Critical Active Directory Flaw Lets Attackers Bypass NTLMv1 Security Controls

Microsoft Active Directory Group Policy Vulnerability Exposes NTLM Authentication Bypass

Security researchers at Silverfort have uncovered a significant vulnerability in the Microsoft Active Directory Group Policy designed to disable NT LAN Manager (NTLM) v1 authentication. The flaw allows simple misconfigurations in on-premises applications to override the policy, potentially exposing networks to cyber attacks.

NTLM Authentication Protocol Status
– NTLM remains widely used in Windows environments for user authentication
– Protocol deprecated as of mid-2024
– Officially removed from Windows 11 (version 24H2) and Windows Server 2025
– NTLMv2 offers improved security against relay attacks

The Vulnerability
– Bypass occurs through Netlogon Remote Protocol (MS-NRPC)
– Exploits NETLOGON_LOGON_IDENTITY_INFO data structure
– ParameterControl field allows NTLMv1 authentication despite Group Policy restrictions
– Organizations believing they’re secure may remain vulnerable

Mitigation Strategies
1. Enable audit logs for all NTLM authentication
2. Monitor applications requesting NTLMv1 authentication
3. Maintain current system updates
4. Review on-premise application configurations
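Steps 1 and 2 amount to finding which hosts still negotiate NTLMv1 once auditing is on. The following script is an added example, not Silverfort's or Microsoft's tooling: it scans a plain-text export of Windows Security event 4624 and flags every logon whose "Package Name (NTLM only)" field reads NTLM V1 or LM; the sample events, account names and host names are constructed.

```python
# Added example for this article (not Silverfort's or Microsoft's code): scan a
# Windows Security event 4624 text export and flag logons whose
# "Package Name (NTLM only)" field shows NTLM V1 or LM (downgraded auth).
import re

# Constructed sample of three 4624 events in Event Viewer's plain-text form;
# the account and host names are invented.
SAMPLE_EVENTS = """\
An account was successfully logged on.
Account Name: svc_backup
Workstation Name: APP-LEGACY01
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1

An account was successfully logged on.
Account Name: jdoe
Workstation Name: WS-204
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2

An account was successfully logged on.
Account Name: jdoe
Workstation Name: WS-204
Authentication Package: Kerberos
Package Name (NTLM only): -
"""

WEAK_PACKAGES = {"NTLM V1", "LM"}  # values Windows writes for legacy NTLM auth
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")  # "Field Name: value"


def parse_events(text):
    """Split the export on blank lines; each event becomes a dict of its fields."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        matches = (FIELD_RE.match(line) for line in chunk.splitlines())
        events.append({m.group(1): m.group(2) for m in matches if m})
    return events


def find_weak_ntlm_logons(text):
    """Return (account, workstation) for every NTLMv1 or LM logon in the export."""
    return [(e.get("Account Name"), e.get("Workstation Name"))
            for e in parse_events(text)
            if e.get("Authentication Package") == "NTLM"
            and e.get("Package Name (NTLM only)") in WEAK_PACKAGES]


if __name__ == "__main__":
    for acct, ws in find_weak_ntlm_logons(SAMPLE_EVENTS):
        print(f"NTLMv1/LM logon: account={acct} source={ws}")
```

Point it at a real export (for example the text rendering of the Security log on a member server) to get the list of source workstations, which are the applications to review in step 4.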

Related Developments
– PDF vulnerability discovered affecting Adobe Reader and Foxit PDF Reader
– Foxit addressed the issue in version 2024.4
– Windows 11 kernel-level code execution vulnerabilities identified (pre-24H2)

The discovery highlights the importance of thorough security configurations and regular system monitoring in enterprise environments.