Listen to this Post
Active Directory Hardening Series – Part 1 – Disabling NTLMv1 | Microsoft Community Hub
You Should Know:
Disabling NTLMv1 is a critical step in securing your Active Directory environment. NTLMv1 is an outdated authentication protocol that is vulnerable to various attacks, including brute force and pass-the-hash attacks. Below are the steps and commands to disable NTLMv1 and enhance your security posture.
Steps to Disable NTLMv1:
1. Verify Current NTLM Settings:
Use the following PowerShell command to check the current NTLM authentication settings:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel"
– `LmCompatibilityLevel` values:
– 0: Send LM & NTLM responses.
– 1: Send LM & NTLM – use NTLMv2 session security if negotiated.
– 2: Send NTLM response only.
– 3: Send NTLMv2 response only.
– 4: Send NTLMv2 response only. Refuse LM.
– 5: Send NTLMv2 response only. Refuse LM & NTLM.
2. Disable NTLMv1:
To disable NTLMv1, set the `LmCompatibilityLevel` to 5 using the following PowerShell command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
3. Restart the System:
After making the changes, restart your system to apply the new settings:
Restart-Computer -Force
4. Verify the Changes:
After the restart, verify that NTLMv1 is disabled by re-running the `Get-ItemProperty` command.
Additional Security Measures:
- Enable SMB Signing:
SMB signing ensures the integrity of SMB traffic. Enable it using the following command:Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
-
Disable LLMNR and NetBIOS:
These protocols can be exploited for spoofing attacks. Disable them via Group Policy or PowerShell:Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0
-
Audit NTLM Usage:
Monitor NTLM usage in your environment to identify legacy applications that may still rely on it:Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventID=4624]]" | Where-Object { $_.Message -match "NTLM" }
What Undercode Say:
Disabling NTLMv1 is a fundamental step in securing your Active Directory environment. However, it is essential to test these changes in a controlled environment before deploying them widely, as some legacy applications may still rely on NTLMv1. Additionally, consider implementing complementary security measures such as SMB signing, disabling LLMNR and NetBIOS, and auditing NTLM usage to further harden your infrastructure. Always stay updated with the latest security best practices and ensure your systems are patched regularly.
For more detailed guidance, refer to the Microsoft Community Hub article.
References:
Reported By: Florian Hansemann – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



