Research from Silverfort has revealed a significant gap in the Group Policy mechanism organizations use to disable the outdated NTLMv1 authentication protocol. Despite widespread efforts to block NTLMv1 through Active Directory policy, an application-side setting allows the policy to be bypassed, posing a serious risk to organizations still relying on legacy authentication.
NTLMv1, deprecated by Microsoft and considered highly insecure, remains prevalent: Silverfort found that 64% of Active Directory user accounts still authenticate with NTLM. The Group Policy in question is "Network security: LAN Manager authentication level" (the LmCompatibilityLevel registry value), which at its strictest setting instructs the Domain Controller to refuse LM and NTLMv1 responses. When a member server receives an NTLM logon, it forwards the challenge/response pair to the Domain Controller over the Netlogon remote procedure call (RPC) interface for validation, and that request carries a ParameterControl field. Silverfort showed that a specific flag in ParameterControl causes the Domain Controller to validate an NTLMv1 response even when the policy says it should be refused, so any application that sets the flag and requests NTLMv1 still gets its logon accepted.
Silverfort emphasized, “Organizations think they are doing the right thing by setting this group policy, but it’s still being bypassed by the misconfigured application.”
This oversight has significant implications:
- Credential Theft: Attackers who capture NTLMv1 traffic can crack the challenge/response offline. The NTLMv1 response is DES-based and keyed directly from the NT hash, so an attacker controlling the server challenge can recover the NT hash itself with precomputed tables and then pass the hash without ever learning the password.
- Lateral Movement: Recovered hashes and compromised accounts can be used to escalate privileges and move laterally across the network.
- False Sense of Security: Organizations relying solely on the Group Policy setting to block NTLMv1 may believe the protocol is gone while it is still being validated for them.
Following Silverfort's disclosure in September 2024, Microsoft announced the removal of NTLMv1, beginning with Windows 11 version 24H2 and Windows Server 2025. While Microsoft did not classify the bypass as a vulnerability, the removal underscores its stated direction of retiring NTLM in favor of modern authentication.
Silverfort provides the following recommendations for organizations to mitigate NTLMv1 risks:
- Audit NTLM Usage: Enable NTLM audit logging so every NTLM authentication in the domain is recorded, and review which NTLM version each logon actually used rather than trusting the policy setting.
- Map Applications: Identify and document the applications and hosts relying on NTLMv1, including those that only fall back to it when a stronger method fails.
- Detect Vulnerabilities: Use tooling to pinpoint applications that request NTLMv1 messages, since these are the ones whose logons the Domain Controller will still validate.
- Implement Modern Authentication: Transition to Kerberos or Single Sign-On (SSO) wherever possible, so that NTLMv1 is no longer requested at all.
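The audit and mapping steps above can be carried out from the Windows event log. The script below is an added example written for this page, not code from Silverfort or Microsoft: it reads the current LmCompatibilityLevel for reference, turns on the two "Restrict NTLM: Audit" policies through their registry values, and then pulls Security event 4624 records whose "Package Name (NTLM only)" field reads "NTLM V1", grouping them by workstation and account so each row is a host to chase down. It assumes an elevated PowerShell session on a server that accepts the logons (a Domain Controller for logons to the DC itself, or a file or application server); the 7-day lookback window is an arbitrary choice. Note that event 4776 on the Domain Controller, which records pass-through credential validation, does not carry the NTLM version, so the 4624 events on the receiving server are the decisive evidence.

```powershell
# Added example (not Silverfort's or Microsoft's code): find logons that were
# validated as NTLMv1 regardless of what the LAN Manager authentication level
# policy claims. Run in an elevated PowerShell on each server that accepts logons.

# 1. What the policy says. Level 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
#    As the research above shows, this value alone is not proof that NTLMv1 is gone.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
Write-Output "LmCompatibilityLevel = $level (5 = refuse LM & NTLMv1; still verify with the log below)"

# 2. Turn on NTLM auditing. These are the registry values behind the policies
#    "Restrict NTLM: Audit Incoming NTLM Traffic" (2 = audit all accounts) and
#    "Restrict NTLM: Audit NTLM authentication in this domain" (7 = enable all).
#    They populate Microsoft-Windows-NTLM/Operational (events 8001-8004), which
#    shows who uses NTLM but not which NTLM version, hence step 3.
$msv = Join-Path $lsa 'MSV1_0'
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
Set-ItemProperty -Path $msv -Name AuditNTLMInDomain        -Value 7 -Type DWord

# 3. The decisive check: Security event 4624 records the NTLM version actually
#    used in its LmPackageName field ("NTLM V1" or "NTLM V2"). Any "NTLM V1" row is
#    a logon the Domain Controller validated as NTLMv1, whatever the policy says.
$since = (Get-Date).AddDays(-7)   # assumed lookback window
$v1 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
                LogonType   = $data['LogonType']   # 3 = network, the usual case for app logons
            }
        }
    }

# 4. Map applications: one row per source host/account pair, most frequent first.
#    Each row points at a client or service that is still requesting NTLMv1.
$v1 | Group-Object Workstation, Account | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Workstation\Account'; e = { $_.Name } },
                  @{ n = 'SourceIP';            e = { ($_.Group | Select-Object -First 1).SourceIP } },
                  @{ n = 'LastSeen';            e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Run the script on every server that accepts NTLM logons rather than only on Domain Controllers, and keep the audit values in place after the first pass: the hosts that surface are the ones to fix under the "Detect Vulnerabilities" step, and rerunning the query after each change confirms whether the NTLMv1 requests have actually stopped.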
NTLMv1's weaknesses have long been exploited by attackers for offline credential cracking, relay attacks, and other man-in-the-middle abuse. NTLMv2 introduced significant improvements, notably a keyed HMAC-MD5 response with a client-supplied challenge that defeats the offline cracking described above, but it does not stop relay on its own, and legacy applications and non-Windows clients still open pathways for abuse. Silverfort warns, "Until applications cannot be configured to authenticate with NTLMv1, the problem will persist."