Recent findings by cybersecurity experts have unveiled a considerable vulnerability in the Microsoft Active Directory Group Policy designed to disable the authentication method NT LAN Manager (NTLM) version 1. Researchers indicate that a misconfiguration within on-premises applications is capable of easily bypassing this Group Policy measure.
According to Dor Segal, a researcher at Silverfort, this misconfiguration negates the intended restrictions meant to prevent NTLMv1 authentications. In a report presented to The Hacker News, Segal emphasized that a seemingly innocuous setting could permit the use of NTLMv1, undermining organizations’ efforts to enhance security through Group Policy configurations.
NTLM remains a prevalent authentication mechanism in many Windows environments, retained for legacy compatibility despite being formally deprecated as of mid-2024. Microsoft went a step further by removing NTLMv1 in Windows 11 version 24H2 and in Windows Server 2025. The newer NTLMv2 offers some mitigations against relay attacks, yet it has weaknesses of its own that adversaries have been eager to exploit.
By exploiting these weaknesses, attackers can trick victims into authenticating against compromised endpoints and then use the captured authentication data to carry out harmful actions. The attack depends on the adversary's ability to induce the victim's authentication through deception.
Segal explained that Microsoft implemented the Group Policy as the remedy for NTLMv1 across a network: it sets the LMCompatibilityLevel registry key so that domain controllers reject NTLMv1 authentication attempts. With that key in place, an NTLMv1 attempt is answered with a wrong-password error, so domain controllers do not accept the outdated protocol.
However, Silverfort’s investigation determined that NTLMv1 authentication could still be utilized despite the Group Policy restrictions by exploiting specific configurations within the Netlogon Remote Protocol (MS-NRPC). More precisely, the research focused on a data structure known as NETLOGON_LOGON_IDENTITY_INFO. This structure features a ParameterControl field that can inadvertently permit NTLMv1 authentication even when NTLMv2 is mandated.
This discovery illustrates a significant gap where organizations are mistakenly relying on Group Policy settings to enhance security, only to find their measures circumvented through application misconfigurations. As Segal concluded, it is vital for organizations to bolster their vigilance by monitoring NTLM authentication attempts and identifying applications prone to requesting NTLMv1, while continually updating their systems to mitigate potential security risks.
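As an added example (not code from the Silverfort report or this article), the following Python script illustrates the monitoring Segal recommends: it parses the message text of Windows Security event 4624 logon records, whose "Package Name (NTLM only)" field names the NTLM version the client negotiated, and tallies NTLMv1 (and the even weaker LM) logons by workstation, source address and account so the hosts and service accounts still using NTLMv1 can be tracked down. The event bodies are constructed samples; the field names are those Windows writes, while the tab layout and the sample values are assumptions.

```python
from collections import Counter


def _event(account, host, addr, package):
    # Builds a constructed 4624-style message body (tab-indented like the real event text).
    return (
        "An account was successfully logged on.\n"
        "Logon Type:\t\t3\n"
        "New Logon:\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tCORP\n"
        "Network Information:\n"
        f"\tWorkstation Name:\t{host}\n"
        f"\tSource Network Address:\t{addr}\n"
        "Detailed Authentication Information:\n"
        "\tLogon Process:\t\tNtLmSsp\n"
        "\tAuthentication Package:\tNTLM\n"
        f"\tPackage Name (NTLM only):\t{package}\n"
    )


# Constructed sample events: two NTLMv1 logons from one app server, one NTLMv2 logon.
SAMPLE_EVENTS = [
    _event("svc_backup", "APP01", "10.0.0.25", "NTLM V1"),
    _event("jdoe", "WS07", "10.0.0.40", "NTLM V2"),
    _event("svc_backup", "APP01", "10.0.0.25", "NTLM V1"),
]


def parse_event(text):
    """Turn 'Key:<tabs>Value' lines into a dict; later duplicates win, so in a full
    4624 body the New Logon section's Account Name overrides the Subject section's."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            if value.strip():
                fields[key.strip()] = value.strip()
    return fields


def is_ntlmv1_logon(fields):
    # NTLM V1 and LM responses are the ones the LMCompatibilityLevel policy should have stopped.
    return (fields.get("Authentication Package") == "NTLM"
            and fields.get("Package Name (NTLM only)", "").upper() in ("NTLM V1", "LM"))


def ntlmv1_sources(event_texts):
    """Count NTLMv1/LM logons per (workstation, source address, account)."""
    counts = Counter()
    for text in event_texts:
        f = parse_event(text)
        if is_ntlmv1_logon(f):
            key = (f.get("Workstation Name", "-"), f.get("Source Network Address", "-"),
                   f.get("Account Name", "-"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (host, addr, account), n in ntlmv1_sources(SAMPLE_EVENTS).items():
        print(f"NTLMv1 logons: {n}  host={host} addr={addr} account={account}")
```

On a real system the same parser can be fed the message bodies exported from the Security log of each domain controller; the tally then doubles as an inventory of the applications that need attention before NTLMv1 is cut off.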
Further insights into cybersecurity vulnerabilities have emerged from Haifei Li, a security researcher who reported on a ‘zero-day behavior’ found in PDF artifacts, which can inadvertently leak local net-NTLM information when opened with certain PDF readers. This issue has since been addressed by Foxit Software in their latest updates.
The urgency of these findings is underscored by broader implications for security practices, especially as noted by researcher Alessandro Iandoli, who detailed various vulnerabilities in Windows 11 that may be exploited to achieve unauthorized code execution at the kernel level.