Cybersecurity researchers have discovered that Microsoft Active Directory Group Policy designed to disable NT LAN Manager (NTLM) v1 can be bypassed simply by misconfiguration.
“A simple misconfiguration in local applications can override Group Policy, effectively nullifying the Group Policy intended to stop NTLMv1 authentication,” Silverfort researcher Dor Segal said in a report shared with The Hacker News.
NTLM is still a widely used mechanism, especially in Windows environments, for authenticating users over a network. The deprecated protocol, although not removed due to backwards compatibility requirements, was out of date as of mid-2024.
At the end of last year Microsoft officially removed NTLMv1, starting with Windows 11, version 24H2, and Windows Server 2025. While NTLMv2 introduces new mitigations that make relay attacks more difficult, the technology was besieged several security flaws that were actively is exploited by threat actors to gain access to confidential data.
When exploiting these flaws, the idea is to force a victim to authenticate to an arbitrary endpoint or pass authentication information against a sensitive target and perform malicious actions on behalf of the victim.
” Group Policy Mechanism is Microsoft’s solution to disabling NTLMv1 on the network,” Segal explained. “The LMCompatibilityLevel registry key prevents domain controllers from evaluating NTLMv1 messages and returns an incorrect password error (0xC000006A) when authenticating with NTLMv1.”
However, Silverfort’s investigation found that it is possible to bypass Group Policy and still use NTLMv1 authentication by taking advantage of a setting in the Netlogon Remote Protocol (MS-NRPC).
Specifically, it uses a data structure is called NETLOGON_LOGON_IDENTITY_INFOwhich contains a field named ParameterControl which in turn has the configuration “Allow NTLMv1 (MS-NLMP) authentication when only NTLMv2 (NTLM) is allowed”.
“This study shows that on-premises applications can be configured to enable NTLMv1 by overriding the highest level of LAN Manager Group Policy authentication set in Active Directory,” Segal said.
“This means that organizations think they are doing the right thing by setting this Group Policy, but a misconfigured application is still bypassing it.”
To mitigate the risk posed by NTLMv1, it is critical to enable audit logs for all NTLM authentication in the domain and monitor for vulnerable applications that request clients to use NTLMv1 messages. It also goes without saying that organizations are advised to keep their systems up to date.
The disclosure comes from HN security researcher Alessandro Iandoli in detail how various security features in Windows 11 (before 24H2) can be bypassed to execute arbitrary code at the kernel level.
