Your move, admin: Windows 11 authentication can now be managed

Carding

What is wrong with the NTLM protocol and should I disable it?

Microsoft has updated the Windows 11 security policy to allow administrators to block the NTLM authentication protocol when working with SMB (Server Message Block). This feature allows you to protect your system from attacks using the "pass-the-hash" and NTLM relay methods.

SMB is an application-level network protocol that shares files, printers, and various ports between devices on the same network. It includes authentication and encryption mechanisms that should ensure secure access to resources, but this is where vulnerabilities often arise that can be used for attacks.

Early versions of Windows used SPNEGO technology for authentication. It supported several protocols, including Kerberos and NTLM, the latter not the most reliable tool: it creates hashes from user passwords and then passes them to the server for verification.

The new feature significantly reduces risks: password hashes cannot be intercepted and hacked if you refuse to send them to remote servers. An administrator can disable NTLM through Group Policy or in PowerShell. In the future, the developers plan to create a list of exceptions: specific servers for which the block will not apply.

In addition, a function for managing SMB dialects has been implemented in the system. It allows you to restrict the connection of old and unprotected devices. The system now requires SMB signatures (security signatures) by default for all connections (this can be considered an additional barrier against NTLM relay attacks).

The update is part of a major Microsoft initiative to improve security across the Windows and Windows Server product lines. Earlier in 2023, the legacy SMB1 protocol was disabled and an SMB authentication rate limiter was introduced to minimize the risks of brute-force attacks.

Thus, the new feature will provide administrators with more opportunities to control the network and protect user data.
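The post describes three controls (require SMB signing, block NTLM for SMB, restrict SMB dialects) but shows no commands. The script below is an added example, not part of the original post and not Microsoft's own sample: it applies the three settings from an elevated PowerShell session on a Windows 11 client and verifies the result. It assumes the `-BlockNTLM` parameter on `Set-SmbClientConfiguration` / `New-SmbMapping` and the `-Smb2DialectMin` parameters that Microsoft introduced in Windows 11 Insider Preview builds; because older builds lack them, the script checks each parameter exists before using it. `\\fileserver.example.internal\share` is a placeholder path.

```powershell
# Added example (not from the original post). Assumes a Windows 11 build whose
# SMB cmdlets expose -BlockNTLM and -Smb2DialectMin (Insider Preview builds);
# each parameter is checked before use. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# Returns $true if the named cmdlet exists on this build and accepts the parameter.
function Test-CmdletParameter {
    param([string]$Cmdlet, [string]$Parameter)
    $cmd = Get-Command $Cmdlet -ErrorAction SilentlyContinue
    return ($null -ne $cmd -and $cmd.Parameters.ContainsKey($Parameter))
}

# 1. Baseline: record the settings before changing anything (useful for rollback).
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
Write-Host "Before: client signing=$($client.RequireSecuritySignature) server signing=$($server.RequireSecuritySignature)"

# 2. Require SMB signing on both the client and the server side.
#    Signing binds the session to the authenticated identity, which is what
#    breaks NTLM relay even where NTLM itself is still allowed.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Block NTLM for outbound SMB connections from this machine.
if (Test-CmdletParameter -Cmdlet 'Set-SmbClientConfiguration' -Parameter 'BlockNTLM') {
    Set-SmbClientConfiguration -BlockNTLM $true -Force
} else {
    Write-Warning 'This build does not expose -BlockNTLM; update Windows or use the Group Policy setting under Lanman Workstation.'
}

# 4. Restrict SMB dialects so that old, unprotected devices cannot connect:
#    refuse anything below SMB 3.1.1 (the dialect that supports pre-authentication
#    integrity and AES-GCM encryption). Value names are assumed from the cmdlet docs.
if (Test-CmdletParameter -Cmdlet 'Set-SmbClientConfiguration' -Parameter 'Smb2DialectMin') {
    Set-SmbClientConfiguration -Smb2DialectMin SMB311 -Force
    Set-SmbServerConfiguration -Smb2DialectMin SMB311 -Force
} else {
    Write-Warning 'This build does not expose -Smb2DialectMin; dialect restriction skipped.'
}

# 5. Optional pre-flight test for one server before a fleet-wide rollout:
#    map a share with NTLM blocked for just this connection. If the server only
#    offers NTLM (e.g. reached by IP address or not domain-joined), this fails,
#    which tells you the server belongs on the planned exception list.
$testPath = '\\fileserver.example.internal\share'   # placeholder, replace with a real path
if (Test-CmdletParameter -Cmdlet 'New-SmbMapping' -Parameter 'BlockNTLM') {
    try {
        New-SmbMapping -RemotePath $testPath -BlockNTLM $true -ErrorAction Stop | Out-Null
        Write-Host "Kerberos-only connection to $testPath succeeded."
        Remove-SmbMapping -RemotePath $testPath -Force
    } catch {
        Write-Warning "Kerberos-only connection to $testPath failed: $($_.Exception.Message)"
    }
}

# 6. Verify the final state (properties missing on older builds show as empty).
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, BlockNTLM, Smb2DialectMin
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, Smb2DialectMin
```

Step 5 is the part to run first in practice: NTLM blocking only works where Kerberos can succeed, so any share you reach by IP address, by a name without a registered SPN, or on a non-domain server will stop working. The per-mapping test surfaces those servers one at a time, and the `Get-Smb*Configuration` output at the end is what a compliance check should compare against (`RequireSecuritySignature` true on both sides, `BlockNTLM` true, `Smb2DialectMin` at SMB311).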