Disabling NTLM Authentication through Group Policy

Overview

NT LAN Manager (NTLM) is a legacy authentication protocol that has been part of Windows since the early days of the networked computing era. Despite its age and the introduction of more secure protocols like Kerberos, NTLM remains in use in many environments, primarily for backward compatibility. However, due to its known vulnerabilities, it’s often recommended to disable NTLM when possible.

Understanding NTLM and Its Risks

NTLM, which stands for NT LAN Manager, is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is considered less secure than modern authentication protocols because it is vulnerable to various types of attacks, such as relay and brute-force attacks.

Preparing to Disable NTLM

Before you proceed with disabling NTLM, it’s crucial to ensure that no applications or services within your domain require NTLM for authentication. Disabling NTLM without proper auditing could lead to service disruptions.

Enabling NTLM Audit Logging

To identify NTLM usage in your domain, enable audit logging through Group Policy:

  1. Open the Group Policy Management Console (gpmc.msc) and edit the relevant GPO in the Group Policy Management Editor.
  2. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  3. Locate the policy Network Security: Restrict NTLM: Audit NTLM authentication in this domain and set it to Enable all⁴.

This logs NTLM authentication events, which you can review in Event Viewer under Applications and Services Logs -> Microsoft -> Windows -> NTLM.

Steps to Disable NTLM via Group Policy

Once you’ve confirmed that disabling NTLM won’t disrupt your environment, follow these steps:

  1. Open the Group Policy Management Console (gpmc.msc).
  2. Right-click your domain and select Create a GPO in this domain, and Link it here…
  3. Name the new GPO (e.g., “Disable NTLM Authentication”).
  4. Right-click the new GPO and select Edit.
  5. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  6. Locate the policy Network Security: LAN Manager authentication level.
  7. Set the policy to Send NTLMv2 response only. Refuse LM & NTLM⁷.

Applying the Changes

After configuring the GPO, it’s important to update the group policy on all computers:

  1. Run the gpupdate /force command on each computer or wait for the next group policy refresh cycle.
  2. Restart the computers to ensure that the changes take effect.
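As an added example that is not part of the original post or its cited sources, the following PowerShell script verifies the two registry values behind the audit policy and the LAN Manager authentication level policy configured above, then summarises the NTLM audit events collected during the audit phase so you can see which accounts, workstations and servers still depend on NTLM before the level is raised. It assumes it runs elevated on a domain controller after gpupdate has applied the GPO; the $Days and $MaxEvents parameter names are my own.

```powershell
param(
    [int]$Days = 7,        # hypothetical: how far back to read audit events
    [int]$MaxEvents = 5000
)

# 1. Effective "LAN Manager authentication level" on this host.
#    5 = "Send NTLMv2 response only. Refuse LM & NTLM". Note that level 5
#    still accepts NTLMv2; it refuses only LM and NTLMv1 responses.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 'not set (OS default applies)' }
Write-Host "LmCompatibilityLevel: $level (target: 5)"

# 2. Domain-wide NTLM audit setting behind "Restrict NTLM: Audit NTLM
#    authentication in this domain"; 7 = "Enable all".
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$audit = (Get-ItemProperty -Path $nl -Name AuditNTLMInDomain -ErrorAction SilentlyContinue).AuditNTLMInDomain
Write-Host "AuditNTLMInDomain: $audit (7 = Enable all)"

# 3. Summarise recent NTLM audit events. 8003 is written on domain
#    controllers by the domain audit policy; 8001/8002 come from the
#    outgoing/incoming audit policies on members, if those are enabled too.
$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No NTLM audit events in the last $Days days."
    return
}

# Flatten each event's EventData into "Name=Value" pairs so that the user,
# workstation and target-server fields can be grouped without parsing
# free-text messages.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = (@($xml.Event.EventData.Data) | Where-Object { $_ } |
             ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join '; '
    [pscustomobject]@{ Id = $e.Id; Time = $e.TimeCreated; Data = $data }
}

# The most frequent (event type, field set) combinations are the accounts,
# workstations and servers still depending on NTLM; migrate them before
# raising the authentication level.
$rows | Group-Object Id, Data | Sort-Object Count -Descending |
    Select-Object -First 25 Count, Name | Format-Table -AutoSize -Wrap
```

Run it on each domain controller, since the domain audit events are written locally on the controller that handled the authentication.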

Conclusion

Disabling NTLM and moving to more secure authentication methods is a critical step in hardening the security posture of your Windows domain. By following the steps outlined above, you can audit NTLM usage and disable it without impacting your network’s functionality.

Remember, always perform thorough testing before implementing changes in a production environment to avoid any unintended service disruptions.


I hope this blog post provides a clear guide on disabling NTLM through Group Policy.


(1) How to Disable NTLM Authentication in Windows Domain. https://woshub.com/disable-ntlm-authentication-windows/.
(2) How to Disable NTLM Authentication in Windows Domain – The Windows Club. https://www.thewindowsclub.com/disable-ntlm-authentication-in-windows-domain.
(3) NTLMv2 Group Policy. https://www.youtube.com/watch?v=zkU8LW0uihw.
(4) How To Remove LLMNR and NBT-NS From Your Active Directory Environment. https://www.youtube.com/watch?v=iN0KUj5I7aE.
(5) NTLM: Disable the Basic Authentication. https://www.youtube.com/watch?v=mKq0-Ve49SQ.
(6) Auditing and restricting NTLM authentication using Group Policy. https://4sysops.com/archives/auditing-and-restricting-ntlm-authentication-using-group-policy/.
(7) Block NTLM attacks over SMB in Windows 11: GPEDIT, PowerShell. https://www.thewindowsclub.com/block-ntlm-attacks-over-smb-in-windows.