If you think you blocked NTLMv1 in your org, think again

If you think you’ve blocked NTLMv1 in your organization, think again. Silverfort’s research team recently discovered that the Group Policy designed to disable NTLMv1 can be bypassed: an application server can tell the Domain Controller to accept NTLMv1 anyway, allowing insecure authentications to persist in Active Directory environments.

These findings highlight a critical gap: even when organizations believe they have secured their systems, NTLMv1 remains a hidden path to credential theft, lateral movement, and privilege escalation. With over 64% of Active Directory accounts still authenticating with NTLM despite its known weaknesses, NTLMv1 continues to represent a serious risk.

TL;DR 

  • News: Silverfort’s research team discovered a new way for attackers to use NTLMv1 in attacks, despite efforts to disable it. An on-prem application, whether misconfigured or malicious, can bypass the Group Policy designed to stop NTLMv1 authentications. 
  • Why it matters: 64% of Active Directory user accounts regularly authenticate with NTLM, despite its known weaknesses and its deprecation by Microsoft. Many organizations attempted to solve the NTLMv1 problem with an Active Directory Group Policy. However, we discovered that this policy is flawed and allows NTLMv1 authentications to persist, creating a false sense of protection and leaving organizations exposed. Attackers know NTLMv1 is a weak authentication protocol and actively seek it out as a method to move laterally or escalate privileges. 
  • Who’s affected: Any organization that uses third-party or home-grown on-prem applications, and any that does not run Windows exclusively. For example, a Mac that connects to an on-prem banking application can be made to authenticate with NTLMv1 and have its user’s credentials compromised.  
  • Impact to organizations: An attacker on the network can capture the NTLMv1 traffic and crack the users’ credentials offline, opening the door to lateral movement and privilege escalation. Our POC emulates an application bypassing the fencing, validating that this misconfiguration works to an attacker’s advantage.
  • Result of disclosure: While Microsoft Security Response Center (MSRC) indicated the NTLMv1 bypass is not a vulnerability, they took proactive measures to enhance security by announcing the complete removal of NTLMv1 within two months of our disclosure, starting with Windows 11 version 24H2 and Windows Server 2025.

We recently hosted a webinar where I took people through the research in more detail, showing how to mitigate NTLMv1 authentications in the absence of a patch. You can watch this webinar on demand here.

On-demand webinar

Unveiling NTLMv1 Vulnerabilities: Risks and Mitigation Strategies in Active Directory Environments.

Summary & Mitigations

Despite its historical significance, NTLM represents a considerable security liability. Its outdated cryptographic methods, well-documented weaknesses and lack of modern security features (such as MFA and server identity validation) make it an attractive target for attackers. NTLMv1 challenge-responses captured on the wire can be relayed to other services or cracked offline to recover the user’s NT hash, granting attackers unauthorized access to sensitive systems. New NTLM vulnerabilities have been disclosed over the last few months, including a zero-day. More recently, CyberSky discovered an NTLM vulnerability exploited by Russian threat actors as part of an attack chain that delivers the open-source Spark RAT malware.    

Many organizations proactively use Microsoft’s Group Policy mechanism to stop NTLMv1, believing this will protect them from insecure NTLMv1 authentications. However, our research shows that on-prem applications can be configured to enable NTLMv1, negating the “Network security: LAN Manager authentication level” policy even at its strictest setting (“Send NTLMv2 response only. Refuse LM & NTLM”). Organizations think they are doing the right thing by setting this Group Policy, but it is still being bypassed by the misconfigured application. Until applications cannot be configured to authenticate with NTLMv1, the problem will persist.    

At Silverfort, we’ve seen many attempts to authenticate via NTLMv1 across our customer base. We work closely with our customers to map and detect NTLMv1 usage and apply risk-based fencing to reduce the risk of compromise. Without a patch for NTLMv1, businesses that used NTLMv1 in the past should consider the following:  

  1. Enabling audit logs for all NTLM authentications in the domain.
  2. Mapping all applications that use NTLM authentication, either as their first choice or as a fallback.
  3. Detecting vulnerable applications that request NTLMv1 responses from clients.
  4. Fencing all NTLM authentications with a modern control such as MFA or a risk-based access policy.


What is NTLMv1 and why is it a problem?

NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol that dates back to the early 1990s. It was originally designed to verify user identities in Windows networks, and while it has been largely replaced by Kerberos, it remains in many Active Directory environments due to backward compatibility and legacy systems.

NTLM fundamentals

The protocol works through a simple three-message sequence:

  1. Negotiate – The client tells the server it wants to use NTLM and which protocol options it supports.
  2. Challenge – The server responds with an 8-byte random value (the challenge) that the client must transform using a key derived from its password hash.
  3. Authenticate – The client sends back the computed response together with its username and domain. The server validates it against the stored password hash; for domain accounts the server holds no hashes, so it forwards the response to a Domain Controller over Netlogon, and the DC’s verdict decides whether access is granted.

The problem is that NTLMv1, the first version of the protocol, is highly insecure by today’s standards. Its response is three DES encryptions of the 8-byte server challenge under keys cut directly from the NT hash (padded to 21 bytes and split into three 7-byte keys, the last of which contains only two bytes of secret material); there is no client challenge, timestamp or message integrity code, and no MFA protection or server identity validation. Because the server picks the challenge, anyone who captures the exchange, or who induces the client to authenticate to a server that always sends the same challenge, can crack the response offline and recover the NT hash itself. These weaknesses make NTLMv1 authentications a prime target for attackers, who can capture and crack responses, relay live exchanges to other services, and escalate privileges in Active Directory.

Despite being deprecated, NTLMv1 remains in use because many on-prem applications, non-Windows clients, and homegrown systems still depend on it, leaving organizations vulnerable to attack.


What’s the Difference Between NTLMv1 and NTLMv2?

To address NTLMv1’s weaknesses, Microsoft introduced NTLMv2, which made several improvements:

  • Stronger response construction – NTLMv2 replaced the DES-based response with an HMAC-MD5 keyed by a hash derived from the NT hash, the username and the domain, so the response no longer exposes short, independently attackable key fragments.
  • Client challenge – The client contributes its own random challenge and a timestamp to the signed blob, so a server (or an attacker posing as one) cannot pick a known challenge and use precomputed tables.
  • AV_PAIRS – Target information (the server’s NetBIOS and DNS names, a timestamp and, with Extended Protection, the target SPN and a channel-binding hash) is carried inside the signed blob, binding the response to a specific target and reducing the risk of relay attacks.

While NTLMv2 is significantly more secure than NTLMv1, it is still a legacy protocol. It lacks native MFA support and modern identity protections, meaning organizations should ultimately migrate to modern authentication protocols such as Kerberos to achieve stronger protection.
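The two constructions above, side by side, as an added example (this is illustrative code written for this article, not Silverfort’s tooling or code from the page). It shows the NTLMv1 key split that leaves the third DES key with only two secret bytes, and the NTLMv2 response and its server-side verification per MS-NLMP. The NT hash used is the well-known hash of the string “password”, the challenges, account names and AV pair values are constructed for the demo, and DES itself is not run because it is not in Python’s standard library: the point of the v1 half is the key structure, not the ciphertext.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo inputs (not real credentials). The NT hash is
# MD4(UTF-16LE(password)) of "password", supplied as a constant because MD4 is
# often missing from OpenSSL 3 builds of hashlib.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aabbccddeeff0011")


def ntlmv1_des_keys(nt_hash: bytes) -> list:
    """NTLMv1 key schedule (MS-NLMP 3.3.1): pad the 16-byte NT hash to 21 bytes
    and split it into three 7-byte DES keys. Each key DES-encrypts the 8-byte
    server challenge; the three ciphertexts form the 24-byte response. No
    client-side value is mixed in, and the third key holds only two secret
    bytes, so with a known challenge it falls to a 2**16 search and the other
    two keys can be attacked independently (precomputed tables)."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return [padded[0:7], padded[7:14], padded[14:21]]


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 over UPPER(user)+domain keyed with the
    NT hash, so the v2 key is already bound to the account name."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"),
                    hashlib.md5).digest()


def av_pairs(pairs) -> bytes:
    """Encode (AvId, Value) tuples as AV_PAIRs and terminate with MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(val)) + val for av_id, val in pairs)
    return body + struct.pack("<HH", 0, 0)


def ntlmv2_blob(client_challenge: bytes, target_info: bytes, filetime=None) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('temp' in MS-NLMP 3.3.2): RespType, HiRespType,
    6 reserved bytes, FILETIME, client challenge, 4 reserved, AV pairs, 4 reserved."""
    if filetime is None:  # Windows FILETIME: 100 ns ticks since 1601-01-01
        filetime = int((time.time() + 11644473600) * 10_000_000)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || blob, where
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    proof = hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(ntowf: bytes, server_challenge: bytes, nt_response: bytes) -> bool:
    """What the DC does with the stored hash: recompute NTProofStr over the blob
    the client sent and compare in constant time."""
    proof, blob = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    keys = ntlmv1_des_keys(NT_HASH)
    # Constructed target info: NetBIOS domain (2), NetBIOS server (1), SPN (9).
    target_info = av_pairs([(2, "CORP".encode("utf-16le")),
                            (1, "APPSRV01".encode("utf-16le")),
                            (9, "cifs/appsrv01.corp.example".encode("utf-16le"))])
    ntowf = ntowf_v2(NT_HASH, "alice", "CORP")
    blob = ntlmv2_blob(CLIENT_CHALLENGE, target_info)
    resp = ntlmv2_response(ntowf, SERVER_CHALLENGE, blob)
    return {"v1_keys": keys, "v2_response": resp,
            "v2_ok": verify_ntlmv2(ntowf, SERVER_CHALLENGE, resp)}


if __name__ == "__main__":
    out = demo()
    print("NTLMv1 third DES key (2 secret bytes + 5 zero bytes):", out["v1_keys"][2].hex())
    print("NTLMv2 NtChallengeResponse bytes:", len(out["v2_response"]),
          "verified:", out["v2_ok"])
```

The asymmetry is the whole story: in v1 the secret enters three small DES keys with nothing from the client, so one captured exchange under a known challenge yields the NT hash; in v2 the secret enters an HMAC together with the client challenge, a timestamp and the target’s AV pairs, so a captured response is useful only against that server, that challenge and that moment.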

Silverfort research: NTLMv1 bypass in Active Directory

Microsoft’s Group Policy mechanism is designed to disable NTLMv1 authentications. By setting “Network security: LAN Manager authentication level” (the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) to “Send NTLMv2 response only. Refuse LM & NTLM”, administrators expect Domain Controllers to reject NTLMv1 traffic and require NTLMv2 or Kerberos instead. On paper, this should eliminate NTLMv1 from Active Directory environments.

But Silverfort’s research team discovered that this protection isn’t absolute. During our analysis, we identified a flaw that allows applications to bypass the Group Policy and continue sending NTLMv1 authentication requests. This creates a dangerous blind spot: organizations may believe they’ve blocked NTLMv1, while in reality it still persists, leaving Active Directory exposed to credential theft, lateral movement, and privilege escalation.

Technical deep dive: How the NTLMv1 bypass works

NTLM policy is enforced in two places: a client’s LmCompatibilityLevel decides which response types it will send, and the Domain Controller’s setting decides which it will accept. Application servers hold no password hashes, so they forward the client’s NTLM response to a DC for validation over the Netlogon Remote Protocol (MS-NRPC). That validation request carries a NETLOGON_LOGON_IDENTITY_INFO structure, and that structure contains a field called ParameterControl.

Inside this field is a flag that tells the DC to allow NTLMv1 authentication even when Group Policy is configured to refuse it. In other words, the control is only as strong as the applications that honor it: the application server, not the DC, decides whether the flag is set.

To test this, we built a proof-of-concept application that simulated a malicious or misconfigured service. By setting that ParameterControl flag on the validation request, we successfully forced NTLMv1 authentications through. The Domain Controller accepted them, despite its LAN Manager authentication level being configured to refuse NTLMv1.

This means that any application, whether by mistake or by design, can still generate NTLMv1 traffic, leaving organizations exposed to hidden authentication risks. Attackers who identify such applications can exploit them to capture and crack credentials, relay live exchanges, and move laterally through Active Directory.
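Whatever the DC is told through ParameterControl, the client’s NtChallengeResponse travels unchanged from the NTLM AUTHENTICATE_MESSAGE into the Netlogon validation request, and its shape reveals which protocol version the application negotiated. The parser below is an added example for this article (it is not Silverfort’s proof of concept and does not speak Netlogon); it decodes the fixed part of an AUTHENTICATE_MESSAGE per MS-NLMP, classifies the response as NTLMv1 or NTLMv2 by length and blob header, and lists the AV pairs of a v2 response. The two sample messages, account names and workstation names are constructed for the demo.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
AV_ID_NAMES = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}


def _payload_field(msg: bytes, at: int) -> bytes:
    """Read an MS-NLMP field descriptor (Len, MaxLen, BufferOffset) and return
    the bytes it points at in the payload."""
    length, _max_length, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def parse_authenticate(msg: bytes) -> dict:
    """Decode the fixed part of an AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3)."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    return {
        "lm_response": _payload_field(msg, 12),
        "nt_response": _payload_field(msg, 20),
        "domain": _payload_field(msg, 28).decode("utf-16le"),
        "user": _payload_field(msg, 36).decode("utf-16le"),
        "workstation": _payload_field(msg, 44).decode("utf-16le"),
        "negotiate_flags": struct.unpack_from("<I", msg, 60)[0],
    }


def classify_nt_response(nt_response: bytes) -> str:
    """An NTLMv1 response is exactly 24 bytes (three DES blocks). An NTLMv2
    response is a 16-byte NTProofStr followed by a blob whose first two bytes
    are RespType/HiRespType 0x01 0x01."""
    if not nt_response:
        return "anonymous"
    if len(nt_response) == 24:
        return "NTLMv1"
    if len(nt_response) > 44 and nt_response[16:18] == b"\x01\x01":
        return "NTLMv2"
    return "unknown"


def parse_av_pairs(nt_response: bytes) -> dict:
    """AV pairs start 28 bytes into the v2 blob (after RespType, reserved,
    timestamp, client challenge and reserved fields), i.e. at offset 44."""
    pairs, pos = {}, 16 + 28
    while pos + 4 <= len(nt_response):
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        pos += 4
        if av_id == 0:
            break
        pairs[AV_ID_NAMES.get(av_id, f"AvId{av_id}")] = nt_response[pos:pos + av_len]
        pos += av_len
    return pairs


def build_authenticate(user, domain, workstation, lm_response, nt_response, flags=0) -> bytes:
    """Assemble a minimal AUTHENTICATE_MESSAGE (no Version or MIC) for the demo;
    the six descriptors plus flags occupy exactly 64 bytes, payload follows."""
    fields = [lm_response, nt_response, domain.encode("utf-16le"),
              user.encode("utf-16le"), workstation.encode("utf-16le"), b""]
    header = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
    payload = b""
    for field in fields:
        header += struct.pack("<HHI", len(field), len(field), 64 + len(payload))
        payload += field
    return header + struct.pack("<I", flags) + payload


def _av(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value


def _v2_blob(client_challenge: bytes, target_info: bytes, filetime: int = 0) -> bytes:
    return (b"\x01\x01" + bytes(6) + struct.pack("<Q", filetime) + client_challenge
            + bytes(4) + target_info + bytes(4))


def audit(messages) -> list:
    """(user, workstation, kind, av_pair_names) per message. Anything that comes
    back as NTLMv1 is a client the application let authenticate with v1."""
    findings = []
    for raw in messages:
        m = parse_authenticate(raw)
        kind = classify_nt_response(m["nt_response"])
        avs = sorted(parse_av_pairs(m["nt_response"])) if kind == "NTLMv2" else []
        findings.append((m["user"], m["workstation"], kind, avs))
    return findings


# Constructed sample traffic: a non-Windows client answering with a 24-byte
# NTLMv1 response (filler bytes, not a real DES output), and a Windows client
# answering with NTLMv2 whose blob carries target name and channel bindings.
TARGET_INFO = (_av(2, "CORP".encode("utf-16le")) + _av(9, "cifs/app.corp".encode("utf-16le"))
               + _av(10, bytes(16)) + _av(0, b""))
SAMPLE_MESSAGES = [
    build_authenticate("svc_report", "CORP", "MACBOOK-7", bytes(24), bytes(range(24))),
    build_authenticate("alice", "CORP", "WS01", bytes(24),
                       bytes(16) + _v2_blob(bytes(8), TARGET_INFO)),
]

if __name__ == "__main__":
    for user, host, kind, avs in audit(SAMPLE_MESSAGES):
        print(f"{host:<12}{user:<12}{kind:<8}{' '.join(avs)}")
```

Run the classifier over Type 3 messages extracted from a capture (HTTP Authorization headers, SMB session setup, LDAP bind) at the application server’s edge: every “NTLMv1” hit names a client and an application that must be fixed regardless of what the DC policy says, because the DC will accept that response whenever the server sets the flag.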

Microsoft’s response

When we disclosed our findings to Microsoft’s Security Response Center (MSRC), they confirmed the behavior but did not designate it as a security vulnerability. Instead, Microsoft took proactive action by announcing the full removal of NTLMv1. Beginning with Windows 11 version 24H2 and Windows Server 2025, NTLMv1 will no longer be supported at all.

This decisive move underscores the seriousness of the risk. Until then, however, organizations remain exposed if they rely solely on Group Policy to block NTLMv1. They must proactively detect and mitigate NTLMv1 usage to ensure attackers cannot exploit this authentication weakness.


Security risks of NTLMv1 authentication

Despite Microsoft deprecating NTLMv1, it continues to pose a serious risk in modern Active Directory environments. Attackers actively scan networks for NTLMv1 traffic because it provides an easy entry point for:

  • Credential theft – NTLMv1 challenge/response pairs can be captured and cracked offline; because the response is DES of the challenge under keys taken straight from the NT hash, cracking recovers the hash itself, which can then be used in pass-the-hash attacks.
  • Relay attacks – a live NTLMv1 exchange can be forwarded to another service to impersonate the user, and NTLMv1 carries no target binding to stop it.
  • Lateral movement and privilege escalation – once attackers gain a foothold, they can move across systems and elevate their privileges inside AD.

Even when organizations believe they’ve blocked NTLMv1 through Group Policy, the protocol often persists in hidden ways. An application server can still ask for NTLMv1 validation, and Domain Controllers approve it when the Netlogon request tells them to. Windows clients with LmCompatibilityLevel 3 or above won’t generate NTLMv1 responses, but non-Windows clients that follow the server’s lead remain unprotected. In practice, this means many environments still contain NTLMv1 traffic, even if administrators assume it has been eliminated.

This persistence makes it extremely difficult to prove that NTLMv1 is fully removed. As a result, many organizations carry a false sense of security, while attackers continue to exploit these weak authentications to compromise Active Directory.

How to mitigate and eliminate NTLMv1

Until NTLMv1 is fully removed by Microsoft, organizations need to take proactive steps to detect and contain its use. Relying solely on Group Policy is not enough – hidden misconfigurations and non-Windows clients can still generate NTLMv1 traffic.

Here are the key actions every organization should take:

  1. Enable audit logs for all NTLM authentications across the domain to establish full visibility.
  2. Map all applications that use NTLM as their primary method or as a fallback, including on-prem and homegrown systems.
  3. Detect vulnerable applications that still request NTLMv1 messages, especially from non-Windows clients.
  4. Enforce modern protections such as MFA and risk-based access controls on all NTLM authentications to prevent attackers from exploiting weak protocols.
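Steps 1 to 3 above, carried out against the Security log, as an added example (illustrative code for this article, not Silverfort’s product or code from the page). With the “Audit Logon” subcategory enabled, a Domain Controller records each NTLM logon as event 4624 (success) or 4625 (failure) whose “Package Name (NTLM only)” field reads “NTLM V1” or “NTLM V2”; this is the field the script keys on. Events are expected one `<Event>` element per record, as `wevtutil qe Security /f:xml` emits them. The five sample events, hostnames and addresses are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event_data(xml_text: str) -> dict:
    """Flatten one <Event> into {DataName: value, 'EventID': id}."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", EVT_NS)}
    data["EventID"] = root.find("e:System/e:EventID", EVT_NS).text
    return data


def is_ntlmv1_auth(ev: dict) -> bool:
    """4624/4625 with Authentication Package NTLM and Package Name 'NTLM V1'.
    Failures count too: a failed v1 attempt still shows a client and an
    application that negotiated NTLMv1."""
    return (ev["EventID"] in ("4624", "4625")
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LmPackageName") == "NTLM V1")


def find_ntlmv1(events) -> list:
    hits = []
    for xml_text in events:
        ev = _event_data(xml_text)
        if is_ntlmv1_auth(ev):
            hits.append({"event": ev["EventID"], "user": ev["TargetUserName"],
                         "domain": ev["TargetDomainName"], "logon_type": ev["LogonType"],
                         "workstation": ev["WorkstationName"], "ip": ev["IpAddress"]})
    return hits


def sources_by_count(hits) -> Counter:
    """Step 2: group hits by originating host so each source can be mapped to
    the application or client that still speaks NTLMv1."""
    return Counter((h["workstation"], h["ip"]) for h in hits)


def _event_xml(event_id, **data) -> str:
    """Build a constructed Security event in the wevtutil XML shape."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Security</Channel></System><EventData>{fields}</EventData></Event>')


# Constructed sample: one NTLMv2 logon, two NTLMv1 logons from the same Mac,
# one Kerberos logon, and one failed NTLMv1 attempt from an unknown host.
SAMPLE_EVENTS = [
    _event_xml(4624, TargetUserName="alice", TargetDomainName="CORP", LogonType=3,
               AuthenticationPackageName="NTLM", LmPackageName="NTLM V2",
               WorkstationName="WS01", IpAddress="10.0.1.15"),
    _event_xml(4624, TargetUserName="svc_report", TargetDomainName="CORP", LogonType=3,
               AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
               WorkstationName="MACBOOK-7", IpAddress="10.0.2.40"),
    _event_xml(4624, TargetUserName="svc_report", TargetDomainName="CORP", LogonType=3,
               AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
               WorkstationName="MACBOOK-7", IpAddress="10.0.2.40"),
    _event_xml(4624, TargetUserName="bob", TargetDomainName="CORP", LogonType=3,
               AuthenticationPackageName="Kerberos", LmPackageName="-",
               WorkstationName="WS02", IpAddress="10.0.1.16"),
    _event_xml(4625, TargetUserName="eve", TargetDomainName="CORP", LogonType=3,
               AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
               WorkstationName="UNKNOWN-1", IpAddress="10.0.9.9"),
]

if __name__ == "__main__":
    hits = find_ntlmv1(SAMPLE_EVENTS)
    for (host, ip), n in sources_by_count(hits).most_common():
        print(f"{host:<12}{ip:<14}NTLMv1 events: {n}")
```

Two caveats for real use. The 4624 on the DC records the application server’s name in WorkstationName for network logons, so the counter maps applications, not end users; to find the client behind the application, correlate with the same logon on the application server itself. And the DC only logs what it validated, so an application that fails over to a local account, or that is fenced before the DC sees the request, will not appear here; “Network security: Restrict NTLM: Audit NTLM authentication in this domain” adds the NTLM operational log as a second source.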

Silverfort’s Identity Security Platform helps organizations take these steps by detecting NTLMv1 traffic in real time and applying adaptive controls. With Silverfort, security teams can contain risky authentications, protect service accounts, and enforce modern authentication without disrupting business operations.

Want to learn more? Watch our on-demand webinar

If you want to dive into the detail around this research, check out this on-demand webinar, where we walk through the NTLMv1 bypass discovery and show practical ways to mitigate NTLMv1 authentications in the absence of a patch.


Roy Akerman

VP of Identity Security Strategy

Dor Segal

Security Research Team Lead

Yoad Dvir

Senior Product Marketing Manager
