Silverfort has discovered that a misconfiguration can bypass the Active Directory Group Policy designed to disable NTLMv1, allowing NTLMv1 authentications to persist. Microsoft has announced the full removal of NTLMv1 from Windows Server 2025.  Unified identity security company Silverfort has discovered a security vulnerability involving a misconfiguration in Active Directory.  This vulnerability allows NTLMv1 authentication to persist despite attempts to disable it through Group Policy.

NTLMv1 is an outdated authentication protocol with known cryptographic weaknesses, making it a prime target for attackers.  The flaw, discovered by senior security researcher Dor Segal, showed that even organizations that enforce the policy remain exposed to NTLMv1 authentications.[1]

The vulnerability arises from how the Group Policy setting (Network security: LAN Manager authentication level, backed by the LmCompatibilityLevel registry value) is enforced rather than from the setting itself.  While the policy is meant to block NTLMv1, certain on-premises applications can bypass the restriction by explicitly requesting NTLMv1 authentication, and the domain controller will accept it.  This creates a false sense of security for organizations that believe they have effectively disabled NTLMv1.  Attackers who can intercept NTLMv1 traffic can recover user credentials offline, because an NTLMv1 response is a DES function of the user's NT hash and an 8-byte server challenge, and then use the recovered hash to gain unauthorized access to systems.

Attackers can exploit NTLMv1’s weaknesses to move laterally or escalate privileges, exposing organizations to significant risk.   “It is important to note that Windows clients with LMCompatibilityLevel 3 and above will not generate NTLMv1 if requested. However, non-Windows clients are not protected.  If an application requests an NTLMv1 message from a non-Windows client, the Domain Controller may approve the authentication and generate a session key,” researchers noted in a blog post.

Silverfort's research highlights the security weaknesses of NTLMv1, such as its susceptibility to relay and offline cracking attacks, and the limitations of the Group Policy mechanism in completely preventing its use. By understanding the technical details of NTLMv1 and the limits of existing mitigations, organizations can better assess their risk exposure and implement effective security measures.

Although Microsoft has acknowledged the issue and announced plans to remove NTLMv1 support entirely in future versions of Windows, organizations still need to take proactive measures to mitigate the risk.  These measures include enabling audit logging for NTLM authentication, identifying the applications and non-Windows clients that still use NTLMv1, verifying from the logs (rather than from the policy setting alone) that no NTLMv1 authentications are being accepted, and replacing NTLMv1 with modern authentication methods such as Kerberos or SSO.
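The following PowerShell script is an added example, not code from Silverfort or Red Sky Alliance, that carries out the checks described above and in the quoted note about LMCompatibilityLevel: it reads the LAN Manager authentication level on a host, turns on the NTLM audit policies, and hunts the Security log for 4624 logon events whose "Package Name (NTLM only)" field is "NTLM V1". It assumes it is run elevated on a Windows member server or domain controller where logon auditing is enabled; the computer names and the seven-day window are placeholders.

```powershell
# Added example (not the page's or Silverfort's own code).
# Assumes: elevated session on a Windows server with Security-log logon auditing on.

# 1. Read the effective LAN Manager authentication level.
#    0-2 permit the client to send NTLMv1; 3+ send NTLMv2 only;
#    5 also makes a server/DC refuse LM and NTLMv1.
#    If the value is absent, modern Windows defaults to 3.
function Get-LmCompatibilityLevel {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) { $v = 3 }   # OS default when the value is not set
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Level    = $v
        Meaning  = @(
            'Send LM & NTLM responses',
            'Send LM & NTLM, use NTLMv2 session security if negotiated',
            'Send NTLM response only',
            'Send NTLMv2 response only',
            'Send NTLMv2 response only. Refuse LM',
            'Send NTLMv2 response only. Refuse LM & NTLM'
        )[$v]
    }
}

# 2. Enable NTLM auditing. These registry values are what the two GPO settings
#    "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" (all accounts)
#    and "Network security: Restrict NTLM: Audit NTLM authentication in this domain"
#    (all, DC only) write; in production set them through Group Policy instead.
function Enable-NtlmAudit {
    param([switch]$DomainController)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $key -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    if ($DomainController) {
        Set-ItemProperty -Path $key -Name AuditNTLMInDomain -Value 7 -Type DWord
    }
}

# 3. Find NTLMv1 logons. The NTLM version is recorded only in event 4624's
#    LmPackageName field on the server that accepted the logon; the DC's 4776
#    credential-validation event does not carry the version, so run this on
#    every server that accepts NTLM, not only on domain controllers.
function Find-NtlmV1Logons {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # placeholder: any reachable server
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LmPackageName'] -eq 'NTLM V1') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Workstation = $d['WorkstationName']
                    SourceIp    = $d['IpAddress']
                    LogonType   = $d['LogonType']
                }
            }
        }
}

# Usage: report the policy level, then list NTLMv1 logons grouped by source,
# which is the list of clients and applications that still need migrating.
Get-LmCompatibilityLevel
Find-NtlmV1Logons | Group-Object SourceIp, Account |
    Select-Object Count, Name | Sort-Object Count -Descending
```

A non-empty result from Find-NtlmV1Logons on a host whose LmCompatibilityLevel is 5 is exactly the condition the research describes: the policy is set, yet NTLMv1 is still being accepted. Each SourceIp/Account pair is a client or application to track down and move to Kerberos or NTLMv2 before NTLMv1 is removed from the platform.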

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://hackread.com/researchers-ntlmv1-bypass-active-directory-policy/
