
The domain I'm working on currently has NTLM V1 enabled for Domain Controllers. I've done some tests and discovered that only a few application servers require NTLM V1. Unfortunately I have to allow those servers to continue using NTLM V1 for authentication to Domain Controllers.

I would like to restrict all other servers to only using NTLM V2, Kerberos, etc.

I see that Group Policy has some options under "Network security: Restrict NTLM". But these options look like they restrict both NTLM V1 and NTLM V2. There are still many servers that require NTLM V2.

Is there a good way to restrict NTLM V1 to only a few select servers, while allowing NTLM V2 on many others?

Is there a way to apply the deny NTLM V1 option on our Domain Controller's GPO but allow these few servers to use NTLM V1 via WMI Filters?

Prox
  • You would need to move those non-compliant servers to a separate domain with a separate group policy to allow this insecure legacy protocol. – Greg Askew Jul 15 '22 at 14:50

1 Answer


You can disable NTLMv1 through the registry. To do it, create a DWORD parameter with the name LmCompatibilityLevel and the value 0-5 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsa. Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM NTLM”.

Or, if possible, put those servers in an OU, create a policy and link that policy to that OU (best practice): https://techexpert.tips/windows/gpo-disable-ntlm-version-1/

Ace
  • I've kind of done that. Unfortunately, with NTLM V1 still enabled on the Domain Controller, an attacker can run 2 simple commands using the tools Responder and PetitPotam to dump the DC's machine hash. I've tested this out myself. It looks like I'm going to have to push the vendor of these few servers to update their auth protocol. I won't be able to put the servers on a separate domain. – Prox Jul 18 '22 at 14:20
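To see where the thread's registry approach actually leaves each machine before touching a GPO, here is an added audit script (not from the question or answer) that reads LmCompatibilityLevel from HKLM\SYSTEM\CurrentControlSet\Control\Lsa on a list of hosts and flags which ones still send or accept NTLMv1; the host names are placeholders and remote reads assume WinRM is enabled.

```powershell
# Added example (not part of the original thread): audit LmCompatibilityLevel across servers.
# Meanings follow the "Network security: LAN Manager authentication level" policy options.
$Meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-NtlmLevel {
    param([Parameter(Mandatory)][string]$ComputerName)

    $read = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
    $level = if ($ComputerName -in $env:COMPUTERNAME, 'localhost') { & $read }
             else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $read }

    # When the value is absent the OS default applies (3 on Windows 7 / Server 2008 R2 and later).
    if ($null -eq $level) { $level = 3; $source = 'default' } else { $source = 'registry' }

    [pscustomobject]@{
        Computer      = $ComputerName
        Level         = [int]$level
        Source        = $source
        Meaning       = $Meaning[[int]$level]
        # Levels 0-2 still emit LM/NTLMv1 responses when this host authenticates as a client.
        SendsNtlmV1   = ([int]$level -le 2)
        # Only level 5 refuses NTLMv1 for accounts this host validates (domain accounts on a DC,
        # local accounts elsewhere); member servers pass domain logons through to the DC.
        AcceptsNtlmV1 = ([int]$level -lt 5)
    }
}

# Placeholder host names; replace with the DCs and the application servers being audited.
$Servers = 'DC01', 'APP-LEGACY01', 'FILE01'
$Servers | ForEach-Object { Get-NtlmLevel -ComputerName $_ } | Format-Table -AutoSize
```

Any DC that reports AcceptsNtlmV1 = True is the one the thread is really discussing: raising it to level 5 is what rejects NTLMv1 from every client, including the legacy application servers, which is why a per-server exception cannot be carved out on the DC itself.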