Cybersecurity researchers have identified a significant flaw in the Microsoft Active Directory Group Policy that was designed to disable the deprecated NT LAN Manager (NTLM) v1 authentication protocol. The vulnerability arises from a simple misconfiguration in on-premise applications, which can override the Group Policy settings, making it possible to bypass the protections against NTLMv1. NTLM is widely used in Windows environments for network authentication, despite being deprecated due to several security weaknesses. The legacy protocol, still supported for backward compatibility, remains a target for threat actors, leading to its eventual removal from Windows 11 (version 24H2) and Windows Server 2025 in late 2024.
The flaw was discovered by Silverfort researchers who found that certain configurations within the Netlogon Remote Protocol (MS-NRPC) allow the use of NTLMv1 even when NTLMv2 is the required protocol. Specifically, a setting within the NETLOGON_LOGON_IDENTITY_INFO structure contains a parameter that enables NTLMv1 authentication. This misconfiguration effectively bypasses the protections set in the Group Policy mechanism, undermining the security measures that organizations believe they have put in place to mitigate NTLMv1 usage across their networks. As a result, attackers could still exploit the vulnerabilities associated with NTLMv1, such as relay attacks that can compromise sensitive data.
Silverfort’s findings highlight that organizations may be unknowingly vulnerable to these attacks, even if they have configured Active Directory to prevent NTLMv1 authentication. This issue underscores the importance of ensuring that all applications are correctly configured to adhere to the security settings imposed by the Group Policy. In the case of a misconfigured application, the Group Policy settings may appear effective, but the misconfiguration allows NTLMv1 to function, leaving the network susceptible to exploitation. Organizations must be aware of the potential for this bypass and take proactive measures to ensure proper configuration across all on-premise applications.
To mitigate the risks associated with this flaw, researchers recommend that organizations enable auditing for NTLM authentication events within their domains to detect any usage of NTLMv1. Additionally, they should monitor and address any vulnerable applications that continue to request NTLMv1 authentication. Keeping systems up to date with security patches is crucial, as vulnerabilities like these can be exploited if left unaddressed. This discovery also follows other reports regarding vulnerabilities in security features, such as a PDF zero-day leak of local net-NTLM information and kernel-level security bypasses in earlier versions of Windows 11. The combined findings emphasize the ongoing need for vigilance and thorough security practices.