To mitigate these risks organizations are advised to enable audit logs for NTLM authentication to monitor and identify applications requesting NTLMv1 messages. Additionally, ensuring applications are not misconfigured and keeping systems updated are critical steps. These measures are particularly important as many organizations might falsely believe their networks are secure when relying on the Group Policy to disable NTLMv1. Vigilance in detecting vulnerable applications and verifying configuration settings is essential to addressing this threat.

The findings align with broader concerns about NTLM vulnerabilities and other security issues in widely used software. For instance, security researchers recently uncovered a "zero-day behavior" in PDF artifacts that could leak local net-NTLM information through Adobe Reader or Foxit PDF Reader under certain conditions. This vulnerability has been patched in Foxit version 2024.4 for Windows. Similarly, Windows 11 security features (pre-version 24H2) have been shown to bypass vulnerabilities allowing kernel-level arbitrary code execution. These discoveries underscore the need for continuous updates, thorough auditing, and proactive security measures in enterprise environments.

Impact

• Sensitive Data Theft
• Unauthorized Access
• Security Bypass

Remediation

• Turn on auditing for NTLM authentication across the network to identify systems or applications attempting to use NTLMv1.
• Monitor logs for suspicious authentication attempts or applications configured to use NTLMv1.
• Identify and reconfigure any on-premise applications that enable NTLMv1 authentication through the Netlogon Remote Protocol (MS-NRPC) ParameterControl settings.
• Ensure the LMCompatibilityLevel registry key on all systems is set to the highest possible level (5 or higher) to enforce NTLMv2 or disable NTLM altogether.
• Update to the latest versions of Windows and applications, such as Windows 11 version 24H2 or Windows Server 2025, which have officially removed NTLMv1.
• Regularly apply security updates to address vulnerabilities in software like Adobe Reader or Foxit PDF Reader, which have been linked to NTLM-related flaws.
• Explicitly disable NTLMv1 across the network using Group Policy and confirm that no misconfigurations override this policy.
• Transition to more secure authentication protocols, such as Kerberos, for domain authentication.
• Implement Network Segmentation: Isolate legacy systems or applications that require NTLMv1 to limit exposure.
• Use penetration testing to identify potential misconfigurations or vulnerable applications that could bypass security policies.
• Actively search for indicators of NTLM abuse, such as unexpected NTLM traffic or malicious relay attempts.
• Prepare for incidents involving NTLM exploitation by establishing clear response and recovery protocols.
• Regularly simulate scenarios involving NTLM bypass to ensure readiness.