
Vulnerability in Microsoft Active Directory Group Policy Allows NTLM v1 Bypass

Researchers Discover Misconfiguration Exploit

Jan 16, 2025 | Ravie Lakshmanan | Active Directory / Vulnerability

Cybersecurity researchers have discovered that the Microsoft Active Directory Group Policy designed to disable NT LAN Manager (NTLM) v1 can be bypassed by a misconfiguration.

“A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications,” Silverfort researcher Dor Segal said in a report shared with The Hacker News.

NTLM is a challenge-response protocol still widely used in Windows environments to authenticate users across a network. The legacy protocol has been retained for backward compatibility rather than removed, and it poses a significant security risk if not properly configured: NTLMv1 in particular computes its response from the user's NT hash with DES, so a captured challenge/response pair can be cracked offline to recover the hash, which can then be replayed.

“Meaning, organizations think they are doing the right thing by setting this group policy, but it’s still being bypassed by the misconfigured application,” Segal added.

To mitigate the risk posed by NTLMv1, it is essential to enable audit logging for all NTLM authentication in the domain, since the Group Policy alone cannot be trusted to block it, and to watch for applications that request clients to respond with NTLMv1 messages. Additionally, keeping systems up to date is crucial.
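The following PowerShell is an added example, not code from the Silverfort report or from this article. It shows the registry-backed form of the Group Policy discussed above, turns on the NTLM audit policies, and then hunts the Security log for logons that actually completed with an NTLMv1 response, which is what catches the bypass when the policy is in place but an application overrides it. It assumes it is run elevated on a domain controller or member server; the registry values and the 4624 event fields are the standard Windows ones, and `Find-NtlmV1Logons` is a helper name chosen here.

```powershell
# Added example (not from the Silverfort report or The Hacker News article).
# Assumes an elevated session on a domain controller or domain-joined server.

# 1. Registry equivalent of "Network security: LAN Manager authentication level".
#    0-2 permit LM/NTLMv1; 3-4 send NTLMv2 only; 5 also refuses LM and NTLMv1 as a server.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level -or $level -lt 5) {
    Write-Warning "LmCompatibilityLevel is '$level'; NTLMv1 may be accepted. Setting it to 5."
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
}

# 2. Audit NTLM traffic. These mirror the "Restrict NTLM" audit policies; events are
#    written to Applications and Services Logs > Microsoft > Windows > NTLM > Operational.
#    AuditReceivingNTLMTraffic: 2 = audit incoming NTLM for all accounts.
Set-ItemProperty -Path "$lsa\MSV1_0" -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
#    AuditNTLMInDomain (domain controllers): 7 = audit all NTLM authentication in the domain.
Set-ItemProperty -Path "$lsa\MSV1_0" -Name AuditNTLMInDomain -Value 7 -Type DWord

# 3. Hunt for logons that completed with an NTLMv1 response. Security event 4624 records
#    "Package Name (NTLM only)" as "NTLM V1" in that case, regardless of the policy setting,
#    so this is the check that exposes an application overriding the Group Policy.
function Find-NtlmV1Logons {
    param([int]$Days = 7)   # look-back window, assumed default
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['AuthenticationPackageName'] -eq 'NTLM' -and $data['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']   # the client or application host to investigate
                SourceIp    = $data['IpAddress']
                LogonType   = $data['LogonType']
            }
        }
    }
}

Find-NtlmV1Logons -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

Run step 3 on every domain controller, since NTLM logons for domain accounts are validated there; any NTLMv1 hit after the policy is set to 5 points at a host or application that is negotiating the downgrade and needs to be fixed or isolated.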

The latest findings follow a report from security researcher Haifei Li about a “zero-day behavior” in PDF artifacts uncovered in the wild that could leak local net-NTLM information when opened with Adobe Reader or Foxit PDF Reader under certain conditions. Foxit Software has addressed the issue with version 2024.4 for Windows.

The disclosure also comes as HN Security researcher Alessandro Iandoli detailed how various security features in Windows 11 (prior to version 24H2) could be bypassed to achieve arbitrary code execution at the kernel level.

