NTLM Explained - Windows New Technology LAN Manager

Windows New Technology LAN Manager (NTLM) is a suite of Microsoft authentication protocols built on symmetric-key cryptography and a challenge-response exchange. Unlike Kerberos, it needs no ticket-granting service: the resource server issues the challenge and validates the response itself, or hands the exchange to a domain controller over the Netlogon secure channel when the account is a domain account.

Although largely replaced by Kerberos, NTLM remains widely deployed, both on older systems and as the fallback whenever Kerberos cannot be used (for example when a server is addressed by IP address rather than by name). Its use can be controlled through Group Policy (Network security: LAN Manager authentication level and the Network security: Restrict NTLM settings) or through the equivalent registry values.

NTLM Authentication

NTLM (NT LAN Manager) is a family rather than a single protocol. It comprises the LAN Manager (LM) authentication protocol and its LM hash, the NTLMv1 protocol and the NT hash (MD4 over the UTF-16LE password), the NTLMv2 protocol, and the NTLM session-security mechanism used to sign and seal traffic. All of them authenticate users and computers on domains, home networks, and workgroups using a challenge-response exchange, so the password itself never crosses the wire.

An NTLM exchange has three messages. The client sends a NEGOTIATE message, the server replies with a CHALLENGE message carrying an 8-byte random nonce, and the client answers with an AUTHENTICATE message containing a response computed from its password hash and that nonce: three DES operations keyed with the hash in LM and NTLMv1, an HMAC-MD5 over the nonce, a client nonce and a timestamp in NTLMv2. The server recomputes the expected response from the hash it holds (a domain member forwards the challenge and response to a domain controller over Netlogon) and grants access to the resource only if the two match. There is no ticket to decrypt; NTLM has none.

NTLM was introduced to replace the older LM scheme because of the significant weaknesses in the LM hash. NTLM itself lingers because older clients and servers understand nothing else, and because some scenarios never used Kerberos in the first place: local logon, logon between WORKGROUP machines, and applications inside an Active Directory domain that still request NTLM explicitly.

Although NTLM is weaker than Kerberos, it is still far safer than the LM scheme it replaced. The LM hash upper-cases the password, truncates it to 14 characters and splits it into two independent 7-character halves, so it can be brute-forced in minutes on commodity hardware; NTLMv2 at least binds a full-strength NT hash to a fresh server challenge, a client challenge and a timestamp. Many organizations still accept the weaker protocols today simply because something in the estate has always used them.

NTLM also underpins single sign-on to web applications that support Integrated Windows Authentication (Moodle's NTLM SSO plugin is one example). The browser completes the challenge-response with the web server using the credentials of the logged-on Windows user, and the server validates the response against the Active Directory domain it belongs to, so the user is never prompted and the password never leaves the workstation. Because the browser performs this handshake silently, it should only do so for sites in a trusted intranet zone; otherwise any web page the user visits could request an NTLM handshake and capture a challenge-response pair for offline cracking or relay to another host.

NTLMv2 Authentication

NTLM (NT LAN Manager) is a suite of Microsoft protocols intended to provide user authentication and, through its session-security layer, message integrity and confidentiality. NTLM is used in Windows single sign-on (SSO): a user logs on once and can reach servers and applications across the network without entering the password again. It is a challenge-response protocol, so clients prove possession of the password hash without ever sending the password, or the hash, over the network.

Though more secure authentication protocols exist, NTLM remains popular on many networks with Microsoft products. Since legacy systems may be difficult to replace, IT teams tend to err on the side of caution regarding disabling NTLM due to fears that undermining it might compromise critical business processes or cause downtime.

NTLM is deeply embedded within Windows, making its removal challenging without disrupting production systems. There are, however, steps you can take to mitigate cyberattack risks by increasing NTLM security levels.

When a user logs onto a Windows server or workstation over NTLM, the client does not hand over a ticket or the NT hash itself. It receives an 8-byte challenge from the server and returns a response computed from the NT hash of the password and that challenge (plus, in NTLMv2, a client challenge and a timestamp), together with the user and domain name. The server, or the domain controller it forwards the exchange to, recomputes the response from the stored NT hash; a match proves the client holds the hash, and an access token is then built for the resources the account is allowed to use.

Microsoft shipped NTLM and later NTLMv2 as the logon protocols of Windows NT; with Windows 2000 it adopted Kerberos, which adds mutual authentication and a trusted third party, as the default in domains. NTLM's weaknesses remain wherever it is still accepted: the NT hash is unsalted, so it can be recovered from precomputed tables and reused as-is in pass-the-hash attacks, and the protocol does not authenticate the server, which allows a captured challenge-response to be relayed to another machine.

Third-party SSO components expose the same choice between versions. The webMethods NTLM SSO plugin, for example, offers an NTLM V2 option that performs the challenge and response with NTLMv2. Enabling it requires the Jespa Java library from IOPLEX Software: either select it in the installer's Select Components drop-down box, or download the library and copy it into the product's lib folder, then enable NTLMv2 in the plugin's configuration.

NTLMv1 Authentication

NTLM authentication uses a challenge-response exchange and is commonly used for local logon, network logon between WORKGROUP machines, HTTP servers that offer Integrated Windows Authentication, and Windows single sign-on. Microsoft recommends against relying on it, yet it remains everywhere. The Group Policy setting Network security: LAN Manager authentication level removes LM and NTLMv1 by forcing NTLMv2; blocking NTLM altogether is a separate step, done with the Network security: Restrict NTLM policies (and their audit counterparts, which should be enabled first to see what would break).

NTLMv1 authentication exchanges challenge-response messages derived from the password hash. The server sends an 8-byte random challenge; the client pads the 16-byte NT hash to 21 bytes, splits it into three 7-byte DES keys and encrypts the challenge with each, producing a 24-byte response that the server recomputes and compares byte for byte. The weak points are structural: the 8-byte challenge is the only randomness, there is no client contribution or timestamp, and the third DES key is two real hash bytes plus five zero bytes, so it can be recovered instantly. MS-CHAPv2, the PPP and VPN authentication protocol, is built on the same NT-hash/DES construction and is not a safer alternative.

The password itself is not transmitted during authentication, but the response is a deterministic function of the password hash and a challenge the attacker may have seen. Anyone who captures both, by sniffing the network or by tricking a client into authenticating to a machine they control, can run an offline brute-force attack, trying candidate passwords until one reproduces the captured response; against the LM hash this takes minutes, and NTLMv1 is not far behind. Worse, NTLM authenticates with the hash rather than the password, so an attacker who obtains the NT hash itself (for example from a compromised machine's memory) can log on as that user without ever learning the password.

That is a severe threat to the administrator accounts on your servers, which grant access to system settings and computer management. Before tightening anything, find out who still uses the old protocols: enable logon success auditing on domain controllers and servers, and each logon produces Security event 4624 whose Detailed Authentication Information section records the Authentication Package and, for NTLM, a Package Name (NTLM only) field of LM, NTLM V1 or NTLM V2, together with the account, the workstation name and the source network address.

Unfortunately, many older applications written in the 1990s and 2000s still use LM and NTLMv1, often from vendors that no longer exist or have since been acquired, and IT teams are reluctant to break them by disabling those protocols.

NTLMv1 and LM can be disabled through the registry by setting the DWORD value LmCompatibilityLevel under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to 5 (not 0, which is the weakest setting and permits LM and NTLMv1 responses). The same control is exposed in Group Policy as Network security: LAN Manager authentication level, where level 5 is "Send NTLMv2 response only. Refuse LM & NTLM": clients stop sending LM and NTLMv1 responses, and domain controllers and servers refuse to accept them. Levels 3 and 4 are intermediate steps (clients send only NTLMv2, while servers still accept NTLMv1 or refuse only LM) that are useful while legacy exceptions are being retired.

NTLMv2 and the Move to Kerberos

NTLM, first published in 1993 and still used on some Windows computers today, employs a challenge-response system to determine whether those seeking access are who they say they are. Mainly used by Microsoft servers and workstations alike, this legacy protocol should be gradually phased out for Kerberos authentication.

Microsoft introduced NTLMv2 in Windows NT 4.0 SP4 to address the flaws in LM and NTLMv1. NTLMv2 replaces the DES construction with HMAC-MD5 keyed by the NT hash and mixes a client challenge and a timestamp into the response, which removes the fixed-structure weaknesses of NTLMv1 and makes replaying a captured response far harder. It still does not authenticate the server, so relay attacks remain possible where message signing is not required.

Consider a domain logon. John logs onto his Windows workstation and opens a share on a file server. The server sends an 8-byte challenge; John's workstation takes his NT hash (the MD4 of his UTF-16 password, which it holds from his interactive logon), derives the NTLMv2 key from it with his user name and domain, and returns an HMAC-MD5 over the server challenge, a client challenge and the current time, together with his user and domain name. The file server cannot verify this itself because it does not hold John's hash; it forwards the challenge and response to a domain controller over the Netlogon secure channel (NTLM has no Key Distribution Center; the KDC is a Kerberos component), and the domain controller recomputes the response from the NT hash stored in Active Directory.

If the two values match, John is granted access without incident. If they do not, the domain controller rejects the logon. Nothing in that exchange protects against an attacker who captured it, however: with the challenge, the client blob and the response in hand, the attacker can recompute the response for candidate passwords offline, and a commodity GPU tests such guesses at high speed, so the strength of John's password is the only thing standing between the capture and his account.
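The exchange John's workstation and the domain controller perform, and the offline guessing a captured exchange allows, as an added Python example that is not part of the original article. It implements NTOWFv2 and the NTLMv2 response as MS-NLMP defines them and uses that specification's worked inputs (user User, domain Domain, password Password, server challenge 0123456789abcdef, client challenge aaaaaaaaaaaaaaaa, target names Domain and Server, timestamp 0); the candidate password list is this example's own, and so is the MD4 routine, because hashlib's MD4 is frequently unavailable on OpenSSL 3 builds.

```python
"""NTLMv2 challenge-response, both sides, plus the offline attack it invites.

Added example, not the page's own code. Inputs follow the MS-NLMP worked example:
user "User", domain "Domain", password "Password", server challenge 0123456789abcdef,
client challenge aaaaaaaaaaaaaaaa, timestamp 0, target names "Domain" and "Server".
The candidate password list is constructed for this example.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is missing under OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F, message words in order
            a, b, c, d = d, rot((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G, words column by column
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rot((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H, bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. Unsalted, so equal passwords give equal hashes."""
    return _md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPERCASE(user) + domain (domain case is kept)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the CHALLENGE message's TargetInfo (0x0002 NetBIOS domain, 0x0001 NetBIOS server)."""
    v = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(v)) + v


AV_EOL = struct.pack("<HH", 0, 0)  # MsvAvEOL terminates the AV_PAIR list


def client_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('temp'): version 1.1, 6 reserved bytes, time, nonce, 4 reserved, AV pairs, 4 reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    return hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest() + blob


def verify_response(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server/DC side: needs only the stored NT hash, the names from AUTHENTICATE and the blob it received."""
    if len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def crack_offline(candidates, user: str, domain: str, server_challenge: bytes, response: bytes):
    """Attacker side: with one captured exchange, each guess costs one MD4 and two HMAC-MD5s and no network."""
    for pw in candidates:
        if verify_response(nt_hash(pw), user, domain, server_challenge, response):
            return pw
    return None


if __name__ == "__main__":
    server_chal = bytes.fromhex("0123456789abcdef")
    client_chal = bytes.fromhex("aaaaaaaaaaaaaaaa")
    target_info = av_pair(0x0002, "Domain") + av_pair(0x0001, "Server") + AV_EOL
    blob = client_blob(0, client_chal, target_info)
    resp = ntlmv2_response(ntowf_v2(nt_hash("Password"), "User", "Domain"), server_chal, blob)
    print("NT hash   :", nt_hash("Password").hex())
    print("NTOWFv2   :", ntowf_v2(nt_hash("Password"), "User", "Domain").hex())
    print("NTProofStr:", resp[:16].hex())
    print("verified  :", verify_response(nt_hash("Password"), "User", "Domain", server_chal, resp))
    print("guessed   :", crack_offline(["letmein", "Passw0rd", "Password"], "User", "Domain", server_chal, resp))
```

The verifier never sees the password, only the NT hash, which is why possession of the hash is enough to log on; and because every quantity the verifier uses apart from that hash travels in the clear, the same function doubles as the attacker's cracking loop once an exchange has been captured.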

Domain controllers and servers are protected against downgrade to the weaker variants by the Group Policy setting Network security: LAN Manager authentication level, which limits the responses clients send and the responses servers accept, together with Network security: Minimum session security for NTLM SSP based clients and servers, which requires NTLMv2 session security and 128-bit encryption when a session is negotiated. The equivalent registry values work as well, though either change can break services and applications that still depend on LM or NTLMv1. Where such dependencies exist, scope the exception to the specific servers that need it and require NTLMv2 everywhere else.

A: Microsoft's New Technology LAN Manager (NTLM) is an authentication protocol based on an outdated challenge-response process. It has been superseded by Kerberos as the default in Active Directory domains, but it remains the fallback and still provides single sign-on for applications that authenticate with the logged-on user's credentials without prompting for a password.

A: LAN Manager was Microsoft's network operating system of the late 1980s and early 1990s. Its client-server design let personal computers join a single network for file sharing, print sharing, network security features and administration tools; NTLM inherited its name and its LM hash.

A: NTLMv1 use is detected through logon success auditing: Security event 4624 on the domain controller (or server) includes a Package Name (NTLM only) field that records whether the logon used LM, NTLM V1 or NTLM V2, together with the account and workstation involved.
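Turning that audit trail into a list of hosts to fix, as an added Python example that is not part of the original article; it serves both the auditing advice in the NTLMv1 section and this answer. The event bodies it parses are constructed samples laid out like the Security log's 4624 Message: the account, workstation and address values are invented, the field and section names are the real ones.

```python
"""Find LM / NTLMv1 logons in Security event 4624 bodies before raising LmCompatibilityLevel.

Added example, not the page's own code. The event bodies below are constructed samples
that follow the Security log's 4624 Message layout; the section and field names (Subject,
Logon Type, New Logon, Network Information, Detailed Authentication Information,
Package Name (NTLM only)) are the real ones. On a domain controller you would feed in the
Message property of each event returned by Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}.
"""
from collections import Counter

LEGACY_PACKAGES = {"LM", "NTLM V1"}  # "NTLM V2" is what level 5 leaves in place


def parse_4624(message: str) -> dict:
    """Flatten a 4624 body into {'Section/Field': value}.

    Indented lines are fields of the last unindented section header (Subject, New Logon, ...);
    unindented lines that carry a value (Logon Type) are stored under their own name.
    Splitting on the first colon keeps values such as IPv6 addresses intact.
    """
    fields, section = {}, ""
    for line in message.splitlines():
        name, sep, value = line.partition(":")
        if not sep or not line.strip():
            continue
        name, value = name.strip(), value.strip()
        if not line[0].isspace():
            if value:
                fields[name] = value  # top-level field such as "Logon Type"
            else:
                section = name        # section header such as "New Logon"
            continue
        fields[f"{section}/{name}"] = value
    return fields


def legacy_ntlm_logons(messages):
    """One record per LM or NTLMv1 logon: who, from where, with which package."""
    hits = []
    for msg in messages:
        f = parse_4624(msg)
        if f.get("Detailed Authentication Information/Authentication Package") != "NTLM":
            continue  # Kerberos logons carry "-" in the NTLM-only field
        pkg = f.get("Detailed Authentication Information/Package Name (NTLM only)", "-")
        if pkg in LEGACY_PACKAGES:
            hits.append({
                "account": f.get("New Logon/Account Domain", "-") + "\\" + f.get("New Logon/Account Name", "-"),
                "workstation": f.get("Network Information/Workstation Name", "-"),
                "source": f.get("Network Information/Source Network Address", "-"),
                "logon_type": f.get("Logon Type", "-"),
                "package": pkg,
            })
    return hits


def hosts_to_fix(hits) -> Counter:
    """Legacy logons per workstation: these are the hosts that break when level 5 is enforced."""
    return Counter(h["workstation"] for h in hits)


def _event(account, domain, workstation, src, logon_process, auth_pkg, ntlm_pkg, logon_type=3):
    """Build a constructed 4624 Message body in the Security log's tab-indented layout."""
    return (
        "An account was successfully logged on.\n\n"
        "Subject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        f"New Logon:\n\tSecurity ID:\t\t{domain}\\{account}\n\tAccount Name:\t\t{account}\n"
        f"\tAccount Domain:\t\t{domain}\n\tLogon ID:\t\t0x3E7B2\n\n"
        f"Network Information:\n\tWorkstation Name:\t{workstation}\n\tSource Network Address:\t{src}\n"
        "\tSource Port:\t\t49321\n\n"
        f"Detailed Authentication Information:\n\tLogon Process:\t\t{logon_process}\n"
        f"\tAuthentication Package:\t{auth_pkg}\n\tTransited Services:\t-\n"
        f"\tPackage Name (NTLM only):\t{ntlm_pkg}\n\tKey Length:\t\t128\n"
    )


# Constructed sample events: two NTLMv1 logons from one finance workstation, an LM logon
# from an old NAS service account, one NTLMv2 logon and one Kerberos logon.
SAMPLE_EVENTS = [
    _event("jsmith", "CORP", "WS-FINANCE-01", "10.0.0.5", "NtLmSsp", "NTLM", "NTLM V1"),
    _event("svc_backup", "CORP", "LEGACY-NAS", "10.0.0.40", "NtLmSsp", "NTLM", "LM"),
    _event("adavis", "CORP", "WS-ENG-07", "10.0.1.17", "NtLmSsp", "NTLM", "NTLM V2"),
    _event("adavis", "CORP", "WS-ENG-07", "10.0.1.17", "Kerberos", "Kerberos", "-"),
    _event("jsmith", "CORP", "WS-FINANCE-01", "10.0.0.5", "NtLmSsp", "NTLM", "NTLM V1"),
]

if __name__ == "__main__":
    hits = legacy_ntlm_logons(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['package']:8} {h['account']:20} from {h['workstation']} ({h['source']}) logon type {h['logon_type']}")
    print("hosts still on LM/NTLMv1:", dict(hosts_to_fix(hits)))
```

Run it against a few days of events from every domain controller, since each DC only sees the logons it validated; a workstation that appears in the output needs its LmCompatibilityLevel raised (or its legacy application fixed) before the domain-wide policy moves to level 5, otherwise that is the host that stops working.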
