Introduction
In the ever-evolving landscape of cybersecurity, legacy protocols like NTLM (NT LAN Manager) continue to pose significant security risks. Despite being deprecated, NTLM remains prevalent in many environments, making it a prime target for attackers. This article delves into the vulnerabilities associated with NTLM, explores recent developments, and provides actionable strategies to harden NTLM authentication and protect credentials in 2025.
Understanding NTLM and Its Vulnerabilities
NTLM is a suite of Microsoft security protocols designed to provide authentication, integrity, and confidentiality to users. However, it has several inherent weaknesses:
- Pass-the-Hash Attacks: Attackers can capture NTLM hashes and reuse them to authenticate as the user without needing the plaintext password.
- Relay Attacks: NTLM is susceptible to relay attacks, where an attacker intercepts and forwards authentication requests to gain unauthorized access.
- Weak Cryptography: NTLM relies on outdated cryptographic methods, making it vulnerable to brute-force attacks and hash cracking.
Recent Developments and Vulnerabilities
CVE-2024-38200: NTLM Hash Exposure in Microsoft Office
In August 2024, Microsoft disclosed a high-severity vulnerability (CVE-2024-38200) affecting Office 2016 and other versions. This flaw allows remote attackers to access NTLM hashes through specially crafted files, potentially leading to credential theft and unauthorized access. Microsoft recommends blocking outbound NTLM traffic and adding users to the Protected Users Security Group as mitigations.
CVE-2025-24054: Critical NTLM Hash Flaw
In April 2025, a critical vulnerability (CVE-2025-24054) was identified, enabling attackers to steal NTLM credentials by having a user view a malicious file in Windows Explorer. This vulnerability underscores the urgency of transitioning away from NTLM to more secure authentication methods like Kerberos.
Microsoft's Response and Security Enhancements
Microsoft has taken significant steps to mitigate NTLM-related vulnerabilities:
- Extended Protection for Authentication (EPA): EPA has been enabled by default in services like Exchange Server 2019 CU14, Active Directory Certificate Services (AD CS), and LDAP in Windows Server 2025. EPA helps prevent NTLM relay attacks by ensuring that authentication requests are bound to the intended server.
- SMB Security Hardening: In Windows Server 2025 and Windows 11 24H2, SMB signing is required by default for all inbound and outbound connections. Additionally, the SMB client now supports blocking NTLM authentication for remote outbound connections, reducing the risk of NTLM-based attacks.
Strategies to Harden NTLM Authentication
To enhance security and protect credentials, organizations should implement the following strategies:
1. Disable NTLM Authentication Over SMB
Use PowerShell to disable NTLM authentication over SMB:
Blocking NTLM on the SMB client prevents it from using NTLM to authenticate remote connections, mitigating the risk of NTLM relay attacks.
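The following is an added example, not code from the original article: it turns on the SMB client's NTLM block, tightens signing, and verifies the result. It assumes Windows 11 24H2 or Windows Server 2025 (where the -BlockNTLM parameter exists) and an elevated PowerShell session; the server and share names in the commented exception are placeholders.

```powershell
# Added example (not from the original article). Assumes Windows 11 24H2 /
# Windows Server 2025, where Set-SmbClientConfiguration has -BlockNTLM.
# Run from an elevated PowerShell session.

# Block NTLM for every outbound SMB connection made by this host.
Set-SmbClientConfiguration -BlockNTLM $true -Force

# Require SMB signing as well: even where NTLM is still negotiated, a relayed
# or tampered session is rejected. (Already the default on 24H2 / Server 2025,
# set explicitly here so the posture survives on older clients too.)
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Confirm the effective client settings.
Get-SmbClientConfiguration |
    Select-Object BlockNTLM, RequireSecuritySignature, EnableInsecureGuestLogons

# If a single legacy server cannot do Kerberos yet, scope the exception to that
# one mapping rather than weakening the host-wide setting. Placeholder names.
# New-SmbMapping -LocalPath 'Z:' -RemotePath '\\legacy-fileserver\share' -BlockNTLM $false
```

Expect connections to servers that only offer NTLM (typically hosts reached by IP address rather than by a name registered in Active Directory, since Kerberos needs a matching SPN) to start failing; that list is the migration backlog, not a reason to switch the block back off.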
2. Enforce Kerberos Authentication
Transition from NTLM to Kerberos, which offers stronger security features:
- Mutual Authentication: Both client and server verify each other's identity.
- Stronger Cryptography: Kerberos uses modern encryption algorithms, reducing the risk of brute-force attacks.
Configure Group Policy to enforce Kerberos authentication, and enable Credential Guard so that the NTLM hashes and Kerberos tickets held by LSASS are isolated from the rest of the operating system:
- Open Group Policy Management Console (GPMC).
- Navigate to the policy node that holds the Credential Guard settings.
- Enable the following settings:
- Turn On Virtualization-Based Security: Set to "Enabled"
- Select Platform Security Level: Set to "Secure Boot and DMA Protection"
- Credential Guard Configuration: Set to "Enabled with UEFI Lock"
Apply the Group Policy settings and restart the system.
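As an added example (not code from the original article), the script below applies the three settings listed above through the registry-backed policy values they map to and then checks, after the reboot, that Credential Guard is actually running. The value meanings (EnableVirtualizationBasedSecurity = 1, RequirePlatformSecurityFeatures = 3 for "Secure Boot and DMA Protection", LsaCfgFlags = 1 for "Enabled with UEFI lock") are Microsoft's documented encodings; the assumption is a domain-joined or standalone Windows 10/11 or Server host with UEFI and Secure Boot, run elevated.

```powershell
# Added example (not from the original article). Writes the Credential Guard
# policy values and verifies the service state. Requires UEFI + Secure Boot,
# an elevated session, and a reboot between the two halves.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
New-Item -Path $policyKey -Force | Out-Null

# "Turn On Virtualization Based Security" = Enabled
Set-ItemProperty -Path $policyKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
# "Select Platform Security Level" = Secure Boot and DMA Protection
Set-ItemProperty -Path $policyKey -Name RequirePlatformSecurityFeatures -Type DWord -Value 3
# "Credential Guard Configuration" = Enabled with UEFI lock
Set-ItemProperty -Path $policyKey -Name LsaCfgFlags -Type DWord -Value 1

# After the reboot: Win32_DeviceGuard reports what VBS services are configured
# and running. Value 1 in the SecurityServices arrays is Credential Guard
# (2 would be HVCI). VirtualizationBasedSecurityStatus: 0 off, 1 enabled but
# not running, 2 running.
function Test-CredentialGuardRunning {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus             = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfig = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardOn     = $dg.SecurityServicesRunning   -contains 1
    }
}

Test-CredentialGuardRunning
```

Two caveats a practitioner will want: with the UEFI lock in place the setting cannot be undone remotely (clearing it requires confirmation at the console during boot), so pilot without the lock first; and Credential Guard breaks NTLMv1, Digest and unconstrained-delegation scenarios, so the NTLM audit in step 4 should run before it is rolled out broadly.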
4. Monitor and Restrict NTLM Usage
Regularly audit NTLM usage to identify and mitigate potential vulnerabilities:
- Enable Auditing: Configure auditing policies to monitor NTLM authentication attempts.
- Restrict NTLM Traffic: Use Group Policy to restrict or disable NTLM authentication where possible.
- Educate Users: Train users to recognize and avoid actions that could expose NTLM credentials, such as opening untrusted files or links.
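To make the auditing step concrete, here is an added example (not code from the original article) that inventories NTLM logons from a host's Security log and reports the current "Restrict NTLM" policy posture. It relies on two documented facts: successful logon event 4624 carries AuthenticationPackageName (NTLM or Kerberos) and LmPackageName (NTLM V1 or V2), and the Restrict NTLM Group Policy settings are stored under the MSV1_0 Lsa key. It assumes an elevated session on a Windows host whose Security log retains several days of events.

```powershell
# Added example (not from the original article). Summarises who is still
# authenticating with NTLM to this host and how the Restrict NTLM policies
# are set. Run elevated so the Security log is readable.

function Get-NtlmLogonSummary {
    param([int]$Days = 7)
    $ms = $Days * 24 * 60 * 60 * 1000
    # Successful logons (4624) in the window whose auth package was NTLM.
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
             "and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name=...> elements into a lookup table.
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source    = if ($d.IpAddress -and $d.IpAddress -ne '-') { $d.IpAddress } else { $d.WorkstationName }
                LogonType = $d.LogonType          # 3 = network, 10 = RDP, 2 = interactive
                LmPackage = $d.LmPackageName      # 'NTLM V1' is the urgent finding; V2 still needs a Kerberos plan
            }
        } |
        Group-Object Account, Source, LmPackage |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-RestrictNtlmPosture {
    # Policy-backed values; a missing value means "Not Configured".
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $p = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AuditReceivingNTLMTraffic    = $p.AuditReceivingNTLMTraffic    # 0 off, 1 domain accounts, 2 all accounts
        RestrictReceivingNTLMTraffic = $p.RestrictReceivingNTLMTraffic # 0 allow, 1 deny domain accounts, 2 deny all
        RestrictSendingNTLMTraffic   = $p.RestrictSendingNTLMTraffic   # 0 allow, 1 audit, 2 deny all
        AuditNTLMInDomain            = $p.AuditNTLMInDomain            # DC only: 0 disabled ... 7 audit everything
    }
}

Get-RestrictNtlmPosture
Get-NtlmLogonSummary -Days 7 | Format-Table -AutoSize
```

Run this on domain controllers and file servers first, since that is where NTLM concentrates. Once the audit policies are set, the per-attempt detail lands in the Microsoft-Windows-NTLM/Operational log (events 8001 to 8004), and moving RestrictSendingNTLMTraffic from 1 (audit) to 2 (deny) is safe only when that log has been quiet for the systems that matter.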
Conclusion
While NTLM has been a cornerstone of Windows authentication, its vulnerabilities necessitate a shift towards more secure protocols like Kerberos. By implementing the strategies outlined above, organizations can significantly reduce the risk of credential theft and enhance their overall security posture in 2025 and beyond.