NTLMV1
Background
are especially relevant to Active Directory environments. One of the most common attack scenarios is NTLM Relay, in which the attacker compromises one machine and then spreads laterally to other machines by relaying the NTLM authentication that clients direct at the compromised server. The best way to cope with NTLM vulnerabilities is not to use NTLM at all; where NTLM cannot be avoided, NTLMv2 is more secure than NTLMv1.
. But as good as that article is, it isn't comprehensive. Referencing () will help you understand how NTLM logons work across a trust. Note that this is why you won't find any NTLMv1 logons on any domain controllers. You will find most NTLMv1 logon events on the member servers that allow NTLMv1; those member servers are the key, and you should target them as the point of leverage to identify which clients are using NTLMv1.
Disabling NTLMV1
Go to the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level. You can also disable NTLMv1 through the registry.
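The following script, added here as an example and not part of the original page, shows the registry side of that policy on a single host: it reads the current LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, reports what the level means, and can raise it (never lower it) to the target level. It also optionally sets the NtlmMinClientSec/NtlmMinServerSec values under Lsa\MSV1_0, which is the "minimum session security" setting referred to in solution S below. The function names and the 0x20080000 value choice are this example's own; Group Policy remains the preferred way to roll the setting out fleet-wide, and a GPO-managed value will overwrite a manual change at the next policy refresh.

```powershell
# Added example (not from the original page): audit and optionally raise
# LmCompatibilityLevel on one host. Run from an elevated PowerShell prompt.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Meaning of each level, as shown in the policy
# "Network security: LAN Manager authentication level".
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured level, or $null when the value is absent
    # (the OS default then applies, and it differs between Windows versions).
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Set-LmCompatibilityLevel {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level,
        # Also require NTLMv2 session security and 128-bit encryption for NTLM
        # sessions. 0x20080000 = NTLMv2 session security (0x80000)
        #                       | 128-bit encryption (0x20000000).
        [switch]$RequireNtlmV2SessionSecurity
    )
    $current = Get-LmCompatibilityLevel
    if ($null -ne $current -and $current -ge $Level) {
        Write-Host "LmCompatibilityLevel is already $current ($($LevelNames[$current])); not lowering it."
    } else {
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
        Write-Host "LmCompatibilityLevel set to $Level ($($LevelNames[$Level]))."
    }
    if ($RequireNtlmV2SessionSecurity) {
        foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
            Set-ItemProperty -Path $Msv1Key -Name $name -Value 0x20080000 -Type DWord
        }
        Write-Host 'NtlmMinClientSec and NtlmMinServerSec set to 0x20080000.'
    }
}

# Report the current state of this host.
$level = Get-LmCompatibilityLevel
if ($null -eq $level) {
    Write-Host 'LmCompatibilityLevel is not set; the OS default applies.'
} else {
    Write-Host "LmCompatibilityLevel = $level ($($LevelNames[$level]))"
    if ($level -lt 3) { Write-Warning 'This host will still send LM/NTLMv1 responses.' }
}

# Level 3 is the minimum this page describes as compatible with the DCs;
# level 5 is the desired end state once the known problems are resolved.
# Uncomment to apply:
# Set-LmCompatibilityLevel -Level 5 -RequireNtlmV2SessionSecurity
```

Raising the level on a server before its clients are fixed is exactly what produces the Known Problems listed next, so run the audit part first and apply the change only after the NTLMv1 clients found on that server have been dealt with.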
Known Problems
ID | Problem Description | Solution? |
---|---|---|
1 | Client LMCompatibilityLevel configuration wasn't compatible (e.g. XP default) | C |
2 | Member server has a LMCompatibilityLevel configuration that isn't compatible. There are two scenarios here: | J -> C |
3 | Domain controller from a trusting domain has a LMCompatibilityLevel configuration that isn't compatible (where the trusting DC is acting in the role of a client) | J -> C |
4 | Mac browser incompatibilities on old versions (Mac OS client + Safari) | A or M or P |
5 | Chrome (on Windows client) browser configuration needed | B or M |
6 | Firefox browser (on Windows client) with Windows Integrated webserver (in general, not specific to NTLMv1) | G or M |
7 | Firefox browser (on non-Windows client) | M or N or O or P or Q |
8 | Chrome browser (on non-Windows client) | M or N or O or P or Q |
9 | IIS webserver with Windows Integrated enabled (specifically, with "Negotiate,NTLM" enabled) | L or M or P or Q |
10 | POP or IMAP based email clients & Exchange that have "Simple Authentication and Security Layer" enabled | E |
11 | MacOS/Linux computers mounting an SMB share | H |
12 | IAS server & MS-CHAPv2 (which uses NTLMv1 by default) | F |
13 | Routing and Remote Access Service & MS-CHAPv2 (which uses NTLMv1 by default) | D |
14 | Any client trying to perform NTLMv2 authentication to a Vista or Windows Server 2008 based service receives the error "STATUS_INVALID_PARAM" | I |
15 | Copiers using Windows Integrated authentication (details lacking) | K |
Workarounds and Solutions
ID | Solution | Problem ID |
---|---|---|
A | If you are using an old Mac device and can't upgrade, the MacOS Safari browser relies on an obscure . For step-by-step instructions: | 4 |
B | Internet Explorer (soon to be deprecated) and Chrome (on Windows) rely on the Intranet zone configuration (see Control Panel: Internet Options) to determine what type of authN it uses. | 5 |
C | Change the LMCompatibilityLevel value. Level 5 corresponds to "Send NTLMv2 response only. Refuse LM & NTLM." and is the most desired state. Level 3 ("Send NTLMv2 response only") is the minimum needed to continue to interact with the NETID DCs. How you go about setting the LMCompatibilityLevel depends on the existing configuration of the computer. Alternatively, to use the local security policy approach: c) Or alternatively, you can manually use the registry: | 1, 2, 3 |
D | | 13 |
E | Turn off "Simple Authentication and Security Layer" in the POP/IMAP based mail client. | 10 |
F | if running the OS noted and/or set the registry value noted. This is a NOTE: Upgrade the MacOS VPN client. This means that even if you apply the above workaround, | 12 |
G | For Firefox browsers (on Windows clients): enter "about:config" and locate: Note: this setting is the successor to the deprecated | 6 |
H | Edit /etc/samba/smb.conf on the client and add the following to the `[global]` section: `client ntlmv2 auth = yes`. If you are mounting a share, you'll also need to modify the mount command (run via sudo) to explicitly specify the security level. | 11 |
I | | 14 |
J | Use this PowerShell script: to determine if your domain controllers or member servers are using NTLMv1, then apply solution C if needed. That PowerShell script assumes Windows Server 2008 or newer. If your DCs or member servers are Windows Server 2003 R2 or earlier, the only way to identify NTLMv1 use is via | 2, 3 |
K | There are some copiers whose default configuration doesn't permit NTLMv2. In some cases these copiers need configuration; in others, they need a firmware upgrade to support NTLMv2. For the Ricoh MP 6001, the firmware NIB needs to be at least 8.72. The Ricoh version can be seen on the | 15 |
L | According to two sources, IIS doesn't actually negotiate the highest authentication protocol possible when used in combination with some combinations of Windows OS and browser, but instead negotiates the worst. We've been unable to verify these claims due to the lack of detail in the claims. Those sources suggest one of two solutions. Solution #1: This is caused by problem #1/4/5/6, so apply solutions C/A/B/G as appropriate to all clients. Solution #2: Reconfigure IIS to "Negotiate" instead of "Negotiate,NTLM". Solution #3: describes a scenario (scenario B as labeled in that article) | 9 |
M | Get Kerberos authentication working. If authentication is cross-domain, then you will need a forest trust (only 8 trusts of all trusts with NETID are not forest trusts). Kerberos authentication requires a valid SPN at each of the stops in the authentication chain (the client, the member server and the DC). In most cases, the SPN must resolve to the host it is for; the SPN can't involve a DNS record that doesn't exist or resolves somewhere else. Kerberos authentication is time-sensitive, that is to say that all of the stops in the authentication chain need to be within 5 minutes of each other. If a web browser is used, there is sometimes special configuration required to get Kerberos working with it. For example, IE requires that the URL is listed in the intranet zone. Workaround G is another example of this. To get Kerberos working on a Linux computer, you might find useful. | 7, 8 |
N | Choose a browser that can do NTLMv2. To our knowledge, Safari on MacOS is the only non-Windows browser combination that supports NTLMv2. See workaround A. . On a Windows client, it relies on the Windows libraries to do NTLMv2. . On a Windows client, it relies on the Windows libraries to do NTLMv2. Opera has never supported any NTLM protocol. | 7, 8 |
O | There is an open-source "personal" NTLM proxy that includes NTLMv2 support for web authN that might be used as a workaround. See . If someone tries this out, we'd like to know so we know whether it's a working workaround or just a theoretical one. | 7, 8 |
P | If you have an IIS web server configured to do Windows Integrated authentication with non-Windows clients (see problems #7 & 8), an option is to remove Windows Integrated authentication and enable Basic Authentication. If you do, make sure you require HTTPS, so passwords in transit have a secure channel. An alternative would be to remove Windows Integrated and explore ADFS or Shibboleth authentication integration. For more reading material on IIS authentication, see: | 4, 7, 8, 9 |
Q | If you have a web server (IIS or otherwise) configured to do Windows Integrated with non-Windows clients (see problems #7 & 8), your best bet may be to provide a 2nd website (with an alternate FQDN) on the same web server pointing to the same content. This 2nd website would provide Forms or Basic Authentication. You'd then tell customers with a browser that is incapable of doing Windows Integrated that the workaround | 4, 7, 8, 9 |
R | Null session behavior from win7/ws08r2 and beyond may be relevant: | |
S | Minimum session security setting may be important: | |
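Solution J refers to a PowerShell script (not reproduced on this page) for finding NTLMv1 use on domain controllers and member servers. The script below is an added example written for this page, not the script the page links to, and shows the mechanism such a script relies on: Security event 4624 on Windows Server 2008 / Vista and later carries a "Package Name (NTLM only)" field, stored in the event XML as `<Data Name="LmPackageName">`, whose value is `NTLM V1`, `NTLM V2`, `LM` or `-`. Because a member server validates NTLM credentials through the DC via pass-through authentication, the 4624 event (and therefore the NTLM version) is recorded on the member server, which is why the Background section says to start from the member servers. The function names are this example's own, and the two sample events are constructed for offline demonstration; the commented-out Get-WinEvent call is the live form.

```powershell
# Added example (not the page's own script): list NTLMv1 logons recorded in the
# Security log of a member server or DC, grouped by source workstation and user.
# Requires rights to read the Security log (run elevated on the server).

function ConvertFrom-LogonEvent {
    # Flatten one 4624 event (an EventLogRecord or its XML string) into the
    # fields needed to track the NTLM version used.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml = if ($Event -is [string]) { [xml]$Event } else { [xml]$Event.ToXml() }
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $xml.Event.System.TimeCreated.SystemTime
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Workstation = $data.WorkstationName
            SourceIp    = $data.IpAddress
            LogonType   = $data.LogonType
            AuthPackage = $data.AuthenticationPackageName   # 'NTLM', 'Kerberos', 'Negotiate'
            NtlmVersion = $data.LmPackageName               # 'NTLM V1', 'NTLM V2', 'LM' or '-'
        }
    }
}

function Get-NtlmV1Logon {
    # Keep only NTLMv1 logons and group them so the clients that still need
    # fixing (solution C) stand out, with a count and the last time seen.
    param([Parameter(Mandatory)]$Logons)
    $Logons |
        Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.NtlmVersion -eq 'NTLM V1' } |
        Group-Object Workstation, SourceIp, User |
        ForEach-Object {
            [pscustomobject]@{
                Workstation = $_.Group[0].Workstation
                SourceIp    = $_.Group[0].SourceIp
                User        = $_.Group[0].User
                Count       = $_.Count
                LastSeen    = ($_.Group.Time | Sort-Object)[-1]
            }
        }
}

# --- Offline demonstration on constructed sample events (not real log data) ---
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-10T08:01:02.000Z"/></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">OLDXP01</Data><Data Name="LmPackageName">NTLM V1</Data><Data Name="IpAddress">10.0.0.25</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-10T08:03:15.000Z"/></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">WIN10-05</Data><Data Name="LmPackageName">NTLM V2</Data><Data Name="IpAddress">10.0.0.40</Data></EventData></Event>
'@
)
$parsed = $sampleEvents | ConvertFrom-LogonEvent
# Only the OLDXP01 / EXAMPLE\alice logon is reported; the NTLM V2 logon is filtered out.
Get-NtlmV1Logon -Logons $parsed | Format-Table -AutoSize

# --- Live use on a member server or DC (uncomment) ---
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } |
#         ConvertFrom-LogonEvent
# Get-NtlmV1Logon -Logons $live | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it on each member server that still permits NTLMv1 before raising that server's LmCompatibilityLevel; an empty result over a representative period is the evidence that the server can move to level 5 without breaking a client listed in Known Problems.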