by yrro
1365 days ago
Can a Windows expert chime in here? Why is the NT hash even calculated any more? Is it still the default? Can group policy be configured to tell everything not to use NTLM, to disable it everywhere? And can't AD be configured to disable RC4 everywhere? Do MS ever plan to properly deprecate NTLM/RC4, disable it in new domains and start displaying prominent warnings when they're enabled?
> Why is the NT hash even calculated any more?
For legacy reasons, I assume.
> Is it still the default?
Yes
> Can group policy be configured to tell everything not to use NTLM, to disable it everywhere?
It can, at least for domain-joined Windows machines. Most environments can't afford to disable NTLM though, because some legacy systems rely on it. However, Microsoft recommends disabling it.
> And can't AD be configured to disable RC4 everywhere?
Yes
> Do MS ever plan to properly deprecate NTLM/RC4, disable it in new domains and start displaying prominent warnings when they're enabled?
I'm not aware of such plans. If I were to guess, then I'd reckon they want everyone to move to Azure and let on-premises AD die.
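The two knobs the exchange above refers to (restricting NTLM on domain-joined Windows hosts via Group Policy, and removing RC4 from Kerberos in AD) can be audited and set from PowerShell. The script below is an added example written for this thread, not code from either poster. It assumes it is run elevated on a domain member with the RSAT ActiveDirectory module installed; the registry paths are the ones the corresponding "Network security" Group Policy settings write to, and the OU name in the parameter comment is a placeholder. By default it only reports; the switches make it change things, and the comments carry the caveat the reply makes (audit which legacy systems still speak NTLM before denying it).

```powershell
#Requires -Modules ActiveDirectory
# Added example for this thread, not either poster's code.
# Assumes: elevated PowerShell on a domain-joined host, RSAT AD module present.
param(
    [switch]$Enforce,      # set NTLMv2-only, NTLM auditing, and AES-only Kerberos types
    [switch]$DenyNtlm,     # additionally deny all inbound/outbound NTLM (only after auditing)
    [string]$SearchBase    # e.g. 'OU=Servers,DC=corp,DC=example' (placeholder, assumed)
)

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = Join-Path $lsa 'MSV1_0'
$kerb = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# --- 1. NTLM on this host (what the "Network security: ..." GPO settings write) ---
# LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1 as a server.
# Restrict*NTLMTraffic 2 = deny all; Audit*NTLMTraffic 2 = log every NTLM use
# to Microsoft-Windows-NTLM/Operational so the legacy dependencies can be found first.
[pscustomobject]@{
    LmCompatibilityLevel         = Get-RegValue $lsa 'LmCompatibilityLevel'
    AuditReceivingNTLMTraffic    = Get-RegValue $msv 'AuditReceivingNTLMTraffic'
    RestrictSendingNTLMTraffic   = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
    RestrictReceivingNTLMTraffic = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'
    KerberosSupportedEncTypes    = Get-RegValue $kerb 'SupportedEncryptionTypes'
} | Format-List

if ($Enforce) {
    Set-RegDword $lsa  'LmCompatibilityLevel'      5
    Set-RegDword $msv  'AuditReceivingNTLMTraffic' 2
    # Bitmask: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256. 0x18 = AES only.
    Set-RegDword $kerb 'SupportedEncryptionTypes'  0x18
}
if ($DenyNtlm) {
    # Only flip these once the NTLM Operational log has been quiet for a while;
    # the reply's warning about legacy systems applies here.
    Set-RegDword $msv 'RestrictSendingNTLMTraffic'   2
    Set-RegDword $msv 'RestrictReceivingNTLMTraffic' 2
}

# --- 2. RC4 in the directory: accounts whose msDS-SupportedEncryptionTypes allows RC4 ---
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 4 is the RC4 bit.
# Accounts with the attribute unset fall back to the DC's default and are listed too.
$filter = '(&(|(objectCategory=person)(objectCategory=computer))' +
          '(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4)' +
          '(!(msDS-SupportedEncryptionTypes=*))))'
$query = @{ LDAPFilter = $filter; Properties = 'msDS-SupportedEncryptionTypes','servicePrincipalName' }
if ($SearchBase) { $query.SearchBase = $SearchBase }

$rc4Accounts = Get-ADObject @query
$rc4Accounts |
    Select-Object Name, ObjectClass,
        @{n='EncTypes'; e={ $_.'msDS-SupportedEncryptionTypes' }},
        @{n='HasSPN';   e={ [bool]$_.servicePrincipalName }} |
    Format-Table -AutoSize

if ($Enforce) {
    foreach ($acct in $rc4Accounts) {
        # AES keys only exist for passwords set after the domain reached the 2008
        # functional level, so an old service account (or krbtgt) also needs a
        # password rotation, or Kerberos for it breaks once RC4 is removed.
        Set-ADObject -Identity $acct -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }
    }
}
```

Run it with no switches first and keep the host in NTLM audit mode (-Enforce) long enough to read the Operational log; -DenyNtlm is the step most environments in the reply's description never reach, and the AD part should be scoped with -SearchBase to service and computer accounts before touching everything.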