A newly disclosed zero-day vulnerability in NTLM, found by researchers at 0patch, lets attackers steal NTLM credentials by having a user merely view a specially crafted malicious file in Windows Explorer; the user does not need to open the file. The captured password hashes can be used for authentication relay attacks or for dictionary attacks against the password, either of which can lead to identity takeover.
NTLM is a family of older Microsoft authentication protocols that provide authentication, integrity, and confidentiality to users. Although NTLM was formally deprecated in June, our analysis shows that 64% of Active Directory user accounts regularly authenticate with NTLM, evidence that NTLM remains widely used despite its known weaknesses.
The flaw is exploitable even in environments using NTLM v2, making it a significant risk to enterprises that have not yet moved to Kerberos and still rely on NTLM. Because Microsoft may not patch this issue for some time, enterprise defenders should take steps to mitigate the vulnerability in their environments. This Tech Tip outlines how dynamic access policies, a few hardening steps, and multifactor authentication (MFA) can help limit attempts to exploit this vulnerability. Upgrading the protocol, where possible, can eliminate the problem entirely.
What Is the NTLM Vulnerability?
When a user views a malicious file in Windows Explorer, whether by browsing to a shared folder, inserting a USB drive that contains the file, or simply viewing a file in the Downloads folder that was automatically downloaded from a malicious web page, an outbound NTLM connection is triggered. Windows then automatically sends the NTLM hashes of the currently logged-in user to a remote attacker-controlled share.
These NTLM hashes can then be intercepted and used for authentication relay attacks or even dictionary attacks, giving attackers unauthorized access to sensitive systems. Attackers can also potentially use recovered passwords to access the organization's software-as-a-service (SaaS) environment, because of the high rate of synced users.
The issue affects all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.
The fundamental problem with NTLM lies in its outdated protocol design. NTLM transmits password hashes instead of verifying plaintext passwords, making it vulnerable to interception and exploitation. Even with NTLM v2, which uses stronger cryptography, the hashes can still be captured and relayed by attackers. NTLM's reliance on weak cryptographic practices and its lack of protection against relay attacks are key weaknesses that make it highly exploitable. Moreover, NTLM authentication does not support modern security features such as MFA, leaving systems open to a range of credential theft techniques, such as pass-the-hash and hash relaying.
What Defenders Need to Do
To mitigate this vulnerability, Microsoft has updated earlier guidance on how to enable Extended Protection for Authentication (EPA) on LDAP, Active Directory Certificate Services (AD CS), and Exchange Server. On Windows Server 2022 and 2019, administrators can manually enable EPA for AD CS and channel binding for LDAP. Microsoft provides scripts to turn on EPA manually on Exchange Server 2016. Where possible, upgrade to the latest Windows Server 2025, which ships with EPA and channel binding enabled by default for both AD CS and LDAP.
Some organizations may still depend on NTLM because of legacy systems. Those teams should consider additional authentication layers, such as dynamic risk-based policies, to protect remaining NTLM legacy systems against exploitation.
Harden LDAP configurations. Configure LDAP to enforce channel binding and monitor for legacy clients that may not support these settings.
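The following PowerShell is an added example, not code from the article or from Microsoft, of the "audit first, then enforce" sequence for LDAP channel binding and signing on a domain controller. It assumes Windows Server 2019 or 2022 with the 2020 LDAP hardening updates installed and an elevated session on the DC; the registry values and event IDs (2889 for unsigned binds, 3039 for failed channel-binding checks) are Microsoft's documented ones, while the helper function name and its regex over the event text are this example's own.

```powershell
# Added example (not from the article): enforce LDAP channel binding and signing
# on a domain controller only after auditing which clients would break.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Step 1: raise LDAP interface event logging so unsigned simple binds (event 2889)
# and failed channel-binding token checks (event 3039) land in the Directory Service log.
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Step 2: channel binding in "when supported" mode (1) logs 3039 for clients that
# fail the check without rejecting them; "always" (2) enforces. Start with 1.
Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Value 1 -Type DWord

# Step 3: after a soak period, list the legacy clients that would be rejected.
# (Hypothetical helper; the IP regex assumes the message text carries the client address.)
function Get-LdapLegacyClients {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889, 3039; StartTime = $since
    } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $ip = if ($_.Message -match '(\d{1,3}(\.\d{1,3}){3})') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ EventId = $_.Id; ClientIp = $ip; Time = $_.TimeCreated }
      } |
      Group-Object EventId, ClientIp |
      Select-Object @{n='Event';e={$_.Values[0]}}, @{n='ClientIp';e={$_.Values[1]}}, Count |
      Sort-Object Count -Descending
}

Get-LdapLegacyClients -Days 7 | Format-Table -AutoSize

# Step 4: once the list is empty or every client has been fixed, enforce both
# channel binding (2 = always) and LDAP signing (2 = require signing).
# Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
# Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity'      -Value 2 -Type DWord
```

Run the audit for at least one full business cycle (month-end jobs and quarterly batch clients are the usual stragglers) before uncommenting the enforcement lines; a client that appears under event 3039 will stop authenticating the moment LdapEnforceChannelBinding moves to 2.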
Check the impact on SaaS. If you are unsure whether applications or clients in your environment rely on NTLMv2, you can use Group Policy to enable the Network Security: Restrict NTLM: Audit incoming NTLM traffic policy setting. This will not block NTLMv2 traffic but will log every attempt to authenticate using NTLMv2 in the Operational log. By analyzing these logs, you can identify which client applications, servers, or services still rely on NTLMv2, so you can make targeted changes or updates.
Using Group Policy to restrict or disable NTLM authentication through the Network Security: Restrict NTLM settings will reduce the risk of fallback scenarios in which NTLM is unintentionally used.
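As an added example (not from the article), here is the registry equivalent of the Restrict NTLM audit policies followed by a summary of what the Microsoft-Windows-NTLM/Operational log recorded, so the two steps above can be worked end to end on one host. It assumes Windows 10/Server 2016 or later and an elevated session; the MSV1_0 value names and event IDs 8001, 8002 and 8004 are Microsoft's, while the summary function and its "Label: value" parsing of the message text are this example's own assumptions.

```powershell
# Added example (not from the article): enable NTLM auditing via the registry
# (same values the Group Policy settings write), then summarise NTLM usage.

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# "Audit incoming NTLM traffic": 2 = all accounts, 1 = domain accounts, 0 = off.
Set-ItemProperty -Path $msv -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
# "Outgoing NTLM traffic to remote servers": 1 = audit all (0 = allow, 2 = deny).
Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
# On a domain controller, "Audit NTLM authentication in this domain": 7 = all.
# Set-ItemProperty -Path $msv -Name 'AuditNTLMInDomain' -Value 7 -Type DWord

# Hypothetical helper: 8001 = outgoing NTLM from this host, 8002 = incoming NTLM
# to this host, 8004 = NTLM validated by a domain controller.
function Get-NtlmUsageSummary {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The event messages are "Label: value" lines; pull the fields that name
        # the account, target and source without depending on exact label wording.
        $f = @{}
        foreach ($line in ($e.Message -split "`r?`n")) {
            if ($line -match '^\s*([^:]+?):\s*(.+)$') { $f[$Matches[1].Trim()] = $Matches[2].Trim() }
        }
        $pick = { param($pattern)
            ($f.GetEnumerator() | Where-Object { $_.Key -match $pattern } | Select-Object -First 1).Value }
        [pscustomobject]@{
            Id      = $e.Id
            Account = & $pick 'user'
            Domain  = & $pick 'domain'
            Target  = & $pick 'target|secure channel|server'
            Source  = & $pick 'workstation|process'
        }
    }
    $rows | Group-Object Id, Account, Target, Source |
        Select-Object Count, @{n='Id';e={$_.Values[0]}}, @{n='Account';e={$_.Values[1]}},
                      @{n='Target';e={$_.Values[2]}}, @{n='Source';e={$_.Values[3]}} |
        Sort-Object Count -Descending
}

Get-NtlmUsageSummary -Days 7 | Format-Table -AutoSize

# Only after the summary shows no legitimate dependencies: deny instead of audit.
# Set-ItemProperty -Path $msv -Name 'RestrictReceivingNTLMTraffic' -Value 2 -Type DWord   # deny all
# Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic'   -Value 2 -Type DWord   # deny all
```

The 8001 rows are the ones relevant to this zero-day: an Explorer-triggered connection shows up as outgoing NTLM from explorer.exe to a target you do not recognise, which is exactly the pattern worth alerting on while auditing is in place.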
Monitor SMB traffic. Enabling SMB signing and encryption can help prevent attackers from impersonating legitimate servers and triggering NTLM authentication. Blocking outbound SMB traffic to untrusted networks will also reduce the risk of NTLM credential leakage to rogue servers. Implement network monitoring and alerting for unusual SMB traffic patterns, particularly outbound requests to unknown or untrusted IP addresses.
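The following PowerShell is an added example, not the article's or Microsoft's own script, of the SMB hardening described above: requiring signing and encryption, blocking outbound SMB to non-private addresses, and checking the result. It assumes Windows 10/11 or Server 2016 and later with an elevated session; the assumption that only RFC 1918 ranges are trusted is this example's and should be adjusted to your address plan, and the BlockNTLM switch on the SMB client exists only on Windows 11 24H2 and Server 2025, so it is applied conditionally.

```powershell
# Added example (not from the article): SMB signing/encryption plus an outbound
# block so an Explorer-triggered SMB connection to an internet host cannot
# carry an NTLM response out of the network.

# Client side: require signing so a rogue server cannot tamper with the session.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
# Server side: require signing and encrypt all shares by default.
Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -Force
# Windows 11 24H2 / Server 2025 only: refuse NTLM for outbound SMB entirely.
if ((Get-Command Set-SmbClientConfiguration).Parameters.ContainsKey('BlockNTLM')) {
    Set-SmbClientConfiguration -BlockNTLM $true -Force
}

# Everything except loopback, 10/8, 172.16/12 and 192.168/16 (assumed address plan).
$nonPrivate = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255'
)
foreach ($port in 445, 139) {
    New-NetFirewallRule -DisplayName "Block outbound SMB $port to non-private addresses" `
        -Direction Outbound -Protocol TCP -RemotePort $port -RemoteAddress $nonPrivate `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Hypothetical helper: the settings that matter, in one object for auditing.
function Get-SmbHardeningState {
    $c = Get-SmbClientConfiguration
    $s = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequiresSigning = $c.RequireSecuritySignature
        ServerRequiresSigning = $s.RequireSecuritySignature
        ServerEncryptsData    = $s.EncryptData
        OutboundSmbBlocked    = [bool](Get-NetFirewallRule -DisplayName 'Block outbound SMB*' -ErrorAction SilentlyContinue)
    }
}

Get-SmbHardeningState
```

A host firewall block is the last line of defence; the same 445/139 egress block belongs on the perimeter firewall, where the dropped connections can also feed the SMB alerting the article recommends.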
Leave NTLM behind. NTLM has been deprecated. Administrators should audit NTLM usage to identify which systems still rely on it. Organizations should prioritize moving those systems to more modern authentication protocols, such as Kerberos. Once a modern protocol is in place, implement MFA to add a further layer of protection.
Taking these steps will help organizations address the fundamental flaws in NTLM and improve their security posture.