Full Report
Cybersecurity researchers have found that the Microsoft Active Directory Group Policy that's designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration. "A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications," Silverfort researcher Dor Segal said in a
Analysis Summary
# Vulnerability: Active Directory Group Policy Bypass Allowing NTLMv1 Overrides
## CVE Details
- CVE ID: Not explicitly assigned in the provided text (this appears to be a configuration/logic bypass rather than, as yet, a traditional patchable software flaw).
- CVSS Score: N/A (Severity is high due to the bypass of security control)
- CWE: CWE-287 (Improper Authentication) or potentially CWE-682 (Incorrect Logic) related to policy enforcement.
## Affected Systems
- Products: Microsoft Active Directory Group Policy, applications relying on Netlogon Remote Protocol (MS-NRPC).
- Versions: Domain Controllers and client machines where Group Policy is set to disable NTLMv1, but supporting vulnerable on-premise applications exist.
- Configurations: Any on-premise application configured to manipulate the `NETLOGON_LOGON_IDENTITY_INFO` structure, specifically the `ParameterControl` field, to explicitly allow NTLMv1 authentication even when domain policy restricts it.
## Vulnerability Description
A security control implemented via Active Directory Group Policy (which configures the `LMCompatibilityLevel` registry key) is intended to disable NTLMv1 authentication across the domain. However, this policy can be trivially bypassed. Certain on-premise applications, when initiating authentication via the Netlogon Remote Protocol (MS-NRPC), utilize the `NETLOGON_LOGON_IDENTITY_INFO` data structure. A setting within the `ParameterControl` field of this structure can be configured to explicitly override the domain-wide policy and force the acceptance of NTLMv1 authentication messages, even if the domain controller is configured to reject them.
## Exploitation
- Status: Research finding; a proof of concept (PoC) exists, and the bypass is trivial to configure.
- Complexity: Low (Requires misconfiguration of the application, not complex zero-day exploitation).
- Attack Vector: Network
## Impact
- Confidentiality: High (Allows NTLMv1 authentication, which is susceptible to common relay and cracking attacks).
- Integrity: High (Allows authentication via weaker protocol).
- Availability: Low (Primary impact is security/disclosure, not system downtime).
## Remediation
### Patches
- No specific vendor patches were detailed for this logic bypass, as the issue lies in application configuration overriding policy. The true fix requires reconfiguring the affected applications.
### Workarounds
1. **Audit NTLM Authentication:** Enable audit logs for all NTLM authentication events across the domain to identify instances where NTLMv1 is still being successfully used.
2. **Identify Vulnerable Applications:** Investigate and identify on-premise applications that are known or suspected to directly interact with MS-NRPC or have custom authentication configurations that might be circumventing the group policy.
3. **Application Configuration Hardening:** Review and reconfigure the identified vulnerable applications to ensure they respect the domain's security settings and do not attempt to enable NTLMv1 via the `NETLOGON_LOGON_IDENTITY_INFO` structure.
4. **General OS Updates:** Keep systems up to date, as Microsoft is deprecating NTLMv1 (it has been removed in Windows 11 24H2 and Windows Server 2025).
## Detection
- **Indicators of Compromise:** Successful authentication attempts using NTLMv1 protocol versions against Domain Controllers in environments where NTLMv1 should be disabled.
- **Detection Methods and Tools:** Use Windows Security event logging to track NTLM authentication successes and failures together with the NTLM version each one used, so that NTLMv1 logons which should have been refused under the configured LM Compatibility Level stand out. Monitor network traffic for MS-NRPC exchanges carrying non-standard or overridden control flags that relate to the NTLM version.
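The audit step in the Workarounds and the detection method above both come down to the same check: find successful logons whose NTLM version is V1 in an environment whose LM Compatibility Level says the domain controllers should refuse it. The script below is an added example, not code from Silverfort or Microsoft. It assumes Security event 4624 (successful logon) records exported as XML (for instance from `Get-WinEvent` with `.ToXml()` or `wevtutil`), whose `EventData` carries the real `AuthenticationPackageName` and `LmPackageName` fields (the latter is shown as "Package Name (NTLM only)" in Event Viewer). The sample events, account names, hosts and addresses are constructed for the example. The `dc_rejects_ntlmv1` helper encodes the documented meaning of `LmCompatibilityLevel`: only level 5 makes a domain controller refuse NTLMv1 responses.

```python
"""Flag NTLMv1 logons in exported Windows Security event XML (added example)."""
import xml.etree.ElementTree as ET

# Namespace used by Windows Event Log XML exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(lm_package, auth_package, user, workstation, ip, logon_type="3"):
    """Build a constructed 4624 record in the shape of a real XML export."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="AuthenticationPackageName">{auth_package}</Data>
    <Data Name="LmPackageName">{lm_package}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample input: two NTLMv1 logons from a legacy service account,
# one NTLMv2 logon and one Kerberos logon (LmPackageName is "-" for Kerberos).
SAMPLE_EVENTS = [
    _event("NTLM V1", "NTLM", "svc-legacyapp", "APP01", "10.0.0.15"),
    _event("NTLM V2", "NTLM", "jdoe", "WS042", "10.0.1.8"),
    _event("-", "Kerberos", "asmith", "WS043", "10.0.1.9"),
    _event("NTLM V1", "NTLM", "svc-legacyapp", "APP02", "10.0.0.16"),
]


def parse_event(xml_text):
    """Return (event_id, {data_name: value}) for one exported event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def find_ntlmv1_logons(events):
    """Return the 4624 events whose NTLM package version is V1."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != "4624":
            continue
        if data.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos and other packages carry no NTLM version
        if data.get("LmPackageName", "").upper() != "NTLM V1":
            continue
        hits.append({
            "user": data.get("TargetUserName", ""),
            "domain": data.get("TargetDomainName", ""),
            "workstation": data.get("WorkstationName", ""),
            "ip": data.get("IpAddress", ""),
            "logon_type": data.get("LogonType", ""),
        })
    return hits


def summarize_by_source(hits):
    """Count NTLMv1 logons per (account, source host) to prioritise application fixes."""
    counts = {}
    for h in hits:
        key = (h["user"], h["workstation"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def dc_rejects_ntlmv1(lm_compatibility_level):
    """LmCompatibilityLevel 5 is the only level at which a DC refuses LM and NTLMv1."""
    return int(lm_compatibility_level) == 5


def classify(lm_compatibility_level, hits):
    """Label what the findings mean given the domain's configured policy."""
    if not hits:
        return "no NTLMv1 logons observed"
    if dc_rejects_ntlmv1(lm_compatibility_level):
        return "NTLMv1 accepted despite policy: investigate the source applications"
    return "NTLMv1 permitted by policy: raise LmCompatibilityLevel after fixing sources"


if __name__ == "__main__":
    found = find_ntlmv1_logons(SAMPLE_EVENTS)
    for (user, host), n in sorted(summarize_by_source(found).items()):
        print(f"{user} from {host}: {n} NTLMv1 logon(s)")
    print(classify(5, found))
```

Event 4624 is written on the host that granted the session, so to see every NTLMv1 logon in the domain the export has to cover member servers as well as the domain controllers; a hit on a DC configured with level 5 is exactly the override the report describes, and the (account, host) summary points at the on-premise application to reconfigure.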
## References
- Vendor Advisories: N/A (Research disclosure by Silverfort)
- Relevant links:
  - Silverfort Report: hxxps://www.silverfort.com/blog/ntlmv1-bypass-in-active-directory-technical-deep-dive/
  - Microsoft Group Policy Mechanism Reference: hxxps://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-1-%E2%80%93-disabling-ntlmv1/3934787/
  - MS-NRPC Documentation: hxxps://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f/
  - `NETLOGON_LOGON_IDENTITY_INFO` Structure: hxxps://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/81c44fa0-0a27-41b3-b607-de39cce7ea1d