outdated and insecure protocol.
NTLM (New Technology LAN Manager) is an authentication protocol widely used in Windows environments.
Its first version, NTLMv1, is known for severe weaknesses: its DES-based challenge-response can be cracked offline to recover the user’s NT hash (which is then usable for pass-the-hash), and, like NTLM in general, it offers no server authentication and is therefore exposed to relay attacks.
Bypassing Group Policy to Enable NTLMv1
Despite Microsoft’s efforts to phase out NTLMv1, Silverfort’s findings show that the Netlogon Remote Protocol (MS-NRPC), which member servers use to forward an NTLM logon to a domain controller for validation, carries a documented option that overrides the policy.
A flag in the `ParameterControl` field of the `NETLOGON_LOGON_IDENTITY_INFO` structure tells the domain controller to accept an NTLMv1 response even when only NTLMv2 is allowed; a server or application that sets it gets NTLMv1 validated even where Group Policy explicitly disables the protocol.
This issue is particularly concerning because many organizations rely on Group Policy to enforce security measures.
The bypass creates a false sense of security, leaving networks vulnerable to attacks such as lateral movement and privilege escalation.
Alarmingly, Silverfort reports that 64% of Active Directory user accounts still authenticate using NTLM protocols, underscoring the widespread risk.
Organizations using third-party or custom-built on-premises applications are most at risk. Non-Windows devices, such as macOS systems connecting to enterprise applications, are also vulnerable.
For example, if a Mac device connects to a banking application configured to use NTLMv1, an attacker on the network path could capture the NTLMv1 challenge-response and either crack it offline or relay it.
The implications of this vulnerability are severe:
– Credential Theft: Attackers can capture NTLMv1 traffic and crack the challenge-response offline, because the response is built from three DES operations keyed with pieces of the 16-byte NT hash (the third key contains only two hash bytes), which leaves far too little work for a modern cracker.
– Lateral Movement: Once credentials are compromised, attackers can move laterally within the network.
– Privilege Escalation: Stolen credentials may grant unauthorized access to sensitive systems or administrative privileges.
Silverfort demonstrated the bypass with a proof-of-concept (PoC) in which the attacker emulates an application that asks the domain controller to validate NTLMv1, sidestepping the Group Policy restriction.
Although the Microsoft Security Response Center (MSRC) did not classify this issue as a vulnerability, Microsoft has nonetheless moved to retire the protocol.
Starting with Windows 11 version 24H2 and Windows Server 2025, Microsoft has removed NTLMv1 support entirely.
This eliminates the legacy risk on those releases, but older clients, servers and domain controllers that remain in the environment keep the behavior described above.
NTLM has long been criticized for its outdated cryptographic methods and lack of modern security features like multi-factor authentication (MFA) and server identity validation.
Over the years, numerous vulnerabilities have been exploited in NTLM protocols:
– Relay Attacks: Attackers intercept authentication requests and relay them to gain unauthorized access.
– Hash Cracking: NTLMv1’s DES-based response, built from 56-bit keys derived from the NT hash, can be cracked to recover the NT hash itself; NTLMv2 replaced this with an HMAC-MD5 construction keyed by the full hash.
– Exploitation in the Wild: Recent attacks have abused NTLM weaknesses, including coerced authentication, for malware delivery and system compromise.
Despite these risks, legacy systems and compatibility requirements have prolonged NTLM’s use in many organizations.
Mitigation Strategies
To address this issue, organizations should take immediate steps:
1. Enable Audit Logging: Turn on the “Network security: Restrict NTLM” audit policies and monitor all NTLM authentication attempts within the domain, including on domain controllers.
2. Map Applications Using NTLM: Identify every application and device that relies on NTLM authentication and assess how each is configured.
3. Detect Vulnerable Applications: Use the audit data (Security event 4624 records the NTLM version in the “Package Name (NTLM only)” field) to find applications that make clients send NTLMv1 messages.
4. Implement Modern Authentication: Replace NTLM with secure alternatives like Kerberos or SSO protocols wherever possible, and plan the move of domain controllers to releases without NTLMv1.
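The following PowerShell script is an added example of steps 1 to 3, not code from Silverfort or Microsoft. It reads the host’s LM compatibility level, enables NTLM auditing through the registry values behind the “Restrict NTLM” policies, and then lists Security event 4624 logons whose NTLM package was “NTLM V1”, grouped by account and source. The registry paths, log names and event field names are Microsoft’s documented ones; the `$ReportPath` location and the `-MaxEvents` limit are assumptions for this example. Run it elevated on a domain controller.

```powershell
# Added example: inventory NTLMv1 use on a domain controller.
# Assumptions: $ReportPath is an arbitrary output path; the 5000-event cap
# keeps the query bounded and should be raised for a real sweep.
$ReportPath = "$env:TEMP\ntlmv1-report.csv"

# Step 1 (setting check). LmCompatibilityLevel 0-2 lets clients send LM/NTLMv1,
# 3-4 makes clients send NTLMv2, 5 makes a DC refuse LM and NTLMv1 under
# normal conditions. Per the research above, a Netlogon request can still get
# NTLMv1 accepted, so a value of 5 is not proof that NTLMv1 is gone; the
# audit trail below is the ground truth.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$level = if ($null -ne $lsa) { $lsa.LmCompatibilityLevel } else { 'not set (OS default)' }
Write-Host "LmCompatibilityLevel: $level"

# Step 1 (auditing). These are the registry values written by the
# "Network security: Restrict NTLM: Audit ..." Group Policy settings.
# Auditing only logs; nothing is blocked, so it is safe before the inventory.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name AuditNTLMInDomain -Value 7 -Type DWord          # 7 = audit all NTLM in domain
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord  # 2 = audit all incoming NTLM

# Steps 2 and 3 (map and detect). Event 4624 stores the NTLM version in the
# "Package Name (NTLM only)" field, whose EventData name is LmPackageName.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LmPackageName']='NTLM V1']]"
$hits = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 `
            -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData by field name rather than position so the script does
        # not depend on the field order of a particular Windows release.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            LogonType   = $data['LogonType']
            AuthPackage = $data['AuthenticationPackageName']
            NtlmVersion = $data['LmPackageName']
        }
    }

if (-not $hits) {
    Write-Host 'No NTLMv1 logons found in the queried window (keep auditing; the log may be short).'
} else {
    # One line per account/source pair is what the application mapping needs:
    # the workstation or IP points at the server or appliance still asking for NTLMv1.
    $hits | Group-Object Account, Workstation, SourceIP |
        Sort-Object Count -Descending |
        Select-Object Count, @{n='Account,Workstation,SourceIP'; e={ $_.Name }} |
        Format-Table -AutoSize
    $hits | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Full list written to $ReportPath"
}

# The dedicated NTLM operational log (events 8001-8004) records NTLM use
# even for requests the Security log does not show as 4624 on this host.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

The `FilterXPath` query is evaluated by the event log service, so it is far cheaper than pulling every 4624 and filtering in PowerShell; on a busy domain controller, point it at the forwarded-events collector or the SIEM instead of the local Security log. Legitimate Windows clients on NTLMv2 never appear in the “NTLM V1” set, so every entry in the report is either a device that needs reconfiguring or an application of the kind the article describes.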
While Microsoft’s decision to remove NTLMv1 is a step forward, organizations must remain vigilant during this transition period. Comprehensive auditing and proactive mitigation are essential to safeguard networks against potential exploits.