Enhancing NTLM Authentication Settings for Improved Security: A Comprehensive Guide - ToddMaxey/Technical-Documentation GitHub Wiki

The NTLM (NT LAN Manager) protocol, a legacy authentication system used in Windows environments, is widely considered less secure than modern protocols such as Kerberos. However, many organizations still rely on NTLM for compatibility with older systems or applications. Microsoft provides several settings that improve the security of NTLM authentication. This article outlines the best practices for configuring these settings across your domain using Group Policy Objects (GPOs) and the Windows Registry. The goal is to harden NTLM communications, reducing exposure to attacks such as relay attacks, man-in-the-middle attacks, and credential theft.

1. Configuring NTLM Authentication via GPO

Using Group Policy Objects (GPOs) is the most effective way to enforce NTLM settings across both client and server machines in your domain. By centralizing the configuration, you ensure consistency and simplify management.

GPO Location:

To configure NTLM settings, navigate to the following GPO location:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options 

Key NTLM Settings:

Network security: LAN Manager authentication level

This policy defines which challenge/response protocols clients send and which ones domain controllers accept. The six options, numbered here by the LMCompatibilityLevel value each corresponds to, are as follows:

  0. Send LM & NTLM responses:

    • Clients use LM and NTLM authentication and never use NTLMv2 session security.

    • Domain controllers accept LM, NTLM, and NTLMv2 authentication.

  1. Send LM & NTLM - use NTLMv2 session security if negotiated:

    • Clients use LM and NTLM authentication, and NTLMv2 session security if the server supports it.

    • Domain controllers accept LM, NTLM, and NTLMv2 authentication.

  2. Send NTLM response only:

    • Clients use only NTLM authentication, and NTLMv2 session security if the server supports it.

    • Domain controllers accept LM, NTLM, and NTLMv2 authentication.

  3. Send NTLMv2 response only:

    • Clients use only NTLMv2 authentication, and NTLMv2 session security if the server supports it.

    • Domain controllers accept LM, NTLM, and NTLMv2 authentication.

  4. Send NTLMv2 response only\refuse LM:

    • Clients use only NTLMv2 authentication, with NTLMv2 session security if the server supports it.

    • Domain controllers refuse LM responses and accept only NTLM and NTLMv2.

  5. Send NTLMv2 response only\refuse LM & NTLM:

    • Clients use only NTLMv2 authentication, with NTLMv2 session security if the server supports it.

    • Domain controllers refuse both LM and NTLM responses and accept only NTLMv2.

Recommended Setting:

"Send NTLMv2 response only\refuse LM & NTLM" (Level 5) is the most secure option. It ensures that clients send only NTLMv2 responses and that domain controllers refuse the outdated LM and NTLM (NTLMv1) responses.

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients and Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

These two settings enforce minimum session security requirements for NTLM connections the machine makes (clients) and accepts (servers), so that communications use stronger encryption and integrity protection.

  • Require NTLMv2 session security: The connection fails unless NTLMv2 session security is negotiated.

  • Require 128-bit encryption: The connection fails unless 128-bit encryption is negotiated.

Recommended Setting:

  • Enable both "Require NTLMv2 session security" and "Require 128-bit encryption", for clients and for servers, to ensure secure NTLM communications.

2. Registry-Based Configuration for NTLM Settings

For environments where GPOs cannot be applied, or for machine-specific configuration, the same settings can be written directly to the registry. The Security Options policies described above write these very values, so on a machine that receives the GPO a manually set value is overwritten at the next policy refresh. Below are the essential registry values for securing NTLM communications:

Registry Location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control 

LMCompatibilityLevel

This registry value controls the LAN Manager authentication level and corresponds to the GPO setting described earlier.

  • Level 0: Clients send LM and NTLM responses and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2.

  • Level 1: Clients send LM and NTLM responses and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2.

  • Level 2: Clients send only NTLM responses, with NTLMv2 session security if supported; domain controllers accept LM, NTLM, and NTLMv2.

  • Level 3: Clients send only NTLMv2 responses, with NTLMv2 session security if supported; domain controllers accept LM, NTLM, and NTLMv2.

  • Level 4: Clients send only NTLMv2 responses; domain controllers refuse LM responses and accept only NTLM and NTLMv2.

  • Level 5: Clients send only NTLMv2 responses; domain controllers refuse both LM and NTLM responses and accept only NTLMv2.

Recommended Setting:

Set LMCompatibilityLevel to 5 for maximum security. This setting forces the use of NTLMv2, rejecting LM and NTLM authentication.

NtlmMinClientSec and NtlmMinServerSec

These registry values are bitmasks that control the minimum session security for NTLM clients and servers, defining requirements for message integrity and encryption. Each flag below is one bit; a value is the bitwise OR of the flags it requires.

  • 0x00000010: Message integrity (ensures data hasn't been tampered with).

  • 0x00000020: Message confidentiality (ensures data is encrypted).

  • 0x00080000: NTLMv2 session security (forces NTLMv2 security).

  • 0x20000000: 128-bit encryption (ensures strong encryption).

  • 0x80000000: 56-bit encryption (weak encryption, should be avoided).

Recommended Setting:

Set NtlmMinClientSec and NtlmMinServerSec to 0x20000000 for 128-bit encryption, or to 0x20080030 for high security. The latter is the bitwise OR of the four strong flags above (0x00000010 | 0x00000020 | 0x00080000 | 0x20000000) and requires message integrity, message confidentiality, NTLMv2 session security, and 128-bit encryption.
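The following PowerShell script is an added example, not code from this wiki page or its author. It audits the three registry values from this section on the local machine, decodes the NtlmMinClientSec and NtlmMinServerSec bitmasks into the flag names listed above, and checks them against the high-security mask 0x20080030 and LMCompatibilityLevel 5. It assumes the Lsa and Lsa\MSV1_0 subkeys, which are the standard locations of these values beneath the Control key given above; since the Security Options policies from section 1 write the same values, the report also verifies GPO enforcement. All function and variable names are my own.

```powershell
# Added example, not code from the original wiki page. Audits the NTLM values
# discussed above on the local machine and, via Set-NtlmHardening, writes the
# recommended ones. Lsa and Lsa\MSV1_0 are the standard subkeys for these values.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'          # LMCompatibilityLevel
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'   # NtlmMinClientSec, NtlmMinServerSec

# Flag bits of NtlmMinClientSec / NtlmMinServerSec as listed above. They are parsed
# as UInt32 because a literal 0x80000000 is a negative Int32 in PowerShell.
$NtlmSecFlags = [ordered]@{
    MessageIntegrity       = [Convert]::ToUInt32('00000010', 16)
    MessageConfidentiality = [Convert]::ToUInt32('00000020', 16)
    NtlmV2SessionSecurity  = [Convert]::ToUInt32('00080000', 16)
    Encryption128Bit       = [Convert]::ToUInt32('20000000', 16)
    Encryption56Bit        = [Convert]::ToUInt32('80000000', 16)   # weak; must not be set
}
$RecommendedLevel  = 5                                      # Send NTLMv2 response only\refuse LM & NTLM
$RecommendedMinSec = [Convert]::ToUInt32('20080030', 16)    # integrity | confidentiality | NTLMv2 | 128-bit

function Get-RegistryDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the value is absent (Windows then applies its built-in default)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD is returned as Int32; reinterpret the same 32 bits as UInt32
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$item.$Name), 0)
}

function ConvertTo-NtlmSecFlagNames {
    param([uint32]$Mask)
    # Names every listed flag set in $Mask and reports any bit the page does not list
    $names = @()
    $known = 0
    foreach ($entry in $NtlmSecFlags.GetEnumerator()) {
        $known = $known -bor $entry.Value
        if (($Mask -band $entry.Value) -ne 0) { $names += $entry.Key }
    }
    $unknown = $Mask -bxor ($Mask -band $known)
    if ($unknown -ne 0) { $names += ('Unknown(0x{0:X8})' -f $unknown) }
    return $names
}

function Test-NtlmMinSec {
    param([uint32]$Mask)
    # Compliant when every bit of 0x20080030 is present and 56-bit encryption is not requested
    $hasRequired = ($Mask -band $RecommendedMinSec) -eq $RecommendedMinSec
    $hasWeak     = ($Mask -band $NtlmSecFlags.Encryption56Bit) -ne 0
    return ($hasRequired -and -not $hasWeak)
}

function Get-NtlmHardeningReport {
    $level = Get-RegistryDword -Key $LsaKey -Name 'LMCompatibilityLevel'
    [pscustomobject]@{
        Setting   = 'LMCompatibilityLevel'
        Current   = $level
        Compliant = ($null -ne $level -and $level -ge $RecommendedLevel)
    }
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $mask  = Get-RegistryDword -Key $Msv10Key -Name $name
        $shown = if ($null -eq $mask) { '(not set)' }
                 else { '0x{0:X8} [{1}]' -f $mask, ((ConvertTo-NtlmSecFlagNames $mask) -join ', ') }
        [pscustomobject]@{
            Setting   = $name
            Current   = $shown
            Compliant = ($null -ne $mask -and (Test-NtlmMinSec $mask))
        }
    }
}

function Set-NtlmHardening {
    # Writes the recommended values; requires an elevated prompt. On a GPO-managed
    # machine the policy value wins again at the next refresh, so change the GPO instead.
    New-ItemProperty -Path $LsaKey -Name 'LMCompatibilityLevel' -PropertyType DWord `
        -Value $RecommendedLevel -Force | Out-Null
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        New-ItemProperty -Path $Msv10Key -Name $name -PropertyType DWord `
            -Value $RecommendedMinSec -Force | Out-Null
    }
}

Get-NtlmHardeningReport | Format-Table -AutoSize
```

Save the script and run it on each machine, or fan it out with Invoke-Command -ComputerName against a list of hosts, to see which systems still sit below level 5 or request 56-bit encryption. Reading the values back after a GPO refresh is the simplest way to confirm the policy actually reached a given machine.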

3. Summary of Recommended NTLM Settings

For optimal security, apply the following settings:

Group Policy Settings:

  • Network security: LAN Manager authentication level: Set to "Send NTLMv2 response only\refuse LM & NTLM" (Level 5).

  • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients and servers:

    • Enable "Require NTLMv2 session security".

    • Enable "Require 128-bit encryption".

Registry Settings:

  • LMCompatibilityLevel: Set to 5 to enforce NTLMv2.

  • NtlmMinClientSec and NtlmMinServerSec: Set both to 0x20000000 for 128-bit encryption or 0x20080030 for high security.

4. Implementation and Best Practices

  1. Use GPOs for Domain-Wide Enforcement: Since these settings need to be applied to all machines in the domain, using GPOs is the most efficient method for ensuring consistency and simplifying management.

  2. Test Before Full Deployment: As these settings can impact older systems and applications that rely on weaker authentication protocols, thoroughly test the settings in a non-production environment before rolling them out globally.

  3. Monitor and Audit: After applying these settings, actively monitor the environment for any authentication issues or unexpected behavior. Ensure that all systems can authenticate without issues and review event logs for potential failures.

  4. Use NTLMv2 Exclusively: Moving away from LM and NTLM (NTLMv1) is a crucial step in hardening your environment. NTLMv2 uses a much stronger challenge/response computation than LM or NTLMv1 and, combined with NTLMv2 session security, provides the signing and sealing that protect against modern attack methods.

  5. Regular Updates: Periodically review these settings and update them as needed to maintain a high security standard in your environment.
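As an added example for the "Test Before Full Deployment" and "Monitor and Audit" steps (not code from this wiki page or its author), the PowerShell below finds logons that still use LM or NTLMv1, so that the dependent systems can be fixed before LMCompatibilityLevel is raised and so that any remaining weak logons show up afterwards. It relies on the Windows Security log event 4624, whose "Authentication Package" and "Package Name (NTLM only)" fields report NTLM and LM / NTLM V1 / NTLM V2 respectively. Because 4624 is written on the machine being logged on to, the live query should run on member servers, for instance via Invoke-Command, and not only on domain controllers. The sample event is constructed, and all function names are my own.

```powershell
# Added example, not code from the original wiki page. Finds Security log 4624
# logons whose NTLM package is LM or NTLM V1, which level 5 would refuse.

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    # Flatten the <EventData> of a 4624 event into a hashtable keyed by field name
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data['TimeCreated'] = $xml.Event.System.TimeCreated.SystemTime
    return $data
}

function Test-WeakNtlmLogon {
    param([Parameter(Mandatory)][hashtable]$Fields)
    # True when the logon was authenticated with NTLM and the package is LM or NTLMv1
    return ($Fields['AuthenticationPackageName'] -eq 'NTLM' -and
            $Fields['LmPackageName'] -in @('LM', 'NTLM V1'))
}

function Get-WeakNtlmLogons {
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)
    # Live query of the Security log; needs rights to read it on the target machine
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() } |
        Where-Object { Test-WeakNtlmLogon $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_['TimeCreated']
                Package     = $_['LmPackageName']
                User        = '{0}\{1}' -f $_['TargetDomainName'], $_['TargetUserName']
                Workstation = $_['WorkstationName']
                SourceIp    = $_['IpAddress']
                LogonType   = $_['LogonType']
            }
        }
}

# Constructed sample 4624 event (not a real log record) containing the fields the
# filter relies on; the remaining 4624 fields are omitted for brevity.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000000000Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc-legacy</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">OLDAPP01</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
$fields = ConvertFrom-LogonEventXml $sampleEvent
if (Test-WeakNtlmLogon $fields) {
    'Sample logon by {0}\{1} from {2} uses {3}; it would fail at level 5' -f
        $fields['TargetDomainName'], $fields['TargetUserName'], $fields['WorkstationName'], $fields['LmPackageName']
}

# Live summary: which accounts and workstations still depend on weak packages
Get-WeakNtlmLogons -Days 14 |
    Group-Object Package, User, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run the summary over a period long enough to cover monthly jobs before enforcing level 5, and run it again after deployment: any LM or NTLM V1 row that still appears is a system that was not reached by the policy or that needs its own remediation.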