Thursday, May 8, 2025

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol


Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy: misconfigured on-premises applications can bypass the Group Policy setting intended to disable NTLMv1. The bypass leaves the outdated authentication protocol available for attackers to exploit.

The bypass allows attackers to intercept NTLMv1 traffic, crack user credentials offline, and gain unauthorized access within the network, which poses a significant risk to organizations that rely on on-premises applications or that run diverse device environments.


Risks of NTLMv1 Exploitation in On-Premises Applications

NTLMv1 is an outdated authentication protocol that remains a security risk in many Windows environments. While Microsoft has deprecated NTLMv1, halted its active development, and introduced measures such as domain-wide blocking, removing it completely remains challenging because of legacy systems.

Organizations must carefully assess their reliance on NTLMv1 and implement robust mitigation strategies, prioritizing migration to more secure authentication protocols such as Kerberos and other modern alternatives to minimize their exposure to these risks.

Simple NTLM Authentication 

The client initiates authentication by sending a Negotiate message to the server and declaring its NTLM support, while the server responds with a Challenge message containing a random number. 

The client then hashes this number with its credentials and sends the result, along with its username, domain, and session information, in an Authenticate message; the server validates the hash and grants access if it matches.

NTLMv1 Vulnerabilities

NTLMv1 suffered from several weaknesses: weak DES-based encryption, a predictable 8-byte server challenge, and the lack of any source/destination binding, which enabled relay attacks.

Figure: Reject NTLMv1 with GP enabled

NTLMv2 addressed these issues with stronger RC4 encryption, a client challenge, and AV_PAIRS that create unique session keys for each authentication.
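To make the exchange in the "Simple NTLM Authentication" section and the v1/v2 difference concrete, here is an added Python model. It is not code from the article and it does not implement the real NTLM wire format or its DES/HMAC-MD5 primitives: the key derivation, response function and AV_PAIRS layout are simplified stand-ins (assumptions) chosen so it runs offline, and the account, password and server name are constructed. It walks the Negotiate/Challenge/Authenticate flow from both sides and shows that a v1-style response depends only on the server challenge (so a repeated, predictable challenge yields a repeated response), while a v2-style response also carries a client challenge and target-binding AV_PAIRS.

```python
"""Toy model of the NTLM Negotiate / Challenge / Authenticate exchange.

Added illustration: not the real NTLM protocol, only its message flow and
the v1-vs-v2 freshness difference. All primitives below are stand-ins.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def nt_key(password: str) -> bytes:
    # Stand-in for the NT hash (real NTLM uses MD4 over UTF-16LE); SHA-256
    # is used only so the example runs on every Python build.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def v1_style_response(key: bytes, server_challenge: bytes) -> bytes:
    # v1-style: the response depends only on the server challenge, so an
    # identical challenge produces an identical response (no client freshness).
    return hmac.new(key, server_challenge, hashlib.md5).digest()


def v2_style_response(key: bytes, server_challenge: bytes,
                      client_challenge: bytes, av_pairs: bytes) -> bytes:
    # v2-style: a client challenge and AV_PAIRS (target/session data) are
    # mixed in and sent along, so every authentication is unique.
    blob = client_challenge + av_pairs
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest() + blob


@dataclass
class Server:
    users: dict                 # username -> key; stands in for the DC's store
    target: bytes = b"FILESRV01"  # constructed server name

    def challenge(self) -> bytes:
        return os.urandom(8)    # NTLM uses an 8-byte server challenge

    def verify(self, auth: dict, server_challenge: bytes) -> bool:
        key = self.users.get(auth["user"])
        if key is None:
            return False
        if auth["version"] == 1:
            expected = v1_style_response(key, server_challenge)
            return hmac.compare_digest(expected, auth["response"])
        # v2: the blob (client challenge + AV_PAIRS) travels with the response;
        # requiring this server's name in it models the target binding v1 lacks.
        resp, blob = auth["response"][:16], auth["response"][16:]
        expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
        return hmac.compare_digest(expected, resp) and self.target in blob


@dataclass
class Client:
    user: str
    password: str
    version: int   # 1 or 2

    def negotiate(self) -> dict:
        # Negotiate message: declares NTLM support and the flavour offered
        return {"type": "NEGOTIATE", "ntlm": True, "version": self.version}

    def authenticate(self, server_challenge: bytes, target: bytes) -> dict:
        key = nt_key(self.password)
        if self.version == 1:
            resp = v1_style_response(key, server_challenge)
        else:
            av_pairs = b"TARGET=" + target     # simplified AV_PAIRS stand-in
            resp = v2_style_response(key, server_challenge, os.urandom(8), av_pairs)
        return {"type": "AUTHENTICATE", "user": self.user, "domain": "CORP",
                "version": self.version, "response": resp}


def run_exchange(client: Client, server: Server, server_challenge: bytes = None):
    """One Negotiate/Challenge/Authenticate round; returns (accepted, response)."""
    negotiate = client.negotiate()
    assert negotiate["ntlm"]
    chal = server_challenge if server_challenge is not None else server.challenge()
    auth = client.authenticate(chal, server.target)
    return server.verify(auth, chal), auth["response"]


def demo() -> dict:
    server = Server(users={"alice": nt_key("Winter2025!")})   # constructed account
    fixed = b"\x00" * 8   # a predictable server challenge, the v1 weakness
    ok1, r1 = run_exchange(Client("alice", "Winter2025!", 1), server, fixed)
    ok2, r2 = run_exchange(Client("alice", "Winter2025!", 1), server, fixed)
    ok3, r3 = run_exchange(Client("alice", "Winter2025!", 2), server, fixed)
    ok4, r4 = run_exchange(Client("alice", "Winter2025!", 2), server, fixed)
    bad, _ = run_exchange(Client("alice", "wrong-password", 2), server)
    return {"v1_accepted": ok1 and ok2, "v1_repeats": r1 == r2,
            "v2_accepted": ok3 and ok4, "v2_repeats": r3 == r4,
            "wrong_password_accepted": bad}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under a repeated server challenge the two v1-style exchanges produce byte-identical responses, whereas the two v2-style exchanges differ because the client challenge changes each time; that is the freshness property the article attributes to NTLMv2's client challenge and AV_PAIRS.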

Active Directory servers rely on the Netlogon RPC interface to evaluate NTLM messages remotely, verifying the credentials against the Domain Controller to complete the authentication.

The MS-NRPC protocol specification contains a flag within the NETLOGON_LOGON_IDENTITY_INFO structure that allows applications to bypass Group Policy restrictions and use NTLMv1 authentication even when it is explicitly disabled. 

Figure: Bypass the NTLMv1 Group Policy

This “Allow NTLMv1 authentication” flag within the ParameterControl field instructs the Netlogon service to permit NTLMv1 authentication despite the LMCompatibilityLevel registry key being set to prevent it. 

By taking advantage of this flag, malicious applications can get around the security measures intended to eliminate the vulnerabilities associated with NTLMv1.

The recent disclosure of an NTLMv1 bypass in Windows highlights the limitations of Group Policy in fully mitigating this outdated authentication protocol. 

While Windows clients with higher LMCompatibilityLevel settings resist NTLMv1 requests, non-Windows clients and certain applications can still trigger NTLMv1 authentication that bypasses security measures. 

According to Silverfort, organizations must enable NTLM audit logs, comprehensively map the applications that use NTLM, and proactively detect and remediate vulnerable applications by moving them to modern authentication methods such as SSO or Kerberos.
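As an added example of the audit-log step (this is not tooling from the article or from Silverfort), the Python below parses the "Authentication Package" and "Package Name (NTLM only)" fields that Windows Security Event ID 4624 carries and builds an inventory of accounts and sources that still authenticate with NTLM V1, which is the list an application-mapping and remediation effort starts from. The event records embedded in it are constructed samples in the 4624 text layout, not real log output, and the host names and addresses are made up.

```python
"""Inventory NTLM V1 logons from Windows Security Event ID 4624 records.

Added example, not code from the article. Event 4624 reports the package
used for a logon in two fields: 'Authentication Package' (NTLM, Kerberos,
Negotiate, ...) and, for NTLM, 'Package Name (NTLM only)' (NTLM V1,
NTLM V2 or LM). The samples below are constructed, not real log output.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# "Key:<tabs>value" lines; the value may itself contain colons (IPv6).
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

SAMPLE_EVENTS = [
    # constructed: legacy NAS using NTLM V1 with a service account
    """An account was successfully logged on.
    Subject:
    \tAccount Name:\t\t-
    Logon Type:\t\t3
    New Logon:
    \tAccount Name:\t\tsvc_backup
    \tAccount Domain:\t\tCORP
    Network Information:
    \tWorkstation Name:\tNAS-OLD01
    \tSource Network Address:\t10.10.5.40
    Detailed Authentication Information:
    \tAuthentication Package:\tNTLM
    \tPackage Name (NTLM only):\tNTLM V1
    \tKey Length:\t\t56""",
    # constructed: a current Windows client using NTLM V2 (not flagged)
    """An account was successfully logged on.
    Logon Type:\t\t3
    New Logon:
    \tAccount Name:\t\tjdoe
    \tAccount Domain:\t\tCORP
    Network Information:
    \tWorkstation Name:\tWS-1234
    \tSource Network Address:\t10.10.8.21
    Detailed Authentication Information:
    \tAuthentication Package:\tNTLM
    \tPackage Name (NTLM only):\tNTLM V2
    \tKey Length:\t\t128""",
    # constructed: Kerberos logon (not flagged)
    """An account was successfully logged on.
    Logon Type:\t\t3
    New Logon:
    \tAccount Name:\t\tjdoe
    \tAccount Domain:\t\tCORP
    Detailed Authentication Information:
    \tAuthentication Package:\tKerberos
    \tPackage Name (NTLM only):\t-""",
    # constructed: second legacy application, same service account, NTLM V1
    """An account was successfully logged on.
    Logon Type:\t\t3
    New Logon:
    \tAccount Name:\t\tsvc_backup
    \tAccount Domain:\t\tCORP
    Network Information:
    \tWorkstation Name:\tLEGACY-APP02
    \tSource Network Address:\t10.10.7.12
    Detailed Authentication Information:
    \tAuthentication Package:\tNTLM
    \tPackage Name (NTLM only):\tNTLM V1""",
]


def parse_event(text: str) -> Dict[str, str]:
    """Flatten an event's 'Key: value' lines into a dict.

    4624 lists 'Account Name' under Subject and again under New Logon; the
    later New Logon value overwrites the earlier one, which is the one wanted.
    Section headers such as 'New Logon:' carry no value and are skipped.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def ntlm_version(fields: Dict[str, str]) -> Optional[str]:
    """Return 'NTLM V1', 'NTLM V2' or 'LM' for an NTLM logon, else None."""
    if fields.get("Authentication Package", "").upper() != "NTLM":
        return None
    return fields.get("Package Name (NTLM only)", "").upper() or None


def ntlmv1_inventory(events: List[str]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (domain, account) -> set of 'workstation (address)' sources using NTLM V1."""
    found: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for text in events:
        f = parse_event(text)
        if ntlm_version(f) == "NTLM V1":
            source = f"{f.get('Workstation Name', '-')} ({f.get('Source Network Address', '-')})"
            found[(f.get("Account Domain", "-"), f.get("Account Name", "-"))].add(source)
    return dict(found)


if __name__ == "__main__":
    for (domain, account), sources in sorted(ntlmv1_inventory(SAMPLE_EVENTS).items()):
        print(f"{domain}\\{account}: NTLM V1 from {', '.join(sorted(sources))}")
```

On a real deployment the records would come from the Security log (for example via an exported event list or a SIEM query on Event ID 4624) rather than from the embedded samples; the parsing and grouping stay the same. Because the Group Policy bypass described above is triggered by the application rather than the Windows client, each source that appears in this inventory is an application to investigate and move to Kerberos or SSO, not merely a client to reconfigure.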

This proactive approach aligns with Microsoft’s commitment to enhancing security by phasing out NTLMv1 and demonstrates the importance of continuous monitoring and remediation efforts to ensure a secure IT environment.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
