Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions

The Hacker News by The Hacker News
January 17, 2025


Jan 16, 2025Ravie LakshmananActive Directory / Vulnerability

Cybersecurity researchers have found that the Microsoft Active Directory Group Policy that’s designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration.

“A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications,” Silverfort researcher Dor Segal said in a report shared with The Hacker News.

NTLM is a still widely used mechanism, particularly in Windows environments, for authenticating users across a network. The legacy protocol has been deprecated since mid-2024, although it has not been removed because of backward compatibility requirements.


Late last year, Microsoft officially removed NTLMv1 starting in Windows 11, version 24H2, and Windows Server 2025. While NTLMv2 introduces new mitigations to make it harder to perform relay attacks, the technology has been besieged by several security weaknesses that have been actively exploited by threat actors to access sensitive data.

Attacks exploiting these flaws typically coerce a victim into authenticating to an arbitrary endpoint, or relay the captured authentication to a susceptible target so that actions can be performed on the victim's behalf.

“The Group Policy mechanism is Microsoft’s solution to disable NTLMv1 across the network,” Segal explained. “The LMCompatibilityLevel registry key prevents the Domain Controllers from evaluating NTLMv1 messages and returns a wrong password error (0xC000006A) when authenticating with NTLMv1.”

However, Silverfort’s investigation found that it’s possible to circumvent the Group Policy and still use NTLMv1 authentication by taking advantage of a setting in the Netlogon Remote Protocol (MS-NRPC).

Specifically, the bypass leverages a data structure called NETLOGON_LOGON_IDENTITY_INFO, which contains a field named ParameterControl that, in turn, has a configuration to “Allow NTLMv1 authentication (MS-NLMP) when only NTLMv2 (NTLM) is allowed.”

“This research shows on-prem applications can be configured to enable NTLMv1, negating the Highest Level of the Group Policy LAN Manager authentication level set in Active Directory,” Segal said.


“Meaning, organizations think they are doing the right thing by setting this group policy, but it’s still being bypassed by the misconfigured application.”

To mitigate the risk posed by NTLMv1, it’s essential to enable audit logs for all NTLM authentication in the domain and keep an eye out for vulnerable applications that request clients to use NTLMv1 messages. Organizations are also recommended to keep their systems up to date.

The latest findings follow a report from security researcher Haifei Li about a “zero-day behavior” in PDF artifacts uncovered in the wild that could leak local net-NTLM information when they are opened with Adobe Reader or Foxit PDF Reader under certain conditions. Foxit Software has addressed the issue with version 2024.4 for Windows.

The disclosure also comes as HN Security researcher Alessandro Iandoli detailed how various security features in Windows 11 (prior to version 24H2) could be bypassed to achieve arbitrary code execution at the kernel level.
