Auditing and restricting NTLM authentication using Group Policy

NTLM is an insecure authentication protocol that is still found in many environments. Using Group Policy and effective logging, admins can audit the environment and restrict the use of NTLM across the domain.



Brandon Lee has been in the IT industry for 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation, primarily at Virtualizationhowto.com.


Attackers commonly try to compromise critical networks with authentication-related attacks. These include password attacks, phishing, and others, but attackers can also exploit weak authentication protocols to compromise environments. The NTLMv1 and NTLMv2 authentication protocols have been used in production environments for decades, and over that time serious security weaknesses have been found in them that businesses need to consider.

Security considerations of NTLMv1 and NTLMv2


The problem with NTLM is that, while it requires a password, it uses very dated cryptography to create the hash. In addition, NTLM is a single sign-on (SSO) protocol that relies on a challenge–response mechanism. When combined with weak passwords, NTLM becomes a vulnerable target for attack.


Despite known vulnerabilities and Microsoft replacing NTLM with Kerberos authentication as part of Active Directory Domain Services (AD DS), NTLM is still widely deployed in many environments for compatibility reasons.


One challenge for many IT admins is understanding which apps, servers, and clients may still be using NTLM authentication.

NTLM auditing using Group Policy


Microsoft has introduced a group po ..
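Whatever the Group Policy audit settings are, the Windows Security log already records which authentication package each successful logon used, and that is the quickest way to answer the question above about which accounts and hosts still rely on NTLM. The following PowerShell function is an added example, not code from the original post or from Microsoft; the function name is mine, and it assumes "Audit Logon" success auditing is enabled and that the caller can read the Security log (a local administrator or a member of Event Log Readers).

```powershell
# Added example, not code from the original post. Summarizes NTLM logons recorded
# in the Windows Security log (Event ID 4624) so an admin can see which accounts,
# workstations and NTLM versions are still in use before restricting NTLM.
# Assumes "Audit Logon" success auditing is enabled and the caller can read the
# Security log (local administrator / Event Log Readers).

function Get-NtlmLogonSummary {
    [CmdletBinding()]
    param(
        # Look back this far; default is the last 7 days.
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Query a remote host (for example a domain controller) or the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            # Only keep logons that used the NTLM authentication package.
            if ($data['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    Workstation = $data['WorkstationName']
                    SourceIp    = $data['IpAddress']
                    LogonType   = $data['LogonType']
                    LmPackage   = $data['LmPackageName']   # 'NTLM V1' or 'NTLM V2'
                }
            }
        } |
        Group-Object -Property LmPackage, Workstation, Account |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count,
            @{ Name = 'LmPackage';   Expression = { $_.Group[0].LmPackage } },
            @{ Name = 'Workstation'; Expression = { $_.Group[0].Workstation } },
            @{ Name = 'Account';     Expression = { $_.Group[0].Account } },
            @{ Name = 'LastSeen';    Expression = { ($_.Group | Measure-Object -Property Time -Maximum).Maximum } }
}

# Usage: run against a domain controller to see who still authenticates with NTLM.
# Get-NtlmLogonSummary -ComputerName DC01 -Since (Get-Date).AddDays(-30) | Format-Table -AutoSize
```

Rows reporting NTLM V1 are the ones to chase first: those clients or applications need fixing before NTLM is restricted, since NTLMv1 is the weaker of the two versions. Run the query against domain controllers rather than individual member servers so that domain-account logons across the estate are covered in one pass.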
