Older protocols are hard to kill. From consumer-based protocols like SMBv1 to network-based protocols like Windows NT LAN Manager (NTLM), we typically need time and planning to move off protocols that we rely on. Many of us are still using NTLM to authenticate to our networks, especially for remote access during the pandemic. This old but well-used protocol was the default for network authentication in the Windows NT 4.0 operating system. It is less secure than more modern protocols such as Kerberos.

Why is NTLM a concern? Generally speaking, the older a protocol is, the more likely it is to depend on older ciphers. NTLM v1 uses the DES block cipher algorithm keyed with an MD4 hash. It's possible to break it by brute force, mainly because a full 128-bit key is not used. NTLM v2 uses a stronger hash algorithm and encryption. Still, it can be exploited using pass-the-hash or man-in-the-middle techniques.

If possible, wean yourself off using NTLM. At a minimum, you should know exactly when and where NTLM is still being used in your network.

How to audit for NTLM use

First, start by auditing networks to see if NTLM v1 is being used. To find applications that use NTLMv1, enable "Logon Success Auditing" on the domain controller and then look for "Success auditing Event 4624", which contains information about the version of NTLM being used. You'll see many events, and it might be difficult to tell whether NTLM is still being used. An easier way to determine whether you can disable NTLM is to enable a setting that audits whether you could restrict it.
To do this, set a group policy on your domain controller by editing your Group Policy management console:

1. Go to "Forest".
2. Go to "Domains".
3. Browse to the "Default domain policy" and right-click on it.
4. Select "Edit".
5. Scroll and select "Computer Configuration".
6. Select "Policies".
7. Select "Windows Settings".
8. Select "Security Settings".
9. Select "Local Policies".
10. Select "Security Options".
11. Select "Network Security: Restrict NTLM: Audit NTLM authentication in this domain" and enable it.

Once the policy is active, the NTLM authentication requests are logged to the operational log located in "Application and Services", then in "Microsoft", then in "Windows", then in the NTLM log, on every server where the Group Policy Object (GPO) is set.

Select the policies that only audit first, rather than "Network Security: Incoming NTLM traffic". This is supported on Server 2008 R2 and above. There are two policies. First, once you enable "Network Security: Restrict NTLM: Audit incoming NTLM Traffic", select either "Enable auditing for domain accounts" or "Enable auditing for all accounts".

[Figure: Enable auditing for all accounts. Credit: Susan Bradley]

Second, enable "Network security: Restrict NTLM: Audit NTLM authentication in this domain". For this setting you can choose "Enable for domain accounts to domain servers", "Enable for domain accounts", "Enable for domain servers", or "Enable all".

[Figure: Audit for NTLM authentication in domain servers. Credit: Susan Bradley]

Now go back to the operational logs and review what processes in your domain are using this protocol for authentication and access. You might find remote access processes are using NTLM because it doesn't require a direct connection to the domain controller.
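To review both of the logs described above without clicking through Event Viewer, here is an added PowerShell example (my own, not from the original article). It assumes an elevated session on a domain controller or member server where the audit GPO applies, that the Microsoft-Windows-NTLM/Operational log exists, and that event 4624 carries the standard "AuthenticationPackageName" and "LmPackageName" fields; the Get-EventData helper and the parameter names are mine.

```powershell
# Summarise NTLM use from Security event 4624 and, once the "Restrict NTLM: Audit"
# policies are active, from the Microsoft-Windows-NTLM/Operational log.
param(
    [int]$Days = 7,                          # look-back window
    [string]$ComputerName = $env:COMPUTERNAME
)
$since = (Get-Date).AddDays(-$Days)

# Turn an event's EventData into a hashtable keyed by field name, so the script does
# not depend on the positional index of each field in $event.Properties.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

# 1. Logon auditing: 4624 events whose authentication package is NTLM. The
#    LmPackageName field records which flavour was used: 'LM', 'NTLM V1' or 'NTLM V2'.
$logons = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.AuthenticationPackageName -eq 'NTLM' } |
    ForEach-Object {
        [pscustomobject]@{
            Version     = $_.LmPackageName
            Account     = "$($_.TargetDomainName)\$($_.TargetUserName)"
            Workstation = $_.WorkstationName
            SourceIP    = $_.IpAddress
            LogonType   = $_.LogonType
        }
    }
"NTLM logons in the last $Days day(s), by version:"
$logons | Group-Object Version | Select-Object Name, Count | Format-Table -AutoSize

"LM / NTLM V1 logons to chase down first (account, workstation, source IP):"
$logons | Where-Object { $_.Version -ne 'NTLM V2' } |
    Group-Object Account, Workstation, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Operational log written by the two "Restrict NTLM: Audit ..." policies, by event ID.
$audit = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since }
"NTLM audit events in Microsoft-Windows-NTLM/Operational, by event ID:"
$audit | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
```

Event 4624 is written on the computer that was logged on to, so run this against file servers and remote desktop gateways as well as domain controllers; on a domain controller, NTLM credential validation performed on behalf of other machines appears as event 4776 rather than 4624.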
Processes such as Remote Desktop Protocol (RDP) authenticating through a remote desktop gateway are apt to use NTLM as the means for passing along the authentication to the server.

Review whether you can set the group policy "Network Security: LAN Manager Authentication" to "Send NTLMv2 response only/Refuse LM & NTLM".

Disable NTLM when using Azure Active Directory

Microsoft recommends that you do not rely on NTLM once you use Azure for domain services. Microsoft recommends the following procedures to harden your Azure Active Directory (Azure AD) domain services:

- Disable NTLM v1 and TLS v1 ciphers.
- Disable NTLM password hash synchronization.
- Disable the ability to change passwords with RC4 encryption.
- Enable Kerberos armoring.

To perform these actions, sign into Azure AD Domain Services and choose your domain. On the left side, select "Security settings" and disable the following settings:

- TLS 1.2 only mode
- NTLM authentication
- NTLM password synchronization from on-premises
- RC4 encryption

Enable the "Kerberos armoring" setting.

Keep in mind that Azure AD is not the same thing as Active Directory (AD). It adds single sign-on to existing AD. Unless you are using Office 365 and nothing else, the authority for user identities still resides with AD. AD provides key functions to a domain such as storing information about users, computers, and groups, or keeping track of objects such as organizational units, domains, and forests. It also provides common authentication providers for the domain, as well as LDAP, NTLM, and Kerberos, to ensure secure authentication between domain-joined devices. Most importantly, AD allows fine-grained control and management of computers, users, and servers.

Azure AD provides Microsoft's cloud-based identity and access management services and allows for access to Microsoft 365, Azure resources, and other software-as-a-service applications.
Azure AD provides identity as a service for applications across different cloud services.

Inventory your network, both on-premises and cloud services, to determine the most secure authentication setting you can choose for your domain. Often with legacy applications the best you can do is NTLM. However, limit the use of NTLM v1 and know exactly where NTLM v2 is being used. Start planning now to move away from it, and check with those applications and vendors that are still mandating NTLM.