Disable use of NTLMv1

Andreas 1,331 Reputation points
2023-02-16T06:41:10.2133333+00:00

Hi,

We are doing some testing on disabling the use of NTLMv1 (we have also had logging implemented for a while). I have configured a GPO with the following setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level = 5

I have deployed this GPO to one Windows Server 2019 server, and from the local policy I can see that it has been applied.

(screenshot)

If I then log in to another server and try to map a share by IP (\\10.0.0.1\c$), it gives me the error below in the event log, and the mapping works. I thought it would fail, because when using the IP instead of the FQDN it uses NTLM. (If I add the user to the Protected Users group, then the mapping fails, since NTLM is then disabled for the user by the group.)

(screenshot)

So my question is, do I have to assign this GPO to the domain controller that the server authenticates against as well? I hope not, since I want to implement this carefully, and was hoping to take one server at a time, and then, when all servers and clients are configured, configure the domain controllers.

Thanks for any reply

/R

Andy


Accepted answer
Thameur-BOURBITA 36,261 Reputation points Moderator
2023-02-16T14:22:19.2166667+00:00

    Hi @Andreas

    Before disabling NTLMv1, you should identify the services and machines that still use it.

    You can monitor the Event Viewer on all DCs, where you can check whether there are connection attempts using NTLMv1.

    You can start with the servers first, then the client machines. On the other hand, I recommend disabling it on the servers and client workstations gradually, in order to be able to control the incidents generated after the deactivation of NTLMv1 and not exceed the capacity of the support team.

    For domain controllers, I also recommend that you proceed gradually: even if NTLMv1 is disabled on all servers and client workstations, it is possible to have applications (non-Microsoft) or equipment that authenticate via NTLMv1.

    Please don't forget to mark helpful answer as accepted

    1 person found this answer helpful.
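As an added example (not code from the question or the accepted answer), the script below does the two things discussed in this thread: it reads the effective LAN Manager authentication level on each machine (the GPO value "5" is stored in the registry as LmCompatibilityLevel), and it pulls the NTLM logons from the Security log of every DC so that NTLMv1 use can be found before the level is enforced. It assumes the ActiveDirectory module (RSAT) is installed, that you have rights to read the Security log and the registry remotely, and that "Audit Logon" success auditing is enabled on the DCs so that event 4624 is written; the field names AuthenticationPackageName, LmPackageName, WorkstationName and IpAddress are the standard EventData fields of event 4624.

```powershell
# Added example: audit NTLM version in use before enforcing LmCompatibilityLevel = 5.
# Not from the original post. Assumes RSAT ActiveDirectory module and remote admin rights.
param(
    # Default: every DC in the domain. Pass any server names here to check members too.
    [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
    [int]$Days = 7
)

# 1. Effective "Network security: LAN Manager authentication level" on each machine.
#    The GPO writes HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel;
#    when the value is absent the OS default applies (3 on supported Windows versions).
$lmLevels = foreach ($c in $ComputerName) {
    Invoke-Command -ComputerName $c -ScriptBlock {
        $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            LmCompatibilityLevel = $(if ($null -eq $v) { 'not set (OS default)' } else { $v })
        }
    }
}
$lmLevels | Format-Table -AutoSize

# 2. Successful logons (event 4624) in the last $Days that used NTLM, with the
#    NTLM version taken from the LmPackageName field ("NTLM V1", "NTLM V2" or "LM").
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$ntlmLogons = foreach ($c in $ComputerName) {
    Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML so that fields can be read by name rather than by position.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    DC          = $c
                    Time        = $_.TimeCreated
                    Version     = $data.LmPackageName
                    User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    Workstation = $data.WorkstationName
                    Source      = $data.IpAddress
                    LogonType   = $data.LogonType
                }
            }
        }
}

# 3. Everything that is still NTLMv1 or LM must be fixed before level 5 is enforced.
#    Grouped by user / workstation / source address so the owning system can be found.
$ntlmLogons |
    Where-Object { $_.Version -in @('NTLM V1', 'LM') } |
    Group-Object User, Workstation, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it from an administrative PowerShell session as a domain user with rights to read the DCs' Security logs. The first table shows whether the GPO value actually landed on each machine; the third table lists the NTLMv1/LM sources that the accepted answer says you should find before disabling NTLMv1 on the DCs. Because the DC validates the NTLM exchange for a domain account, the DC's own Security log is the one place where every NTLM logon in the domain is visible, which is why the answer points at the DCs rather than at individual member servers.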
