by pinpeliponni 3261 days ago
NTLM was deprecated in 1999, when Windows 2000 came out. You have been supposed to use krb5 since then, and disabled the NTLM. Why is anything about NTLM still news? You have to specifically enable it on newest Windows platforms, because afaik it has been disabled by default for some 5+ years now.
5 comments

> You have to specifically enable it on newest Windows platforms, because afaik it has been disabled by default for some 5+ years now.

No you don't have to specifically enable it, it's still enabled (by default).

Completely disabling NTLM on a network would be a large project and not even Microsoft recommend that because the security gains are relatively small.

(See microsoft.com/pth for their comprehensive credential security guidance)

By default, Kerberos will fail back to NTLM when:

* Authenticating against a pre-NT 4.0 server
* Accessing a domain resource via IP
* Accessing a resource on a non-domain member
* Accessing a resource on a computer that does not support Kerberos (Windows 3.11, Windows 95, etc.)

It's trivial to force this downgrade on most domains.

That's not entirely accurate. Authentication in Windows can fall back to NTLM for a variety of reasons, including a malicious endpoint purposefully "downshifting" the version of NTLM it wants to use during a negotiation. There are tools to let you control the version of NTLM and group policy and what not...but that can break things that you have had for a long time.

Windows will do Kerberos by default and avoid NTLM in lots of situations, but it's hard to keep it from being used at all if that's your goal.
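
As an added example (not from any commenter in this thread), one way to see which sources are still falling back to NTLM, and which of those negotiate NTLMv1, is to parse Windows Security event 4624, whose "Authentication Package" and "Package Name (NTLM only)" fields record the method used. The event texts and addresses below are constructed samples, not real logs.

```python
import re
from collections import Counter

# Constructed 4624 message bodies (not real logs), in the tab-separated
# "Field:<tab>Value" layout of the Event Viewer text; only the fields this
# parser reads are included.
SAMPLE_4624 = [
    "Logon Type:\t\t3\nAuthentication Package:\tKerberos\n"
    "Package Name (NTLM only):\t-\nSource Network Address:\t10.0.0.11",
    "Logon Type:\t\t3\nAuthentication Package:\tNTLM\n"
    "Package Name (NTLM only):\tNTLM V2\nSource Network Address:\t10.0.0.12",
    "Logon Type:\t\t3\nAuthentication Package:\tNTLM\n"
    "Package Name (NTLM only):\tNTLM V1\nSource Network Address:\t10.0.0.40",
    "Logon Type:\t\t3\nAuthentication Package:\tNTLM\n"
    "Package Name (NTLM only):\tNTLM V2\nSource Network Address:\t10.0.0.12",
]

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_4624(message):
    """Turn the 'Field: Value' lines of a 4624 message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def auth_method(fields):
    """Collapse the two package fields into Kerberos / NTLM V1 / NTLM V2 / other."""
    pkg = fields.get("Authentication Package", "")
    if pkg != "NTLM":
        return pkg or "unknown"
    name = fields.get("Package Name (NTLM only)", "")
    # A missing or '-' version under an NTLM logon is worth a look, so it
    # gets its own bucket rather than being folded into V2.
    return name if name and name != "-" else "NTLM (unversioned)"

def summarize(messages):
    """Map each source address to a Counter of authentication methods."""
    summary = {}
    for msg in messages:
        f = parse_4624(msg)
        src = f.get("Source Network Address", "-")
        summary.setdefault(src, Counter())[auth_method(f)] += 1
    return summary

def ntlm_sources(messages, v1_only=False):
    """Sources with any NTLM logon; with v1_only, only non-NTLMv2 NTLM/LM logons."""
    def weak(m):
        return m.startswith(("NTLM", "LM")) and (not v1_only or m != "NTLM V2")
    return sorted(src for src, c in summarize(messages).items()
                  if any(weak(m) for m in c))
```

Run against a real export, the per-source counts show where Kerberos is not being used at all, and the v1_only list shows the hosts that should be fixed first.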

I'll add to that - It is still very easy to hijack SMB connections and use it to steal the NTLM hash in almost any network with Windows machines (Managed with a DC or not). Just go ahead and try [1] (Disclaimer - running responder.py without authorization might be considered as a crime and I do not take any responsibility for it. I encourage you to use it only if you understand what you are doing and you have full permission to do it).

[1] https://github.com/SpiderLabs/Responder

That's why MS recommends that you use a separate forest for admins only these days. You only administer things with remote tools via a trust, you only enable admin perms as long as you absolutely need them, and you put admins in the protected users group so that they can only do Kerberos. It won't stop other people's creds from getting stolen, but it makes complete ownership of the domain less likely. That being said if you have service accounts running as domain admin, or you have service accounts with "delegate to any service" perms...all bets are off.

It's so hard to get this right these days. I'm just recommending that people move all their clients to Azure AD join and put servers in resource forests.

NTLM has got to go and hardware/virtualization based security like device guard has to become the norm.

Because I know several "security" appliances where their http/https proxy only allows authentication via NTLM. And SPA (Exchange) still uses NTLM. And also Windows AD falls back to NTLM if krb is not available.
For a long time you couldn't set up a domain trust without NTLM.
Are you saying that if you disable NTLM, this hole is closed? I.e. when Explorer processes an icon file with a URL, it will not pass an NTLM hash to a remote server?

What is "disable NTLM", exactly: what does/doesn't happen?

Does it mean that NTLM hashes don't exist any more and therefore can't be sent anywhere?

Lots of places are still running Windows 2003 or 2000 and thus have critical infrastructure that uses NTLM.

Also, many, many places who do upgrade turn on legacy crap to interoperate and never turn them off. It's a lot of work to disable it, and the systems that still use it are usually old crap that isn't budgeted.